Mailing List Archive: nsp: juniper

DNS signed zone and IP Fragments



palanchi at rutgers

May 1, 2012, 1:28 PM

DNS signed zone and IP Fragments

I'm looking for a firewall packet filter to deal with IP Fragments as described in the link below.

https://lists.isc.org/pipermail/bind-users/2010-February/078917.html

We run a pair of MX240s with 10.1R3.7 at the edge. We are running stateless firewall filters inbound on Internet handoffs, allowing certain TCP and UDP ports. I'm having a problem with non-initial fragments not getting through. We have a temporary workaround, but it is not a global solution at all.

I was thinking that firewall filter processing for fragments such as below could be a solution, but it's scary to open the floodgates. Interested to hear how others have dealt with this. Any thoughts?

term ip-fragments-1 {
    from {
        /* offset 0 with more-fragments set: the only fragment that carries the UDP/TCP header */
        first-fragment;
    }
    then policer IP-FRAG-Policer;
}
term ip-fragments-2 {
    from {
        /* non-initial fragments (offset in 8-byte units); these carry no port information */
        fragment-offset 64-8191;
    }
    then policer IP-FRAG-Policer;
}
policer IP-FRAG-Policer {
    filter-specific;
    if-exceeding {
        bandwidth-limit 8k;
        burst-size-limit 1500;
    }
    then discard;
}

Thanks,
Phil

_______________________________________________
juniper-nsp mailing list juniper-nsp [at] puck
https://puck.nether.net/mailman/listinfo/juniper-nsp
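To make the matching behaviour of the two proposed terms concrete, here is an added example (not from the post or from Juniper) that parses constructed IPv4 headers the way the filter would see them. It assumes the documented Junos semantics: `first-fragment` matches offset 0 with the more-fragments flag set, and `fragment-offset` compares the 13-bit offset field (in 8-byte units). The packets are a 1600-byte DNS/UDP reply split over a 1500-byte MTU, a tiny fragment, and an unfragmented reply.

```python
import struct

def ipv4_header(total_len, mf, frag_offset, proto=17):
    """Build a constructed 20-byte IPv4 header (no options) with the given
    fragment fields. Addresses are documentation ranges (RFC 5737)."""
    flags_frag = (mf << 13) | (frag_offset & 0x1FFF)   # MF is bit 13
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234,
                       flags_frag, 64, proto, 0,
                       bytes([192, 0, 2, 53]), bytes([198, 51, 100, 7]))

def fragment_fields(hdr):
    """Return (more_fragments, fragment_offset) from a raw IPv4 header."""
    flags_frag = struct.unpack("!H", hdr[6:8])[0]
    return bool((flags_frag >> 13) & 1), flags_frag & 0x1FFF

def has_transport_header(hdr):
    """Only a packet with offset 0 carries the UDP/TCP header, so only it can
    ever satisfy a stateless 'destination-port 53' style term."""
    return fragment_fields(hdr)[1] == 0

def classify(hdr):
    """Mimic the two proposed terms. None means the packet falls through to the
    rest of the filter (port-based terms, then the implicit discard)."""
    mf, off = fragment_fields(hdr)
    if mf and off == 0:            # Junos first-fragment
        return "ip-fragments-1"
    if 64 <= off <= 8191:          # Junos fragment-offset 64-8191
        return "ip-fragments-2"
    return None

# Constructed samples: a 1600-byte reply over a 1500-byte MTU yields a first
# fragment with 1480 payload bytes and a second fragment at offset 1480/8 = 185.
SAMPLES = {
    "dns-reply-frag1": ipv4_header(1500, 1, 0),
    "dns-reply-frag2": ipv4_header(140, 0, 185),
    "tiny-fragment":   ipv4_header(28, 0, 1),
    "unfragmented":    ipv4_header(512, 0, 0),
}

def report():
    """Map each sample to (matching term, whether port terms could match it)."""
    return {name: (classify(h), has_transport_header(h))
            for name, h in SAMPLES.items()}

if __name__ == "__main__":
    for name, (term, ports) in report().items():
        print(f"{name:16} term={term}  port-match-possible={ports}")
```

The second fragment of the DNSSEC reply carries no UDP header, so it can only pass via ip-fragments-2; the tiny fragment at offset 1 matches neither term and is left to the rest of the filter.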
