
Configuring Default Deny-All and Reject Rules

By default, security devices running Junos OS deny traffic unless rules are explicitly created to allow it. The default policy that denies all traffic is set with the following command:

    [edit]
    user@host# set security policies default-policy deny-all

You can configure your security devices running Junos OS to enforce the following default reject rules, with logging, on all network traffic:

• Invalid fragments
• Fragmented IP packets that cannot be reassembled completely
• Where the source address is equal to the address of the network interface
• Where the source address does not belong to the networks associated with the network interface
• Where the source address is defined as being on a broadcast network
• Where the source address is defined as being on a multicast network
• Where the source address is defined as being a loopback address
• Where the source address is a multicast address
• Where the source or destination address is a link-local address
• Where the source or destination address is defined as being an address “reserved for future use” as specified in RFC 5735 for IPv4
• Where the source or destination address is defined as an “unspecified address” or an address “reserved for future definition and use” as specified in RFC 3513 for IPv6
• Where the IP option Loose Source Routing, Strict Source Routing, or Record Route is specified
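As an added illustration (not Junos code or configuration from this page), the address-based rules in the list above expressed as a small Python filter: it relies on the standard ipaddress module's classification of the RFC 5735 and RFC 3513 ranges, runs over constructed sample packets on an assumed interface address of 192.0.2.1/24, and does not model the fragment or IP-option rules.

```python
# Added illustration (not Junos code): evaluates the address-based reject
# rules listed above against constructed packets, using Python's ipaddress
# classification for the RFC 5735 / RFC 3513 ranges. The fragment and
# IP-option rules need header fields and are not modelled here.
from ipaddress import ip_address, ip_interface

def reject_reason(src, dst, interface):
    """Return the first matching reject rule, or None if the packet passes.
    `interface` is the receiving interface's address/mask, e.g. '192.0.2.1/24'."""
    s, d, iface = ip_address(src), ip_address(dst), ip_interface(interface)
    if s == iface.ip:
        return "source equals interface address"
    if s.version == 4 and s == iface.network.broadcast_address:
        return "source is broadcast"
    if s.is_multicast:
        return "source is multicast"
    if s.is_loopback:
        return "source is loopback"
    for label, a in (("source", s), ("destination", d)):
        if a.is_link_local:
            return f"{label} is link-local"
        if a.is_unspecified:            # 0.0.0.0 or ::
            return f"{label} is unspecified"
        if a.is_reserved:               # 240.0.0.0/4 or IETF-reserved IPv6 space
            return f"{label} is reserved"
    # Anti-spoofing: the source must belong to the interface's own network.
    if s.version == iface.ip.version and s not in iface.network:
        return "source not in interface network"
    return None

# Constructed sample traffic arriving on an interface addressed 192.0.2.1/24.
SAMPLE_PACKETS = [
    ("192.0.2.10", "198.51.100.7"),   # ordinary local source: allowed
    ("203.0.113.5", "198.51.100.7"),  # spoofed: not from the local network
    ("127.0.0.1", "192.0.2.1"),       # loopback source
    ("192.0.2.10", "169.254.1.1"),    # link-local destination
    ("240.0.0.1", "192.0.2.1"),       # RFC 5735 reserved source
]

def filter_and_log(packets, interface):
    """Apply the rules; every rejected packet produces one log line."""
    allowed, log = [], []
    for src, dst in packets:
        reason = reject_reason(src, dst, interface)
        if reason is None:
            allowed.append((src, dst))
        else:
            log.append(f"REJECT {src} -> {dst}: {reason}")
    return allowed, log
```

The checks are ordered so the most specific reason is reported first; the general "not in interface network" anti-spoofing rule is evaluated last.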

Modified: 2015-01-15