




Hierarchy Level

Release Information

Statement introduced in Junos OS Release 9.4.


Do not send RST TCP packets for packets sent to non-listening ports.

By default, a device sends a TCP packet with the RST flag set when it receives a TCP packet on a non-listening port. This can pose a security risk. Configuring this statement prevents the device from sending RST TCP packets for non-listening ports. This is accomplished in one of the following ways:

  • When a TCP SYN segment is received on a port where there is no socket accepting connections, the device returns an RST segment and drops the connection. The device attempting to connect is refused.

  • When a TCP packet with a SYN bit is received, it is dropped and no RST segment is sent back, making the device appear as a blackhole.

  • When a TCP segment without a SYN bit is received on a closed port, it is dropped without sending back an RST segment. This is helpful against stealth port scans.


drop-all-tcp: Drop all TCP packets.
drop-tcp-with-syn-only: Drop only those packets with SYN bit.
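
The following audit check is an added example, not part of the Junos documentation: it reads a configuration export, reports which of the two options is active, and maps that to what a probe to a non-listening port gets back. It assumes the statement is `no-tcp-reset` under `system internet-options` (neither name is shown on this page); the function names and the sample configurations are constructed for illustration.

```python
import re

# Assumption: the statement is `no-tcp-reset` under `system internet-options`.
SET_RE = re.compile(r"^set system internet-options no-tcp-reset (\S+)$")
DEACT_RE = re.compile(r"^deactivate system internet-options( no-tcp-reset)?$")
# Curly-brace format; only an `inactive:` marker on the statement itself is handled.
BRACE_RE = re.compile(r"^(inactive: )?no-tcp-reset ([\w-]+);$")
OPTIONS = ("drop-all-tcp", "drop-tcp-with-syn-only")

def no_tcp_reset_mode(config_text):
    """Return the active option, or None if the device still sends RSTs."""
    mode, deactivated = None, False
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # normalise indentation and spacing
        if not line or line.startswith("#"):
            continue
        if m := SET_RE.match(line):
            mode = m.group(1)
        elif DEACT_RE.match(line):
            deactivated = True
        elif m := BRACE_RE.match(line):
            mode = m.group(2)
            deactivated = deactivated or bool(m.group(1))
    return mode if mode in OPTIONS and not deactivated else None

def closed_port_reply(mode, syn):
    """What a TCP probe to a non-listening port gets back: 'RST' or 'silence'."""
    if mode == "drop-all-tcp":
        return "silence"
    if mode == "drop-tcp-with-syn-only" and syn:
        return "silence"
    return "RST"  # default behaviour, or a non-SYN segment in SYN-only mode

# Constructed sample configurations, not taken from a real device.
SET_CONFIG = """
set system host-name edge-1
set system internet-options no-tcp-reset drop-tcp-with-syn-only
"""
BRACE_CONFIG = """
system {
    internet-options {
        inactive: no-tcp-reset drop-all-tcp;
    }
}
"""

if __name__ == "__main__":
    for name, cfg in (("set", SET_CONFIG), ("brace", BRACE_CONFIG)):
        mode = no_tcp_reset_mode(cfg)
        print(name, mode, closed_port_reply(mode, True), closed_port_reply(mode, False))
```

The second sample shows the case an audit most often misses: the statement is present in the file but marked inactive, so the device still answers with RST.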

Required Privilege Level

system—To view this statement in the configuration.

system-control—To add this statement to the configuration.

Related Documentation