That KB is to turn Junos-ES into a router device.

the first part:
            no-syn-check;
            no-syn-check-in-tunnel;
            no-sequence-check;

Basically turns off *all* stateful TCP. At that point you might as well be
using stateless ACLs.

The next portion is to disable the ALGs (application layer gateways). Again,
if the end goal here is to use this device as a router, I agree with it.

If you're trying to use the security{} options as a firewall then do *not*
follow that KB.

Good luck,
-Tim Eberhard

On Mon, Apr 6, 2009 at 1:37 AM, <t...@osystems.ru> wrote:

>
>
> KB11963 recommends also add
>     flow {
>         allow-dns-reply;
>         tcp-session {
>             no-syn-check;
>             no-syn-check-in-tunnel;
>             no-sequence-check;
>         }
>     }
>
> and
>
>     alg {
>         dns disable;
>         ftp disable;
>         h323 disable;
>         mgcp disable;
>         real disable;
>         rsh disable;
>         rtsp disable;
>         sccp disable;
>         sip disable;
>         sql disable;
>         talk disable;
>         tftp disable;
>         pptp disable;
>         msrpc disable;
>         sunrpc disable;
>     }
>
> as well as
>     zones {
>         security-zone trust {
>             tcp-rst;
>
> Is there a meaning to make these changes?
>
>
>
>
> On Fri, 03 Apr 2009 15:04:58 +0200, Tomasz Klicki <tom...@klicki.pl>
> wrote:
> > t...@osystems.ru wrote:
> >> Please give me a sample configuration, security {} for the JUNOS Software
> >> Release [9.4R1.8] (Export edition) Enhanced Services for the BGP router
> >> (border router).
> >
> > Here you are:
> >
> > security {
> >     zones {
> >         security-zone zone_default {
> >             host-inbound-traffic {
> >                 system-services {
> >                     all;
> >                 }
> >                 protocols {
> >                     all;
> >                 }
> >             }
> >             interfaces {
> >                 all;
> >             }
> >         }
> >     }
> >     policies {
> >         default-policy {
> >             permit-all;
> >         }
> >     }
> > }
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
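As an added illustration of the point made in this thread (this is not code from either post or from Juniper), the Python check below parses a Junos security{} stanza into nested dicts and reports the settings that make the box behave like a stateless router: the tcp-session no-*-check knobs, disabled ALGs, and a permit-all default policy. The sample stanza is constructed here from the fragments quoted above and is not a complete SRX configuration.

```python
# Constructed sample assembled from the stanzas quoted in the thread (not a
# config taken verbatim from either post); one statement per line, as Junos prints it.
SAMPLE = """
security {
    flow {
        tcp-session {
            no-syn-check;
            no-sequence-check;
        }
    }
    alg {
        ftp disable;
        sip disable;
    }
    policies {
        default-policy {
            permit-all;
        }
    }
}
"""

def parse_junos(text):
    """Turn curly-brace Junos config into nested dicts; leaf statements map to None."""
    root = cur = {}
    stack = []
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line.endswith("{"):            # open a stanza
            cur[line[:-1].strip()] = child = {}
            stack.append(cur)
            cur = child
        elif line == "}":                 # close the current stanza
            cur = stack.pop()
        elif line.endswith(";"):          # leaf statement
            cur[line[:-1].strip()] = None
    return root

def router_mode_findings(cfg):
    """List the settings that make security{} behave like a stateless router."""
    sec, findings = cfg.get("security", {}), []
    tcp = sec.get("flow", {}).get("tcp-session", {})
    for knob in ("no-syn-check", "no-syn-check-in-tunnel", "no-sequence-check"):
        if knob in tcp:
            findings.append(f"flow tcp-session {knob}: stateful TCP check disabled")
    for stmt in sec.get("alg", {}):       # statements look like "ftp disable"
        name, _, action = stmt.partition(" ")
        if action == "disable":
            findings.append(f"alg {name}: disabled")
    if "permit-all" in sec.get("policies", {}).get("default-policy", {}):
        findings.append("policies default-policy permit-all: no policy enforcement")
    return findings
```

Run `router_mode_findings(parse_junos(SAMPLE))` to get the list of findings; an empty list means none of the router-mode settings from the thread are present.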
