On 24/05/13 16:05, Alex Arseniev wrote:
At the moment, the SRX is sitting in front of our "personally owned"
VRF; this means all our wireless and wired laptops, and RAS VPN
address ranges.
If You run any kind of peer-to-peer apps (uTorrent, eMule, etc, also
includes Skype) then You'll see that outside peers are trying to establish
LOADS of unsolicited connections to Your inside hosts.
And all of them will be dropped unless You enable full cone NAT.
Good suggestion, but that's not it.
Firstly we don't have *any* NAT in play - all the devices are on public
IPs. Secondly, as mentioned all the policies are default permit, so any
unsolicited connections would be allowed. Thirdly, this SRX is actually
behind *another* firewall (Netscreen 5400s) that will eat the
unsolicited connections before the SRX sees them ;o)
Related to that 3rd item, as per my other email *if* that counter would
increment for failed 3-way handshakes, it's possible that the "drops"
are failed sessions which are allowed by the permit-all on the SRX, but
then denied by the Netscreen (e.g. SMTP/25, SMB/139, which we block
outbound). So, as per my other email - does anyone know *what* that
counter is counting?
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp