Configuring Default Deny-All and Reject Rules

By default, security devices running Junos OS deny traffic unless rules are explicitly created to allow it using the following command:

You can configure your security devices running Junos OS to enforce the following default reject rules with logging on all network traffic:

  • Invalid fragments

  • Fragmented IP packets that cannot be reassembled completely

  • Where the source address is equal to the address of the network interface

  • Where the source address does not belong to the networks associated with the network interface

  • Where the source address is defined as being on a broadcast network

  • Where the source address is defined as being on a multicast network

  • Where the source address is defined as being a loopback address

  • Where the source address is a multicast address

  • Where the source or destination address is a link-local address

  • Where the source or destination address is defined as being an address “reserved for future use” as specified in RFC 5735 for IPv4

  • Where the source or destination address is defined as an “unspecified address” or an address “reserved for future definition and use” as specified in RFC 3513 for IPv6

  • Where the IP option Loose Source Routing, Strict Source Routing, or Record Route is specified
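The following configuration snippet is an added example, not taken from this guide or from Juniper's own text: it shows one way to implement the explicit default deny with logging and the packet-level reject rules above using Junos screen (IDS option) profiles. The zone names trust and untrust, the screen profile name cc-screen, and the policy and log file names are assumptions; the screen options shown cover the invalid-option, source-route, record-route, fragment and spoofed-source checks, while the address-range checks in the list (loopback, multicast, link-local, unspecified and reserved addresses) are not separately configurable through these commands.

```junos
# Added example, not from the Juniper guide. Assumed names: zones trust/untrust,
# screen profile cc-screen, policy log-default-deny, syslog file security-log.

# 1. Make the implicit deny explicit and log it. default-policy deny-all alone
#    drops silently, so a catch-all global policy is added to generate the log.
set security policies default-policy deny-all
set security policies global policy log-default-deny match source-address any
set security policies global policy log-default-deny match destination-address any
set security policies global policy log-default-deny match application any
set security policies global policy log-default-deny then deny
set security policies global policy log-default-deny then log session-init

# 2. Screen profile rejecting the packet classes listed above.
set security screen ids-option cc-screen ip bad-option
set security screen ids-option cc-screen ip source-route-option
set security screen ids-option cc-screen ip loose-source-route-option
set security screen ids-option cc-screen ip strict-source-route-option
set security screen ids-option cc-screen ip record-route-option
set security screen ids-option cc-screen ip spoofing
set security screen ids-option cc-screen ip tear-drop
set security screen ids-option cc-screen icmp fragment

# 3. Bind the screen to every zone that receives traffic; screens are
#    enforced on ingress, so an unbound zone is unprotected.
set security zones security-zone untrust screen cc-screen
set security zones security-zone trust screen cc-screen

# 4. Keep security logs on-box so the deny and screen events are recorded.
set security log mode event
set system syslog file security-log any any
```

After committing, `show security screen ids-option cc-screen` confirms the active checks, `show security screen statistics zone untrust` shows counters incrementing as packets are rejected, and `show security policies` should list the global `log-default-deny` policy last, after every permit rule. Screen drops are logged even when the matching session-level policy would not be, so the counters and the security-log file are the two places to verify enforcement.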