
internet-options

 

Syntax

Hierarchy Level

Release Information

Statement introduced before Junos OS Release 7.4.

Statement introduced in Junos OS Release 9.0 for EX Series switches.

Statement introduced in Junos OS Release 11.1 for SRX Series devices.

icmpv4-rate-limit statement introduced in Junos OS Release 11.1 for the QFX Series and Junos OS Release 14.1X53-D20 for the OCX Series.

no-tcp-reset introduced in Junos OS Release 11.1 for SRX Series and vSRX devices.

source-port introduced in Junos OS Release 11.1 for the QFX Series and Junos OS Release 14.1X53-D20 for the OCX Series.

Statement introduced in Junos OS Release 14.1X53-D20 for the OCX Series.

Description

Configure system IP options to protect against certain types of DoS attacks.

Options

gre-path-mtu-discovery
(ACX Series, EX Series, Junos Fusion, OCX Series, PTX Series, QFX Series, SRX Series, T Series) Configure path MTU discovery for outgoing GRE tunnel connections. By default, path MTU discovery is enabled.
  • no-gre-path-mtu-discovery—Path MTU discovery is disabled.

icmpv4-rate-limit
Configure rate-limiting parameters for ICMPv4 messages sent.

Values:

  • bucket-size seconds—Number of seconds in the rate-limiting bucket. Range: 0 through 4294967295 seconds. Default: 5.

  • packet-rate pps—Rate-limiting packets earned per second. Range: 0 through 4294967295 pps. Default: 1000.

icmpv6-rate-limit
(ACX Series, MX Series, SRX Series only) Configure rate-limiting parameters for ICMPv6 messages sent.

Values:

  • bucket-size seconds—Number of seconds in the rate-limiting bucket. Range: 0 through 4294967295 seconds. Default: 5.

  • packet-rate pps—Rate-limiting packets earned per second. Range: 0 through 4294967295 pps. Default: 1000.

ipip-path-mtu-discovery
(ACX Series, EX Series, Junos Fusion, OCX Series, PTX Series, QFX Series, SRX Series, T Series) Configure path MTU discovery for outgoing IP-IP tunnel connections. By default, path MTU discovery is enabled.
  • no-ipip-path-mtu-discovery—Path MTU discovery is disabled.

ipv6-duplicate-addr-detection-transmits
(EX Series, M Series, MX Series, PTX Series, SRX Series, T Series) Control the number of attempts for IPv6 duplicate address detection.

Range: 0 to 20

Default: 3

ipv6-path-mtu-discovery
(ACX Series, EX Series, Junos Fusion, OCX Series, PTX Series, QFX Series, SRX Series, T Series) Configure path MTU discovery for IPv6 packets. By default, IPv6 path MTU discovery is enabled.
  • no-ipv6-path-mtu-discovery—IPv6 path MTU discovery is disabled.

ipv6-path-mtu-discovery-timeout
(ACX Series, EX Series, Junos Fusion, OCX Series, PTX Series, QFX Series, SRX Series, T Series) Set the IPv6 path MTU discovery timeout interval.

Values: minutes—IPv6 path MTU discovery timeout.

Default: 10 minutes.

ipv6-reject-zero-hop-limit
(EX Series, M Series, MX Series, PTX Series, SRX Series, T Series) Reject incoming IPv6 packets with a zero hop limit value in their header.
  • no-ipv6-reject-zero-hop-limit—Allow incoming IPv6 packets with a zero hop limit value in their header.

no-tcp-reset
(SRX Series and vSRX) Do not send a RST TCP packet (a packet with the reset flag set) in response to a TCP packet received on a non-listening port.

When no-tcp-reset is not enabled, a device sends a TCP packet with the RST flag when a TCP packet is received on a non-listening port and drops the connection. This might lead to a security risk. Configuring this statement prevents the sending of RST TCP packets to non-listening ports.

You must configure this statement with one of two options:

  • drop-all-tcp—When a TCP segment is received on a closed port, the device drops the packet and does not send back a RST segment. This helps to protect against stealth port scans.

  • drop-tcp-with-syn-only—When a TCP packet with a SYN bit is received on a non-listening port, the device drops the packet and does not send back a RST segment, which makes the device appear as a black hole. For all other TCP packets, the device sends back a RST segment and does not drop the packet.

no-tcp-rfc1323
(EX Series, PTX Series, SRX Series only) Configure the Junos OS to disable RFC 1323 TCP extensions.

no-tcp-rfc1323-paws
(EX Series, M Series, MX Series, PTX Series, SRX Series, T Series only) Configure the Junos OS to disable the RFC 1323 Protection Against Wrapped Sequence (PAWS) number extension.

path-mtu-discovery
(ACX Series, EX Series, Junos Fusion, OCX Series, PTX Series, QFX Series, SRX Series, T Series) Configure path MTU discovery for outgoing Transmission Control Protocol (TCP) connections. By default, path MTU discovery is enabled.
  • no-path-mtu-discovery—Path MTU discovery is disabled.

source-port
(SRX Series only) Configure the range of port addresses starting in Junos OS Release 11.1 for the QFX Series and Junos OS Release 14.1X53-D20 for the OCX Series.

Values:

  • upper-limit upper-limit—(Optional) The range of port addresses can be a value from 5000 through 65,355.

source-quench
(M Series, MX Series, SRX Series, T Series only) Configure how the Junos OS handles Internet Control Message Protocol (ICMP) source quench messages. By default, the Junos OS reacts to ICMP source quench messages.
  • no-source-quench—Do not react to incoming ICMP source quench messages.

tcp-drop-synfin-set
(EX Series, M Series, MX Series, PTX Series, SRX Series, T Series only) Configure the router or switch to drop packets that have both the SYN and FIN bits set.
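
The following audit script is an added example, not part of the Juniper documentation. It checks set-format configuration lines for the tcp-drop-synfin-set, no-tcp-reset, and ICMP rate-limit statements described above. It assumes an SRX Series device and that the statements sit under `set system internet-options`, since the Hierarchy Level section of this page is empty; the sample configuration is constructed.

```python
PREFIX = "set system internet-options "  # assumed hierarchy: [edit system]
RATE_MAX = 4294967295  # upper bound of both rate-limit ranges listed above

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
set system host-name lab-srx
set system internet-options icmpv4-rate-limit packet-rate 100
set system internet-options icmpv4-rate-limit bucket-size 5
set system internet-options icmpv6-rate-limit packet-rate 9999999999
set system internet-options no-tcp-reset drop-tcp-with-syn-only
"""

def parse_internet_options(text):
    """Map each internet-options statement to the argument lists seen for it."""
    options = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(PREFIX):
            tokens = line[len(PREFIX):].split()
            if tokens:
                options.setdefault(tokens[0], []).append(tokens[1:])
    return options

def audit(text):
    """Return (statement, finding) tuples for settings worth reviewing."""
    opts = parse_internet_options(text)
    findings = []
    if "tcp-drop-synfin-set" not in opts:
        findings.append(("tcp-drop-synfin-set", "not set"))
    modes = [args[0] for args in opts.get("no-tcp-reset", []) if args]
    if not modes:
        findings.append(("no-tcp-reset", "not set; RST is sent for non-listening ports"))
    elif modes[-1] == "drop-tcp-with-syn-only":
        findings.append(("no-tcp-reset", "RST is still sent for non-SYN segments"))
    for stmt in ("icmpv4-rate-limit", "icmpv6-rate-limit"):
        for args in opts.get(stmt, []):
            # Arguments come as "<parameter> <value>" pairs.
            for name, value in zip(args[0::2], args[1::2]):
                if not value.isdigit() or int(value) > RATE_MAX:
                    findings.append((stmt, f"{name} {value} outside 0..{RATE_MAX}"))
    return findings

if __name__ == "__main__":
    for statement, finding in audit(SAMPLE_CONFIG):
        print(f"{statement}: {finding}")
```
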

The remaining statements are explained separately. Search for a statement in CLI Explorer or click a linked statement in the Syntax section for details.

Required Privilege Level

admin—To view this statement in the configuration.

admin-control—To add this statement to the configuration.