Configuring Default Deny-All and Reject Rules
By default, security devices running Junos OS deny traffic unless a security policy explicitly permits it. The default policy is set to deny-all with the following command:
[edit]
user@host# set security policies default-policy deny-all
You can also configure security devices running Junos OS to reject, and log, the following traffic on all network interfaces:
Invalid fragments
Fragmented IP packets that cannot be reassembled completely
Where the source address is equal to the address of the network interface
Where the source address does not belong to the networks associated with the network interface
Where the source address is defined as being on a broadcast network
Where the source address is defined as being on a multicast network
Where the source address is defined as being a loopback address
Where the source address is a multicast packet
Where the source or destination address is a link-local address
Where the source or destination address is defined as being an address “reserved for future use” as specified in RFC 5735 for IPv4
Where the source or destination address is defined as an “unspecified address” or an address “reserved for future definition and use” as specified in RFC 3513 for IPv6
Where the IP option Loose Source Routing, Strict Source Routing, or Record Route is specified
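The configuration below is an added example, not taken from this page or from Juniper's documentation, showing one way to implement the deny-all default together with the reject rules listed above on an SRX-style device. The zone names untrust and trust, the screen name untrust-screen, the address-book object names, the interface ge-0/0/0.0 with the address 203.0.113.1/24, and the policy names are assumptions chosen for the example; the screen, address-book, and policy statements use standard Junos OS security configuration syntax.

```junos
# Added example (not from the Juniper page): deny-all default plus the
# listed reject rules with logging. Zone, screen, address-book, policy,
# and interface names/addresses below are assumptions for illustration.

# 1. Default action for any session that no explicit policy matches.
set security policies default-policy deny-all

# 2. Screen (IDS-option) checks applied to traffic entering the zone:
#    - block-frag / tear-drop: fragmented packets and fragments that
#      cannot be reassembled correctly
#    - spoofing: source addresses not reachable via the ingress interface
#      (source not in the networks associated with the interface)
#    - bad-option / *-source-route-option / record-route-option: malformed
#      IP options and the Loose/Strict Source Routing and Record Route options
set security screen ids-option untrust-screen ip block-frag
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen ip spoofing
set security screen ids-option untrust-screen ip bad-option
set security screen ids-option untrust-screen ip loose-source-route-option
set security screen ids-option untrust-screen ip strict-source-route-option
set security screen ids-option untrust-screen ip record-route-option
set security zones security-zone untrust screen untrust-screen

# 3. Special-purpose ranges from the list, as global address-book objects.
#    IPv4 ranges follow RFC 5735; IPv6 ranges follow RFC 3513/RFC 4291.
set security address-book global address v4-loopback 127.0.0.0/8
set security address-book global address v4-link-local 169.254.0.0/16
set security address-book global address v4-multicast 224.0.0.0/4
set security address-book global address v4-reserved 240.0.0.0/4
set security address-book global address v6-unspecified ::/128
set security address-book global address v6-loopback ::1/128
set security address-book global address v6-link-local fe80::/10
set security address-book global address v6-multicast ff00::/8
# Interface-specific values (assumed: ge-0/0/0.0 is 203.0.113.1/24):
# the interface's own address and its directed-broadcast address.
set security address-book global address ge000-self 203.0.113.1/32
set security address-book global address ge000-broadcast 203.0.113.255/32
set security address-book global address-set bogons address v4-loopback
set security address-book global address-set bogons address v4-link-local
set security address-book global address-set bogons address v4-multicast
set security address-book global address-set bogons address v4-reserved
set security address-book global address-set bogons address v6-unspecified
set security address-book global address-set bogons address v6-loopback
set security address-book global address-set bogons address v6-link-local
set security address-book global address-set bogons address v6-multicast
set security address-book global address-set bogons address ge000-self
set security address-book global address-set bogons address ge000-broadcast

# 4. Explicit deny-and-log policies matching those ranges as source or
#    destination. Policies are evaluated in order, so these must precede
#    any permit policy (use "insert ... before policy <name>" if adding to
#    an existing policy list).
set security policies from-zone untrust to-zone trust policy deny-bogon-src match source-address bogons
set security policies from-zone untrust to-zone trust policy deny-bogon-src match destination-address any
set security policies from-zone untrust to-zone trust policy deny-bogon-src match application any
set security policies from-zone untrust to-zone trust policy deny-bogon-src then deny
set security policies from-zone untrust to-zone trust policy deny-bogon-src then log session-init
set security policies from-zone untrust to-zone trust policy deny-bogon-dst match source-address any
set security policies from-zone untrust to-zone trust policy deny-bogon-dst match destination-address bogons
set security policies from-zone untrust to-zone trust policy deny-bogon-dst match application any
set security policies from-zone untrust to-zone trust policy deny-bogon-dst then deny
set security policies from-zone untrust to-zone trust policy deny-bogon-dst then log session-init

# 5. The default-policy deny-all does not log. A final catch-all policy
#    with logging records what the default would otherwise drop silently.
set security policies from-zone untrust to-zone trust policy log-default-deny match source-address any
set security policies from-zone untrust to-zone trust policy log-default-deny match destination-address any
set security policies from-zone untrust to-zone trust policy log-default-deny match application any
set security policies from-zone untrust to-zone trust policy log-default-deny then deny
set security policies from-zone untrust to-zone trust policy log-default-deny then log session-init

# 6. Send security logs to the local system log (event mode).
set security log mode event
```

After committing, the screen settings can be checked with show security screen ids-option untrust-screen and the policy order with show security policies; the deny-bogon-src, deny-bogon-dst, and log-default-deny policies should appear before any permit policy for the same zone pair. Use "then reject" instead of "then deny" if the device should send a TCP reset or ICMP unreachable rather than dropping silently.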