Configuring Default Deny-All and Reject Rules
By default, security devices running Junos OS deny traffic unless rules are explicitly created to allow it. The default policy is set with the following command:

    [edit]
    user@host# set security policies default-policy deny-all
You can configure your security devices running Junos OS to enforce the following default reject rules with logging on all network traffic:
- Invalid fragments
- Fragmented IP packets that cannot be reassembled completely
- Where the source address is equal to the address of the network interface
- Where the source address does not belong to the networks associated with the network interface
- Where the source address is defined as being on a broadcast network
- Where the source address is defined as being on a multicast network
- Where the source address is defined as being a loopback address
- Where the source address is a multicast address
- Where the source or destination address is a link-local address
- Where the source or destination address is defined as being an address “reserved for future use” as specified in RFC 5735 for IPv4
- Where the source or destination address is defined as an “unspecified address” or an address “reserved for future definition and use” as specified in RFC 3513 for IPv6
- Where the IP option Loose Source Routing, Strict Source Routing, or Record Route is specified
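The following configuration session is an added example, not taken from the page or from Juniper documentation. It shows the deny-all default policy together with one way to get the logging and several of the reject rules listed above, using Junos screen options; the zone names `trust` and `untrust`, the screen name `untrust-screen`, and the policy name `deny-log` are assumed. Screen options cover only some of the listed rules (spoofed sources, fragments, source-route and record-route options); the address-range rules such as link-local or reserved addresses are not covered by this block.

```junos
[edit]
# Deny everything that no explicit policy permits.
user@host# set security policies default-policy deny-all

# The default policy does not log. A final explicit deny policy with
# session-init logging records the traffic that the default would drop.
user@host# set security policies from-zone untrust to-zone trust policy deny-log match source-address any
user@host# set security policies from-zone untrust to-zone trust policy deny-log match destination-address any
user@host# set security policies from-zone untrust to-zone trust policy deny-log match application any
user@host# set security policies from-zone untrust to-zone trust policy deny-log then deny
user@host# set security policies from-zone untrust to-zone trust policy deny-log then log session-init

# Screen options enforce packet-level reject rules on a zone.
# Reject packets whose source address is not reachable through the
# receiving interface (source does not belong to the interface's networks).
user@host# set security screen ids-option untrust-screen ip spoofing
# Reject fragments that cannot be reassembled correctly (overlapping fragments).
user@host# set security screen ids-option untrust-screen ip tear-drop
# Reject packets carrying Loose Source Routing, Strict Source Routing
# or Record Route IP options.
user@host# set security screen ids-option untrust-screen ip loose-source-route-option
user@host# set security screen ids-option untrust-screen ip strict-source-route-option
user@host# set security screen ids-option untrust-screen ip record-route-option

# Attach the screen to the untrusted zone so it applies to ingress traffic there.
user@host# set security zones security-zone untrust screen untrust-screen

# Verify before committing.
user@host# show security policies default-policy
user@host# show security screen ids-option untrust-screen
user@host# commit check
```

Screen options drop and log matching packets by default; ordering matters for the deny-log policy, which must be the last policy in its from-zone/to-zone context so that it does not shadow permit rules.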