[j-nsp] inet6 ttl filter / equivalent of hop-limit on non MX series

Dave Bell me at geordish.org
Mon Nov 23 04:27:44 EST 2015 

Hi Scott,

I would drop that accept-traceroute-tcp term. It will allow any TCP
traffic with a TTL of 1. If you can fudge your TTL (Simple on linux,
just write the value to /proc/sys/net/ipv4/ip_default_ttl) then you
can connect to any open TCP port. Additionally I don't think I've seen
a legitimate use case for TCP traceroute.

As for how to implement this in IPv6... I'm unsure. I suspect without
the hop-limit statement being available you are going to be stuffed.
You could just make do with ICMP traceroute, and don't bother with
checking the TTL field.

Regards,
Dave

On 22 November 2015 at 04:22, Scott <scttlists at gmail.com> wrote:
> Hi All,
>
> I am currently rewriting the inet6 firewall on a M120 and I am trying to
> figure out how I can effectively filter traceroutes, especially tcp, as
> hop-limit is supported on MX MIC/MPC only.
>
> Any pointers are highly appreciated
>
> The config is largely based on the Day One books, here is the inet version
> I am trying to convert
>
>     filter accept-traceroute {
>         apply-flags omit;
>         term accept-traceroute-udp {
>             from {
>                 destination-prefix-list {
>                     router-ips-ipv4;
>                     router-ips-logisys-ipv4;
>                 }
>                 protocol udp;
>                 ttl 1;
>                 destination-port 33434-33523;
>             }
>             then {
>                 policer management-1m;
>                 count accept-traceroute-udp;
>                 accept;
>             }
>         }
>         term accept-traceroute-icmp {
>             from {
>                 destination-prefix-list {
>                     router-ips-ipv4;
>                     router-ips-logisys-ipv4;
>                 }
>                 protocol icmp;
>                 ttl 1;
>                 icmp-type [ echo-request timestamp time-exceeded ];
>             }
>             then {
>                 policer management-1m;
>                 count accept-traceroute-icmp;
>                 accept;
>             }
>         }
>         term accept-traceroute-tcp {
>             from {
>                 destination-prefix-list {
>                     router-ips-ipv4;
>                     router-ips-logisys-ipv4;
>                 }
>                 protocol tcp;
>                 ttl 1;
>             }
>             then {
>                 policer management-1m;
>                 count accept-traceroute-tcp;
>                 accept;
>             }
>         }
>     }
>
> Thanks,
>
> Scott
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp

More information about the juniper-nsp mailing list