    Configuring Internet Options (NSM Procedure)

    You can configure the system Internet Protocol (IP) options to protect the system against certain types of Denial of Service (DoS) attacks.

    To configure internet options:

    1. In the NSM navigation tree, select Device Manager > Devices.
    2. Click the Device Tree tab, and then double-click the device for which you want to configure the internet options.
    3. Click the Configuration tab. In the configuration tree, select System > Internet Options.
    4. Add or modify the settings as specified in Table 1.
    5. Click one:
      • OK—Saves the changes.
      • Cancel—Cancels the modifications.
      • Apply—Applies the internet options configuration settings.

    Table 1: Internet Options Configuration Details

    Option | Function | Your Action

    Comment

    Supplies a descriptive comment for the internet option.

    (Optional) Enter a comment.

    None / path-mtu-discovery / no-path-mtu-discovery

    Specifies that you can determine the Maximum Transmission Unit (MTU) size on the network path between two IP hosts.

    Select an option.

    • path-mtu-discovery: Path MTU discovery is enabled.
    • no-path-mtu-discovery: Path MTU discovery is disabled.
    • None: Path MTU discovery is neither enabled nor disabled.

    None / gre-path-mtu-discovery / no-gre-path-mtu-discovery

    Specifies that you can configure a path MTU discovery for outgoing Generic Routing Encapsulation (GRE) tunnel connections.

    Select an option.

    • gre-path-mtu-discovery: GRE path MTU discovery is enabled.
    • no-gre-path-mtu-discovery: GRE path MTU discovery is disabled.
    • None: GRE path MTU discovery is neither enabled nor disabled.

    None / ipip-path-mtu-discovery / no-ipip-path-mtu-discovery

    Specifies that you can configure path MTU discovery for outgoing IP-IP tunnel connections.

    Select an option.

    • ipip-path-mtu-discovery: IP-IP path MTU discovery is enabled.
    • no-ipip-path-mtu-discovery: IP-IP path MTU discovery is disabled.
    • None: IP-IP path MTU discovery is neither enabled nor disabled.

    None / source-quench / no-source-quench

    Specifies how Junos OS handles Internet Control Message Protocol (ICMP) source quench messages.

    Select an option.

    • source-quench: The Junos OS ignores the ICMP source quench messages.
    • no-source-quench: The Junos OS does not ignore the ICMP source quench messages.
    • None: ICMP source quench message is neither enabled nor disabled.

    Tcp Drop Synfin Set

    Specifies that TCP packets that have both the SYN and FIN flags set can be dropped.

    Select Tcp Drop Synfin Set to enable this feature.

    No Tcp Rfc1323

    Specifies that you can configure the Junos OS to disable RFC 1323 TCP extensions.

    Select No Tcp Rfc1323 to enable this feature.

    No Tcp Rfc1323 Paws

    Specifies that you can configure the Junos OS to disable the RFC 1323 Protection Against Wrapped Sequence (PAWS) number extension.

    Select No Tcp Rfc1323 Paws to enable this feature.

    None / ipv6-reject-zero-hop-limit / no-ipv6-reject-zero-hop-limit

    Specifies that you can enable and disable rejection of incoming IPv6 packets that have a zero hop-limit value in their header.

    Select an option.

    • ipv6-reject-zero-hop-limit: Rejection of incoming IPv6 packets that have a zero hop-limit value is enabled.
    • no-ipv6-reject-zero-hop-limit: Rejection of incoming IPv6 packets that have a zero hop-limit value is disabled.
    • None: Rejection of incoming IPv6 packets that have a zero hop-limit value is neither enabled nor disabled.

    IPv6 Duplicate Addr Detection Transmits

    Specifies the number of IPv6 duplicate address detection attempts.

    Set the number of attempts. Range: 0 - 4,294,967,295. Default value is 3.

    None / ipv6-path-mtu-discovery / no-ipv6-path-mtu-discovery

    Specifies that you can configure path MTU discovery for IPv6 packets.

    Select an option.

    • ipv6-path-mtu-discovery: IPv6 path MTU discovery is enabled.
    • no-ipv6-path-mtu-discovery: IPv6 path MTU discovery is disabled.
    • None: IPv6 path MTU discovery is neither enabled nor disabled.

    IPv6 Path Mtu Discovery Timeout

    Specifies the IPv6 path MTU discovery timeout.

    Set the IPv6 path MTU discovery timeout. Range: 0 - 4,294,967,295. Default value is 10.

    No Tcp Reset

    Specifies that TCP reset (RST) packets are not sent in response to packets sent to non-listening ports.

    Select an option from the list.

    Internet Options > Icmpv4 Rate Limit / Icmpv6 Rate Limit

    Comment

    Supplies a descriptive comment for the ICMPv4/ICMPv6 rate limit.

    (Optional) Enter a comment.

    Packet Rate

    Specifies the number of ICMP rate-limiting packets earned per second.

    Set the packet rate value. Range: 0 - 4,294,967,295. Default value is 1,000.

    Bucket Size

    Specifies the maximum bucket size for the ICMP rate limit.

    Set the bucket size value. Range: 0 - 4,294,967,295. Default value is 5.

    Internet Options > Source Port

    Comment

    Supplies a descriptive comment for the source port.

    (Optional) Enter a comment.

    Upper Limit

    Specifies the upper limit of the source port selection range.

    Set the upper limit value. Range: 5,000 - 65,535. Default value is none.
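
The two header checks behind the Tcp Drop Synfin Set and ipv6-reject-zero-hop-limit rows of Table 1, written out on raw packet bytes. This is an added example, not Juniper code and not part of the original page; the function names and sample packets are constructed, and it assumes TCP directly follows the fixed IPv6 header (no extension headers).

```python
import struct

FIN, SYN = 0x01, 0x02          # TCP flag bits (TCP header byte 13)
PROTO_TCP = 6                  # IPv4 protocol / IPv6 next-header value for TCP

def verdict(packet: bytes, drop_synfin: bool = True, reject_zero_hop: bool = True) -> str:
    """Hypothetical helper: apply the two header checks to one raw IP packet."""
    if len(packet) < 20:
        raise ValueError("truncated IP header")
    version = packet[0] >> 4
    if version == 4:
        header_len = (packet[0] & 0x0F) * 4        # IHL is counted in 32-bit words
        if header_len < 20:
            raise ValueError("invalid IPv4 header length")
        proto = packet[9]
    elif version == 6:
        if len(packet) < 40:
            raise ValueError("truncated IPv6 header")
        if reject_zero_hop and packet[7] == 0:     # byte 7 is the hop limit
            return "reject-zero-hop-limit"
        header_len, proto = 40, packet[6]          # byte 6 is the next header
    else:
        raise ValueError("not an IP packet")
    if proto == PROTO_TCP and drop_synfin:
        tcp = packet[header_len:]
        if len(tcp) < 20:
            raise ValueError("truncated TCP header")
        if tcp[13] & SYN and tcp[13] & FIN:        # both flags in one segment
            return "drop-synfin"
    return "accept"

# Constructed sample packets (documentation addresses, zeroed checksums).
def tcp_header(flags: int) -> bytes:
    return struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 5 << 4, flags, 1024, 0, 0)

def ipv4_packet(tcp: bytes) -> bytes:
    src, dst = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                       PROTO_TCP, 0, src, dst) + tcp

def ipv6_packet(tcp: bytes, hop_limit: int) -> bytes:
    src = bytes.fromhex("20010db8" + "00" * 11 + "01")
    dst = bytes.fromhex("20010db8" + "00" * 11 + "02")
    return struct.pack("!IHBB16s16s", 6 << 28, len(tcp), PROTO_TCP,
                       hop_limit, src, dst) + tcp

if __name__ == "__main__":
    for name, pkt in [("v4 SYN", ipv4_packet(tcp_header(SYN))),
                      ("v4 SYN+FIN", ipv4_packet(tcp_header(SYN | FIN))),
                      ("v6 SYN, hop limit 0", ipv6_packet(tcp_header(SYN), 0))]:
        print(f"{name:22} -> {verdict(pkt)}")
```

Passing `drop_synfin=False` or `reject_zero_hop=False` models the option being left unselected, so the same packet is accepted.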

    Published: 2013-01-06