Mailing List Archive

Sylog port filtering
Hi all,

In regards to blocking the syslog (514/udp) port to prevent a syslog-flood attack, I
did some filtering on my M-series as below:


Configure firewall filtering
============================
firewall {
    policer udp-250k {
        if-exceeding {
            bandwidth-limit 250k;
            burst-size-limit 25k;
        }
        then discard;
    }
    filter inbound-filter {
        term 9 {
            from {
                protocol udp;
            }
            then {
                count policer-udp-250k;
                accept;
            }
        }
        term 12 {
            from {
                protocol udp;
                destination-port syslog;
            }
            then {
                reject;
            }
        }
    }
}

Apply in specific interface
===========================
ds3-0/2/0 {
    unit 0 {
        family inet {
            filter {
                input inbound-filter;
            }
            address x.y.z.250/30;
        }
    }
}


After I applied this filter, I port-scanned my router using nmap-3.20
and found...


C:\boljug\nmap\nmap-3.20>nmap -sU x.y.z.250

Starting nmap 3.20 ( www.insecure.org/nmap ) at 2003-04-09 01:29 SE Asia Standard Time
Interesting ports on x.y.z.250:
(The 1469 ports scanned but not shown below are in state: closed)
Port State Service
514/udp open syslog
Nmap run completed -- 1 IP address (1 host up) scanned in 31.516 seconds

I'm really not sure what's wrong with my M-series, or whether nmap is using a stealth
probe technique so it can bypass the firewall filtering, or whether I need to apply
this filter on my RE? Please advise.
In addition, I use Junos 5.6R1.


Any help/comments really appreciated.


Regards
Hendro


Sylog port filtering [ In reply to ]
Hendro,

Put term 12 before term 9 and see if it works as expected.

Right now you "count" and "accept" everything with term 9 since it matches all udp traffic before it even gets to term 12. The order of your terms matters.

I assume you also want to police UDP traffic, so you should add "policer udp-250k" in the then clause in term 9 for this action to take effect.


-Julian

**************************
Julian Eccli, JNCIE-M #32
Juniper Networks, JTAC
www.juniper.net
**************************

> -----Original Message-----
> From: hhadiwinoto@hotpop.com [mailto:hhadiwinoto@hotpop.com]
> Sent: Thursday, April 10, 2003 7:15 PM
> To: juniper-nsp@puck.nether.net
> Subject: [j-nsp] Sylog port filtering
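To make the ordering point concrete, here is an added model (not Junos code and not from the thread) of how a Junos firewall filter evaluates terms: terms are tried in configured order and the first match decides the action, so with term 9 first every UDP packet, syslog included, is accepted before term 12 is ever consulted. The packets and the term names are taken from the posted config; the policer reference on the fixed term 9 follows Julian's suggestion.

```python
"""Model of Junos firewall-filter term evaluation (first matching term wins).
Added illustration for the thread above; it is not Junos code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SYSLOG_PORT = 514  # Junos resolves 'destination-port syslog' to 514


@dataclass
class Packet:
    protocol: str
    dst_port: int


@dataclass
class Term:
    name: str
    protocol: Optional[str] = None   # None means "any protocol"
    dst_port: Optional[int] = None   # None means "any destination port"
    action: str = "accept"           # accept / reject / discard
    policer: Optional[str] = None    # policer applied in the 'then' clause

    def matches(self, pkt: Packet) -> bool:
        return ((self.protocol is None or pkt.protocol == self.protocol)
                and (self.dst_port is None or pkt.dst_port == self.dst_port))


def evaluate(terms: List[Term], pkt: Packet) -> Tuple[str, str, Optional[str]]:
    """Return (term name, action, policer) of the first matching term.
    A packet matching no term hits the filter's implicit discard."""
    for term in terms:
        if term.matches(pkt):
            return (term.name, term.action, term.policer)
    return ("implicit", "discard", None)


# Order as posted: term 9 (all UDP, count + accept) before term 12 (UDP/514, reject).
AS_POSTED = [Term("9", protocol="udp", action="accept"),
             Term("12", protocol="udp", dst_port=SYSLOG_PORT, action="reject")]

# Julian's fix: reject syslog first, then police and accept the remaining UDP.
FIXED = [Term("12", protocol="udp", dst_port=SYSLOG_PORT, action="reject"),
         Term("9", protocol="udp", action="accept", policer="udp-250k")]

if __name__ == "__main__":
    for label, terms in (("as posted", AS_POSTED), ("fixed", FIXED)):
        for pkt in (Packet("udp", SYSLOG_PORT), Packet("udp", 53)):
            print(f"{label:9s} {pkt.protocol}/{pkt.dst_port} -> {evaluate(terms, pkt)}")
```

Running it shows the posted order accepting UDP/514 via term 9, while the fixed order rejects it via term 12 and leaves other UDP subject to the policer.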
AW: Sylog port filtering [ In reply to ]
Hi Hendro,

The term 9 which rejects syslog has to occur before term 12 in your firewall
filter.

/Olaf

-----Original Message-----
From: hhadiwinoto@hotpop.com [mailto:hhadiwinoto@hotpop.com]
Sent: Friday, 11 April 2003 04:15
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] Sylog port filtering
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
http://puck.nether.net/mailman/listinfo/juniper-nsp