Example: Blocking Packets With FIN Flag Set and Without ACK Flag Set

This example shows how to create a screen to block packets with the FIN flag set but the ACK flag not set.

Requirements

Before you begin, understand how TCP headers work. See Understanding TCP Headers With FIN Flag Set and Without ACK Flag Set.

Overview

A TCP segment with the FIN flag set normally also has the ACK flag set, acknowledging the data received from the peer. A TCP header with the FIN flag set but the ACK flag not set is therefore anomalous, and different TCP/IP stacks respond to it in different ways. When you enable the fin-no-ack screen option, Junos OS checks whether the FIN flag is set without the ACK flag in the TCP header. If it finds a packet with such a header, it drops the packet.
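As an added example (not Junos OS code and not part of the original page), the following Python script applies the same test the fin-no-ack screen applies, FIN set and ACK clear, to a few constructed 20-byte TCP headers. The port numbers, sequence numbers and helper names are assumptions chosen for illustration; the sample segments are built in the script, not captured traffic.

```python
"""Added example: classify constructed TCP segments with the same test the
fin-no-ack screen applies (FIN set, ACK clear). Not Junos OS code."""
import struct

# TCP flag bits in the flags byte (byte 13 of the header), low bit first.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH",
              ACK: "ACK", URG: "URG", ECE: "ECE", CWR: "CWR"}


def build_tcp_header(src_port, dst_port, seq, ack_num, flags, window=65535):
    """Build a minimal 20-byte TCP header (no options).

    Checksum and urgent pointer are left zero: these are constructed samples
    used to exercise the check, not captured traffic.
    """
    data_offset = 5 << 4          # 5 x 32-bit words, reserved bits zero
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack_num,
                       data_offset, flags, window, 0, 0)


def tcp_flags(segment):
    """Return the flags byte of a raw TCP segment."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13]


def flag_names(flags):
    """Render a flags byte as e.g. 'FIN|ACK' for log output."""
    names = [name for bit, name in FLAG_NAMES.items() if flags & bit]
    return "|".join(names) or "none"


def is_fin_no_ack(segment):
    """True when FIN is set and ACK is clear: the condition fin-no-ack drops."""
    flags = tcp_flags(segment)
    return bool(flags & FIN) and not (flags & ACK)


def screen_fin_no_ack(segments):
    """Apply the check to a list of segments; return (passed, dropped)."""
    passed, dropped = [], []
    for seg in segments:
        (dropped if is_fin_no_ack(seg) else passed).append(seg)
    return passed, dropped


# Constructed sample traffic between two hypothetical hosts (assumed ports).
SAMPLES = [
    build_tcp_header(40000, 443, 1000, 0, SYN),             # handshake start
    build_tcp_header(443, 40000, 5000, 1001, SYN | ACK),    # handshake reply
    build_tcp_header(40000, 443, 1001, 5001, ACK),          # handshake done
    build_tcp_header(40000, 443, 1001, 5001, FIN | ACK),    # normal close
    build_tcp_header(40000, 443, 0, 0, FIN),                # FIN alone: anomalous
    build_tcp_header(40000, 443, 0, 0, FIN | PSH | URG),    # FIN without ACK, extras set
]

if __name__ == "__main__":
    passed, dropped = screen_fin_no_ack(SAMPLES)
    for seg in SAMPLES:
        verdict = "DROP" if is_fin_no_ack(seg) else "pass"
        print(f"{flag_names(tcp_flags(seg)):<12} {verdict}")
    print(f"{len(passed)} passed, {len(dropped)} dropped")
```

The last two samples show the point of the check: the screen keys only on FIN being set while ACK is clear, so a bare FIN and a FIN combined with other flags are both dropped, while the FIN|ACK that ends a normal connection passes.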

In this example, you create a screen called screen-1 to block packets with the FIN flag set but the ACK flag not set.

Configuration

Step-by-Step Procedure

To block packets with the FIN flag set but the ACK flag not set:

  1. Configure the screen.
    [edit]user@host# set security screen ids-option screen-1 tcp fin-no-ack
  2. If you are done configuring the device, commit the configuration.
    [edit]user@host# commit

Verification

To verify that the screen is configured, enter the show security screen ids-option screen-1 command and confirm that the TCP FIN-without-ACK option is listed as enabled. Note that a screen only inspects traffic on the security zones it is applied to; after committing, make sure screen-1 is referenced under the relevant security zone, otherwise no packets are checked.

Related Topics