Mailing List Archive

Preventing router from giving up its IP in traceroutes
Is there any reliable non-kludge way of making the juniper not send out
time-exceeded responses, or doing it from a consistently incorrect address?

# show firewall filter route-engine-out
term no-expire-out {
    from {
        icmp-type time-exceeded;
    }
    then discard;
}
term allow-rest {
    then accept;
}

[edit]

Applying this as an outbound filter on lo0 seems to have no effect.
I could put a filter on all interfaces, but this seems to be too much work
to maintain...

--Phil
ISPrime
Preventing router from giving up its IP in traceroutes [ In reply to ]
Have you tried applying it to fxp0?

-- steve

-----Original Message-----
From: juniper-nsp-bounces@puck.nether.net
[mailto:juniper-nsp-bounces@puck.nether.net] On Behalf Of Phil Rosenthal
Sent: Wednesday, February 12, 2003 7:19 PM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] Preventing router from giving up it's IP in traceroutes

Is there any reliable non-kludge way of making the juniper not send out
time-exceeded responses, or doing it from a consistently incorrect
address?

# show firewall filter route-engine-out
term no-expire-out {
    from {
        icmp-type time-exceeded;
    }
    then discard;
}
term allow-rest {
    then accept;
}

[edit]

Applying this as an outbound filter on lo0 seems to have no effect.
I could put a filter on all interfaces, but this seems to be too much work
to maintain...

--Phil
ISPrime

Preventing router from giving up its IP in traceroutes [ In reply to ]
I doubt that applying it to fxp0 would help in this case. I can see two
feasible explanations to the behavior observed: old JunOS version, before
all data exchange between re and routing plane was made to "go" via lo0 (so
the only way was to apply filters to all interfaces), and a bug. I suggest
raising this case with your friendly TAC.

SY,
--
D.K.

On Wed, Feb 12, 2003 at 11:17:38PM -0600, Stephen Gill wrote:
> Have you tried applying it to fxp0?
>
> -- steve
>
> -----Original Message-----
> From: juniper-nsp-bounces@puck.nether.net
> [mailto:juniper-nsp-bounces@puck.nether.net] On Behalf Of Phil Rosenthal
> Sent: Wednesday, February 12, 2003 7:19 PM
> To: juniper-nsp@puck.nether.net
> Subject: [j-nsp] Preventing router from giving up it's IP in traceroutes
>
> Is there any reliable non-kludge way of making the juniper not send out
> time-exceeded responses, or doing it from a consistently incorrect
> address?
>
> # show firewall filter route-engine-out
> term no-expire-out {
>     from {
>         icmp-type time-exceeded;
>     }
>     then discard;
> }
> term allow-rest {
>     then accept;
> }
>
> [edit]
>
> Applying this as an outbound filter on lo0 seems to have no effect.
> I could put a filter on all interfaces, but this seems to be too much work
> to maintain...