Configuring Internet Options (NSM Procedure)

You can configure the system Internet Protocol (IP) options to protect the system against certain types of Denial of Service (DoS) attacks.

To configure internet options:

  1. In the NSM navigation tree, select Device Manager > Devices.
  2. Click the Device Tree tab, and then double-click the device for which you want to configure the internet options.
  3. Click the Configuration tab. In the configuration tree, select System > Internet Options.
  4. Add or modify the settings as specified in Table 183.
  5. Click one:
    • OK—Saves the changes.
    • Cancel—Cancels the modifications.
    • Apply—Applies the internet options configuration settings.

Table 183: Internet Options Configuration Details

Option: Comment
Function: Supplies a descriptive comment for the internet option.
Your Action: (Optional) Enter a comment.

Option: None / path-mtu-discovery / no-path-mtu-discovery
Function: Specifies that you can determine the Maximum Transmission Unit (MTU) size on the network path between two IP hosts.
Your Action: Select an option.

  • path-mtu-discovery: Path MTU discovery is enabled.
  • no-path-mtu-discovery: Path MTU discovery is disabled.
  • None: Path MTU discovery is neither enabled nor disabled.

Option: None / gre-path-mtu-discovery / no-gre-path-mtu-discovery
Function: Specifies that you can configure path MTU discovery for outgoing Generic Routing Encapsulation (GRE) tunnel connections.
Your Action: Select an option.

  • gre-path-mtu-discovery: GRE path MTU discovery is enabled.
  • no-gre-path-mtu-discovery: GRE path MTU discovery is disabled.
  • None: GRE path MTU discovery is neither enabled nor disabled.

Option: None / ipip-path-mtu-discovery / no-ipip-path-mtu-discovery
Function: Specifies that you can configure path MTU discovery for outgoing IP-IP tunnel connections.
Your Action: Select an option.

  • ipip-path-mtu-discovery: IP-IP path MTU discovery is enabled.
  • no-ipip-path-mtu-discovery: IP-IP path MTU discovery is disabled.
  • None: IP-IP path MTU discovery is neither enabled nor disabled.

Option: None / source-quench / no-source-quench
Function: Specifies how the Junos OS handles Internet Control Message Protocol (ICMP) source quench messages.
Your Action: Select an option.

  • source-quench: The Junos OS ignores the ICMP source quench messages.
  • no-source-quench: The Junos OS does not ignore the ICMP source quench messages.
  • None: ICMP source quench message handling is neither enabled nor disabled.

Option: Tcp Drop Synfin Set
Function: Specifies that TCP packets that have both the SYN and FIN flags set can be dropped.
Your Action: Select Tcp Drop Synfin Set to enable this feature.

Option: No Tcp Rfc1323
Function: Specifies that you can configure the Junos OS to disable RFC 1323 TCP extensions.
Your Action: Select No Tcp Rfc1323 to enable this feature.

Option: No Tcp Rfc1323 Paws
Function: Specifies that you can configure the Junos OS to disable the RFC 1323 Protection Against Wrapped Sequence (PAWS) number extension.
Your Action: Select No Tcp Rfc1323 Paws to enable this feature.

Option: None / ipv6-reject-zero-hop-limit / no-ipv6-reject-zero-hop-limit
Function: Specifies that you can enable and disable rejection of incoming IPv6 packets that have a zero hop-limit value in their header.
Your Action: Select an option.

  • ipv6-reject-zero-hop-limit: Rejection of incoming IPv6 packets that have a zero hop-limit value is enabled.
  • no-ipv6-reject-zero-hop-limit: Rejection of incoming IPv6 packets that have a zero hop-limit value is disabled.
  • None: Rejection of incoming IPv6 packets that have a zero hop-limit value is neither enabled nor disabled.

Option: IPv6 Duplicate Addr Detection Transmits
Function: Controls the number of attempts for IPv6 duplicate address detection.
Your Action: Set the number of attempts. Range: 0 - 4,294,967,295. Default value is 3.

Option: None / ipv6-path-mtu-discovery / no-ipv6-path-mtu-discovery
Function: Specifies that you can configure path MTU discovery for IPv6 packets.
Your Action: Select an option.

  • ipv6-path-mtu-discovery: IPv6 path MTU discovery is enabled.
  • no-ipv6-path-mtu-discovery: IPv6 path MTU discovery is disabled.
  • None: IPv6 path MTU discovery is neither enabled nor disabled.

Option: IPv6 Path Mtu Discovery Timeout
Function: Specifies the IPv6 path MTU discovery timeout.
Your Action: Set the IPv6 path MTU discovery timeout. Range: 0 - 4,294,967,295. Default value is 10.

Option: No Tcp Reset
Function: Specifies that the system does not send a TCP reset (RST) packet in response to packets sent to non-listening ports.
Your Action: Select an option from the list.

Internet Options > Icmpv4 Rate Limit / Icmpv6 Rate Limit

Option: Comment
Function: Supplies a descriptive comment for the ICMPv4/ICMPv6 rate limit.
Your Action: (Optional) Enter a comment.

Option: Packet Rate
Function: Specifies the number of ICMP rate-limiting packets earned per second.
Your Action: Set the packet rate value. Range: 0 - 4,294,967,295. Default value is 1,000.

Option: Bucket Size
Function: Specifies the maximum bucket size for the ICMP rate limit.
Your Action: Set the bucket size value. Range: 0 - 4,294,967,295. Default value is 5.

Internet Options > Source Port

Option: Comment
Function: Supplies a descriptive comment for the source port.
Your Action: (Optional) Enter a comment.

Option: Upper Limit
Function: Specifies the upper limit of the source port selection range.
Your Action: Set the upper limit value. Range: 5,000 - 65,535. Default value is none.
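
The interaction between Packet Rate and Bucket Size under Icmpv4 Rate Limit / Icmpv6 Rate Limit can be seen in a small token-bucket model. This is an added example, not Juniper or NSM code; it assumes that Bucket Size counts seconds of accumulated Packet Rate (capacity = rate x size), and the function names and traffic sample are constructed for illustration.

```python
def simulate_icmp_rate_limit(arrivals, packet_rate=1000, bucket_size=5):
    """Replay (time_s, packet_count) arrivals, sorted by time, through a
    token bucket. Returns a list of (time_s, passed, dropped) tuples."""
    capacity = packet_rate * bucket_size   # assumption: size is in seconds
    tokens = capacity                      # the bucket starts full
    last = arrivals[0][0] if arrivals else 0.0
    results = []
    for t, count in arrivals:
        # Earn packet_rate tokens per elapsed second, capped at capacity.
        tokens = min(capacity, tokens + (t - last) * packet_rate)
        last = t
        passed = min(count, int(tokens))
        tokens -= passed
        results.append((t, passed, count - passed))
    return results


def totals(arrivals, **limits):
    """Return (passed, dropped) summed over the whole replay."""
    results = simulate_icmp_rate_limit(arrivals, **limits)
    return sum(r[1] for r in results), sum(r[2] for r in results)


# Constructed sample: normal load of 200 ICMP packets per second, a
# three-second flood of 20,000 per second, then normal load again.
FLOOD = [(0.0, 200), (1.0, 200), (2.0, 20000),
         (3.0, 20000), (4.0, 20000), (10.0, 200)]

if __name__ == "__main__":
    for size in (5, 1):
        passed, dropped = totals(FLOOD, packet_rate=1000, bucket_size=size)
        print(f"bucket_size={size}: passed={passed} dropped={dropped}")
```

Under this model the bucket size only sets how large a burst passes before the limit takes effect; once the bucket is empty, throughput during the flood is capped at the packet rate regardless of bucket size.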
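
What the Tcp Drop Synfin Set and ipv6-reject-zero-hop-limit options match on can be shown with a short header check over raw packets. This is an added example, not Junos OS code; the `verdict` function, its verdict strings, and the sample packets (documentation addresses, constructed ports) are assumptions made for illustration.

```python
import ipaddress
import struct

SYN, FIN = 0x02, 0x01   # TCP flag bits (byte 13 of the TCP header)
TCP = 6                 # IPv4 protocol / IPv6 next-header number for TCP


def verdict(packet, tcp_drop_synfin_set=True, ipv6_reject_zero_hop_limit=True):
    """Classify one raw IP packet (bytes) as 'accept' or 'drop:<reason>'."""
    if not packet:
        return "drop:truncated"
    version = packet[0] >> 4
    if version == 4:
        ihl = (packet[0] & 0x0F) * 4          # header length incl. IP options
        if ihl < 20 or len(packet) < ihl:
            return "drop:truncated"
        proto, l4 = packet[9], packet[ihl:]
    elif version == 6:
        if len(packet) < 40:
            return "drop:truncated"
        if ipv6_reject_zero_hop_limit and packet[7] == 0:   # hop-limit byte
            return "drop:ipv6-zero-hop-limit"
        # Simplification: extension headers are not walked.
        proto, l4 = packet[6], packet[40:]
    else:
        return "drop:unknown-version"
    if proto == TCP and len(l4) >= 14:
        flags = l4[13]
        if tcp_drop_synfin_set and flags & SYN and flags & FIN:
            return "drop:tcp-syn-fin"
    return "accept"


def _tcp(flags):
    # Constructed 20-byte TCP header: ports 40000 -> 179, data offset 5.
    return struct.pack("!HHIIBBHHH", 40000, 179, 1, 0, 5 << 4, flags, 1024, 0, 0)


def ipv4_tcp(flags):
    src, dst = (ipaddress.ip_address(a).packed for a in ("192.0.2.1", "198.51.100.1"))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, TCP, 0, src, dst) + _tcp(flags)


def ipv6_tcp(flags, hop_limit=64):
    src, dst = (ipaddress.ip_address(a).packed for a in ("2001:db8::1", "2001:db8::2"))
    return struct.pack("!IHBB16s16s", 6 << 28, 20, TCP, hop_limit, src, dst) + _tcp(flags)
```

A legitimate TCP segment never carries SYN and FIN together, so the SYN+FIN check costs nothing for normal traffic.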
