internet-options

 

Syntax

Hierarchy Level

Release Information

Statement introduced before Junos OS Release 7.4.

no-tcp-reset introduced in Junos OS Release 9.4.

no-tcp-reset introduced in Junos OS Release 11.1 for SRX Series and vSRX devices.

icmpv4-rate-limit and source-port introduced in Junos OS Release 11.1 for the QFX Series and Junos OS Release 14.1X53-D20 for the OCX Series.

Description

Configure system IP options to protect against certain types of DoS attacks.

Options

gre-path-mtu-discovery

(ACX Series, EX Series, Junos Fusion, M Series, MX Series, OCX Series, PTX Series, QFX Series, SRX Series, T Series) Configure path MTU discovery for outgoing GRE tunnel connections. By default, path MTU discovery is enabled.
  • no-gre-path-mtu-discovery—Path MTU discovery is disabled.

icmpv4-rate-limit

Configure rate-limiting parameters for ICMPv4 messages sent.

Values:

  • bucket-size seconds—Number of seconds in the rate-limiting bucket. Range: 0 through 4294967295 seconds. Default: 5.

  • packet-rate pps—Rate-limiting packets earned per second. Range: 0 through 4294967295 pps. Default: 1000.

icmpv6-rate-limit

(ACX Series, EX Series, M Series, MX Series, PTX Series, QFX Series, SRX Series) Configure rate-limiting parameters for ICMPv6 messages sent.

Values:

  • bucket-size seconds—Number of seconds in the rate-limiting bucket. Range: 0 through 4294967295 seconds. Default: 5.

  • packet-rate pps—Rate-limiting packets earned per second. Range: 0 through 4294967295 pps. Default: 1000.

ipip-path-mtu-discovery

(ACX Series, EX Series, Junos Fusion, M Series, MX Series, OCX Series, PTX Series, QFX Series, SRX Series, T Series) Configure path MTU discovery for outgoing IP-IP tunnel connections. By default, path MTU discovery is enabled.
  • no-ipip-path-mtu-discovery—Path MTU discovery is disabled.

ipv6-duplicate-addr-detection-transmits

Control the number of attempts for IPv6 duplicate address detection.

Range: 0 to 20

Default: 3

ipv6-path-mtu-discovery

(ACX Series, EX Series, Junos Fusion, M Series, MX Series, OCX Series, PTX Series, QFX Series, SRX Series, T Series) Configure path MTU discovery for IPv6 packets. By default, IPv6 path MTU discovery is enabled.
  • no-ipv6-path-mtu-discovery—IPv6 path MTU discovery is disabled.

ipv6-path-mtu-discovery-timeout

(ACX Series, EX Series, Junos Fusion, M Series, MX Series, OCX Series, PTX Series, QFX Series, SRX Series, T Series) Set the IPv6 path MTU discovery time-out interval.

Values: minutes—IPv6 path MTU discovery timeout.

Default: 10 minutes.

ipv6-reject-zero-hop-limit

Reject incoming IPv6 packets with a zero hop-limit value in their header. This is enabled by default.
  • no-ipv6-reject-zero-hop-limit—Allow incoming IPv6 packets with a zero hop-limit value in their header.

no-tcp-reset

Do not send an RST TCP packet (a packet with the reset flag set) in response to a TCP packet received on a non-listening port.

By default, when a TCP packet is received on a non-listening port, a device sends a TCP packet with the RST flag set and drops the connection. This might lead to a security risk. Configuring this statement prevents the sending of RST TCP packets to non-listening ports.

You must configure this statement with one of two options:

  • drop-all-tcp—When a TCP segment is received on a closed port, the device drops the packet and does not send back a RST segment. This helps to protect against stealth port scans.

  • drop-tcp-with-syn-only—When a TCP packet with a SYN bit is received on a non-listening port, the device drops the packet and does not send back a RST segment, which makes the device appear as a null route. For all other TCP packets, the device sends back a RST segment and does not drop the packet.

no-tcp-rfc1323

Configure the Junos OS to disable RFC 1323 TCP extensions.

no-tcp-rfc1323-paws

Configure the Junos OS to disable the RFC 1323 Protection Against Wrapped Sequence (PAWS) number extension.

path-mtu-discovery

Configure path MTU discovery for outgoing Transmission Control Protocol (TCP) connections. By default, path MTU discovery is enabled.
  • no-path-mtu-discovery—Path MTU discovery is disabled.

source-port

Configure the range of port addresses.

Values:

  • upper-limit upper-limit—(Optional) The range of port addresses can be a value from 5000 through 65,355.

source-quench

Configure how the Junos OS handles Internet Control Message Protocol (ICMP) source quench messages. By default, the Junos OS reacts to ICMP source quench messages.
  • no-source-quench—Do not react to incoming ICMP source quench messages.

tcp-drop-synfin-set

Configure the device to drop packets that have both the SYN and FIN bits set.
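The following audit script is an added example, not part of the Juniper documentation. It reads configuration lines in `display set` form, resolves the effective no-tcp-reset, tcp-drop-synfin-set and ICMP rate-limit settings against the defaults listed above, and reports statements that are missing their required option or are out of range. The `set system internet-options` prefix and the sample lines are assumptions; adjust the prefix if the statements sit under a group or logical system.

```python
# Added example: audit "display set" lines for the internet-options statements above.
PREFIX = "set system internet-options "   # assumed hierarchy; not shown on this page
DEFAULTS = {                               # defaults as documented on this page
    "no-tcp-reset": None,                  # unset: RST sent for non-listening ports
    "tcp-drop-synfin-set": False,
    "icmpv4-rate-limit packet-rate": 1000,
    "icmpv4-rate-limit bucket-size": 5,
    "icmpv6-rate-limit packet-rate": 1000,
    "icmpv6-rate-limit bucket-size": 5,
}
NO_TCP_RESET_MODES = {"drop-all-tcp", "drop-tcp-with-syn-only"}
U32_MAX = 4294967295                       # documented upper bound for both limits

def audit(set_lines):
    """Return (effective settings, findings) for the given config lines."""
    eff, findings = dict(DEFAULTS), []
    for raw in set_lines:
        line = raw.strip()
        if not line.startswith(PREFIX):
            continue                       # not an internet-options statement
        words = line[len(PREFIX):].split()
        if words[0] == "no-tcp-reset":
            # The statement must carry one of the two documented options.
            mode = words[1] if len(words) > 1 else None
            if mode in NO_TCP_RESET_MODES:
                eff["no-tcp-reset"] = mode
            else:
                findings.append(f"no-tcp-reset requires one of {sorted(NO_TCP_RESET_MODES)}")
        elif words[0] == "tcp-drop-synfin-set":
            eff["tcp-drop-synfin-set"] = True
        elif words[0] in ("icmpv4-rate-limit", "icmpv6-rate-limit"):
            key = " ".join(words[:2])
            ok = len(words) == 3 and key in DEFAULTS and words[2].isdecimal()
            if ok and int(words[2]) <= U32_MAX:
                eff[key] = int(words[2])
            else:
                findings.append(f"invalid rate-limit statement: {line}")
    if eff["no-tcp-reset"] is None:
        findings.append("no-tcp-reset unset: RST is sent for TCP to non-listening ports")
    if not eff["tcp-drop-synfin-set"]:
        findings.append("tcp-drop-synfin-set not configured")
    return eff, findings

SAMPLE = [  # constructed input, not from a real device
    "set system host-name edge-1",
    "set system internet-options icmpv4-rate-limit packet-rate 100",
    "set system internet-options no-tcp-reset drop-tcp-with-syn-only",
]
```

Calling `audit(SAMPLE)` returns the effective settings and a single finding for the missing tcp-drop-synfin-set statement.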

The remaining statements are explained separately. Search for a statement in CLI Explorer or click a linked statement in the Syntax section for details.

Required Privilege Level

admin—To view this statement in the configuration.

admin-control—To add this statement to the configuration.