Re: port scan to juniper fw

[aditya mukadam <aditya.mukadam () gmail com>]

Yes, I have verified and also have the relevant logs with me from the
'flow filter' .

Thanks,
Aditya Govind Mukadam

On Wed, Nov 4, 2009 at 2:49 PM, Chris Brenton <cbrenton () chrisbrenton org> wrote:
> On Thu, 2009-10-29 at 08:22 +0530, aditya mukadam wrote:
> > Juniper FW Anti-spoofing mechnism's logic is to check the
> > route for the incoming SRC-IP. If the packet with SRC-IP a.b.c.d
> > enters firewall via interface 'X' and the route on the firewall for
> > a.b.c.d is to interface 'Y, this packet will be dropped due to
> > anti-spoofing because it is entering via an interface through which it
> > is not expected to be sent back.
>
> Have you verified this? Last time I tested their anti-spoofing it didn't
> actually drop the packet. It would pass it through and then follow it up
> with a host unreachable (to the target) in order to kill the session.
>
> What was odd was the TTL would get decremented by 2. My best guess is it
> was the single honed IPS code dealing with the spoofing and that was
> introducing an extra routing hop.
>
> I have not tested this for a few years, so they may have rewritten how
> they handle it. Just curious if you have checked this or if you are
> going by the docs.
>
> HTH,
> Chris
> --
> www.chrisbrenton.org

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------