Pavel Lunin writes:
> I tried to test it myself on a couple of enterprise edge routers,
> forwarding just about 30 Mbps each, and got quite stable value of
> FIN/SYN ratio -- approx 90%. RST number is about 1.5% of SYNs.
Be aware that "tcp-flags" looks at the bits at a fixed offset in the packet
without checking to see that the packet is TCP. This allows the protocol
check to be performed once manually in a filter chain instead of checking it
automatically all the time, but it does cause some confusion.

The fix is to add at the top of your filter:

    term accept-non-tcp {
        from {
            protocol-except tcp;
        }
        then accept;
    }

Also you may want to use:

    tcp-flags "syn & !ack";

in term SYN to match only connection requests.

Thanks,
Phil

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
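The term ordering Phil describes, modelled as an added example that is not part of the original thread and not Junos code: a small Python simulation that evaluates filter terms top to bottom with first match wins, and reads the flags byte at the TCP flags position (offset 13 into the layer-4 header) without consulting the IP protocol field, which is how the post says "tcp-flags" behaves. The packet builders, the 192.0.2.x addresses and the sample traffic are constructed for the demonstration, and the offset arithmetic is an assumption of this model rather than a statement about the router's implementation. It shows why a UDP datagram (here a DNS query header, whose QDCOUNT=1 puts a 0x01 byte exactly where a TCP FIN bit would be) gets counted by a FIN term unless a protocol-except term runs first, and why "syn" alone also counts SYN-ACKs while "syn & !ack" counts only connection requests, which is the difference that matters when computing the FIN/SYN and RST/SYN ratios from the quoted measurement.

```python
import struct

# TCP flag bits in the flags byte (RFC 793).
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
PROTO_TCP, PROTO_UDP = 6, 17


def ipv4_packet(proto, l4):
    """Minimal IPv4 header (IHL=5, no options, constructed addresses,
    zero checksum) followed by the layer-4 bytes."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64,
                      proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + l4


def tcp_segment(flags, sport=40000, dport=80):
    """20-byte TCP header with the given flags byte (seq/ack/checksum zero)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                       65535, 0, 0)


def udp_datagram(payload, sport=40000, dport=53):
    """8-byte UDP header followed by the payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


# Constructed DNS query header: ID, flags 0x0100 (RD), QDCOUNT=1, other
# counts 0 (RFC 1035). Byte 5 of this payload is 0x01, which sits at
# layer-4 offset 8 + 5 = 13, the TCP flags position.
DNS_QUERY_HEADER = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)


def ihl(pkt):
    return (pkt[0] & 0x0F) * 4


def ip_proto(pkt):
    return pkt[9]


def tcp_flags_at_fixed_offset(pkt):
    """Model (an assumption of this example) of the 'tcp-flags' match as the
    post describes it: read the byte where TCP flags would be, offset 13 into
    the layer-4 header, without checking that the packet is TCP."""
    return pkt[ihl(pkt) + 13]


def syn_only(pkt):  # tcp-flags "syn & !ack": connection requests only
    f = tcp_flags_at_fixed_offset(pkt)
    return bool(f & SYN) and not (f & ACK)


def syn_any(pkt):  # tcp-flags "syn": also matches SYN-ACK replies
    return bool(tcp_flags_at_fixed_offset(pkt) & SYN)


def fin(pkt):
    return bool(tcp_flags_at_fixed_offset(pkt) & FIN)


def rst(pkt):
    return bool(tcp_flags_at_fixed_offset(pkt) & RST)


# Term lists are evaluated top to bottom, first match wins.
NAIVE_FILTER = [("SYN", syn_any), ("FIN", fin), ("RST", rst)]
FIXED_FILTER = [("accept-non-tcp", lambda p: ip_proto(p) != PROTO_TCP),
                ("SYN", syn_only), ("FIN", fin), ("RST", rst)]


def first_matching_term(pkt, terms):
    for name, match in terms:
        if match(pkt):
            return name
    return "accept-rest"


def count_terms(pkts, terms):
    """Per-term hit counts, the numbers a FIN/SYN ratio would be built from."""
    counts = {}
    for p in pkts:
        name = first_matching_term(p, terms)
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample traffic: one TCP handshake and teardown, one RST,
# and one UDP DNS query.
SAMPLE = [
    ipv4_packet(PROTO_TCP, tcp_segment(SYN)),
    ipv4_packet(PROTO_TCP, tcp_segment(SYN | ACK)),
    ipv4_packet(PROTO_TCP, tcp_segment(ACK)),
    ipv4_packet(PROTO_TCP, tcp_segment(FIN | ACK)),
    ipv4_packet(PROTO_TCP, tcp_segment(FIN | ACK)),
    ipv4_packet(PROTO_TCP, tcp_segment(RST)),
    ipv4_packet(PROTO_UDP, udp_datagram(DNS_QUERY_HEADER)),
]

if __name__ == "__main__":
    print("naive:", count_terms(SAMPLE, NAIVE_FILTER))
    print("fixed:", count_terms(SAMPLE, FIXED_FILTER))
```

With the naive term list the DNS query lands in the FIN counter and the SYN-ACK in the SYN counter, so both the numerator and the denominator of a FIN/SYN ratio are wrong; with the protocol-except term first and "syn & !ack", each counter holds only what its name says.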