Example: Blocking Packets with SYN and FIN Flags Set

This example shows how to create a screen to block packets with the SYN and FIN flags set.

Requirements

Before you begin, understand how TCP headers with SYN and FIN flags work. See Understanding TCP Headers with SYN and FIN Flags Set.

Overview

A TCP header with both the SYN and FIN flags set causes different responses from a targeted device depending on the OS it is running. The syn-fin screen, once enabled for a security zone, blocks such packets.

In this example, you create a screen called screen-1 in a security zone to block packets with the SYN and FIN flags set.
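The check the syn-fin screen performs is a simple one on the TCP control bits: SYN and FIN must never both be set in a legitimate segment. The following Python example is added here and is not part of the original Juniper documentation or the SRX implementation; it parses the 6 flag bits out of a raw 20-byte TCP header and applies the same drop-or-pass decision to a handful of constructed sample segments (the sample headers, port numbers and the helper names are all assumptions for illustration).

```python
import struct

# TCP control bits, low 6 bits of the offset/flags field (RFC 793 layout).
TCP_FIN = 0x01
TCP_SYN = 0x02
TCP_RST = 0x04
TCP_PSH = 0x08
TCP_ACK = 0x10
TCP_URG = 0x20


def tcp_flags(tcp_header: bytes) -> int:
    """Return the 6 control bits from a raw TCP header (minimum 20 bytes)."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    # Bytes 12-13: data offset (4 bits), reserved (6 bits), control bits (6 bits).
    offset_flags = struct.unpack("!H", tcp_header[12:14])[0]
    return offset_flags & 0x3F


def syn_fin_set(tcp_header: bytes) -> bool:
    """Same condition the syn-fin screen matches: SYN and FIN both set."""
    both = TCP_SYN | TCP_FIN
    return tcp_flags(tcp_header) & both == both


def screen_decision(tcp_header: bytes) -> str:
    """'drop' for a SYN+FIN segment, 'pass' for anything else."""
    return "drop" if syn_fin_set(tcp_header) else "pass"


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0, window=65535):
    """Construct a minimal 20-byte TCP header for testing (checksum left 0)."""
    data_offset = 5  # five 32-bit words, no options
    offset_flags = (data_offset << 12) | (flags & 0x3F)
    return struct.pack(
        "!HHIIHHHH", src_port, dst_port, seq, ack, offset_flags, window, 0, 0
    )


# Constructed sample segments (hypothetical ports), not captured traffic.
SAMPLE_SEGMENTS = {
    "normal SYN":  build_tcp_header(40000, 80, TCP_SYN),
    "SYN+ACK":     build_tcp_header(80, 40000, TCP_SYN | TCP_ACK),
    "FIN+ACK":     build_tcp_header(40000, 80, TCP_FIN | TCP_ACK),
    "SYN+FIN":     build_tcp_header(40000, 80, TCP_SYN | TCP_FIN),
    "SYN+FIN+ACK": build_tcp_header(40000, 80, TCP_SYN | TCP_FIN | TCP_ACK),
}


if __name__ == "__main__":
    for name, seg in SAMPLE_SEGMENTS.items():
        print(f"{name:12s} flags=0x{tcp_flags(seg):02x} -> {screen_decision(seg)}")
```

Only the two SYN+FIN segments are reported as dropped; the ordinary handshake and teardown segments pass, which is the behaviour you want from the screen.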

Configuration

Step-by-Step Procedure

To block packets with both the SYN and FIN flags set:

  1. Configure the screen.
     [edit]
     user@host# set security screen ids-option screen-1 tcp syn-fin
  2. Enable the screen in the security zone.
     [edit]
     user@host# set security zones security-zone zone-1 screen screen-1
  3. If you are done configuring the device, commit the configuration.
     [edit]
     user@host# commit

Verification

To verify that the configuration is working properly, enter the show security command.