[j-nsp] Weird SRX flow timeout issue
Benny Amorsen
benny+usenet at amorsen.dk
Mon Nov 12 14:43:38 EST 2012
Tim Eberhard <xmin0s at gmail.com> writes:
> While I haven't read this entire thread, it's worth mentioning that
> this is a correct statement. TCP connections (by default) must be
> initiated by a standard 3-way handshake. You can disable this by
> turning off tcp-syn-checking under security -> flow.
>
> I wouldn't recommend it however, as enforcing proper TCP state is
> always a good security practice.
Enforcing proper TCP state is certainly good security practice. Dropping
a TCP session with active TCP keepalives is simply buggy and wrong.
That does not have anything to do with the 3-way handshake or
tcp-syn-checking, which should be on.
/Benny