I'm looking for a firewall packet filter to deal with IP Fragments as described 
in the link below.

https://lists.isc.org/pipermail/bind-users/2010-February/078917.html

We run a pair of MX240s with 10.1R3.7 at the edge, running stateless firewall 
filters inbound on Internet handoffs allowing certain TCP and UDP ports. I'm 
having a problem with non-initial fragments not getting through. We have a 
temporary workaround, but it is not a global solution at all.

I was thinking that firewall filter processing for fragments such as below 
could be a solution, but it's scary to open the floodgates. Interested to 
hear how others have dealt with this. Any thoughts?

term ip-fragments-1 {
    from {
        first-fragment;
    }
    then policer IP-FRAG-Policer;
}
term ip-fragments-2 {
    from {
        fragment-offset 64-8191;
    }
    then policer IP-FRAG-Policer;
}
policer IP-FRAG-Policer {
    filter-specific;
    if-exceeding {
        bandwidth-limit 8k;
        burst-size-limit 1500;
    }
    then discard;
}

Thanks,
Phil

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
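For context on where the two fragment terms from the post would sit in a full inbound filter, here is an added worked example (editor's illustration, not Phil's configuration or a Juniper-published one). The filter name, interface, counter names and the port-53 term are constructed for the example. The point it shows: only non-initial fragments have no L4 header and therefore can never match a port term, so they are the only ones that need to be policed and accepted ahead of the port terms. First fragments still carry the TCP/UDP header, so they can be policed with `next term` and then fall through to the normal port checks instead of being accepted outright. The 64-8191 offset range is kept from the post; the assumption here is that offsets 1-63 are meant to fall through to the final discard term, which is a common guard against tiny-fragment tricks.

```junos
firewall {
    family inet {
        policer IP-FRAG-Policer {
            filter-specific;
            if-exceeding {
                bandwidth-limit 8k;
                burst-size-limit 1500;
            }
            then discard;
        }
        filter EDGE-IN-EXAMPLE {
            /* First fragments still carry the L4 header: police them,
               then continue into the port terms rather than accepting. */
            term first-fragments {
                from {
                    first-fragment;
                }
                then {
                    policer IP-FRAG-Policer;
                    count FRAG-FIRST;
                    next term;
                }
            }
            /* Non-initial fragments have no L4 header, so no port term
               below can ever match them. Police and accept them here.
               Offsets 1-63 are left to hit the final discard (assumption:
               that is the intent of the 64-8191 range in the post). */
            term non-initial-fragments {
                from {
                    fragment-offset 64-8191;
                }
                then {
                    policer IP-FRAG-Policer;
                    count FRAG-NON-INITIAL;
                    accept;
                }
            }
            /* Example port term (constructed): DNS over TCP and UDP. */
            term dns {
                from {
                    protocol [ tcp udp ];
                    destination-port 53;
                }
                then accept;
            }
            /* Explicit final term so the discards are countable. */
            term default-discard {
                then {
                    count DISCARD-IN;
                    discard;
                }
            }
        }
    }
}
interfaces {
    /* Interface name is a placeholder for the Internet handoff. */
    xe-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input EDGE-IN-EXAMPLE;
                }
            }
        }
    }
}
```

The counters are there so `show firewall filter EDGE-IN-EXAMPLE` reveals how much fragmented traffic is actually arriving and how much the policer is dropping, which is the number to watch before deciding whether 8k is a sane ceiling for the link.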
