Configuring Default Deny-All and Reject Rules

Security devices running Junos OS deny traffic by default unless rules are explicitly created to allow it. The default deny policy can also be explicitly configured using the following command:

The administrator can configure the security devices running Junos OS to enforce the following default reject rules with logging on all network traffic:

  • Invalid fragments

  • Fragmented IP packets that cannot be reassembled completely

  • Where the source address is equal to the address of the network interface

  • Where the source address does not belong to the networks associated with the network interface

  • Where the source address is defined as being on a broadcast network

  • Where the source address is defined as being on a multicast network

  • Where the source address is defined as being a loopback address

  • Where the source address is a multicast address

  • Where the source or destination address is a link-local address

  • Where the source or destination address is defined as being an address “reserved for future use” (240.0.0.0/4) as specified in RFC 5735 for IPv4 (RFC 5735 has since been obsoleted by RFC 6890, which keeps the same reservation)

  • Where the source or destination address is defined as an “unspecified address” (::) or an address “reserved for future definition and use” as specified in RFC 3513 for IPv6 (RFC 3513 has since been obsoleted by RFC 4291)

  • Where the IP option Loose Source Routing, Strict Source Routing, or Record Route is specified
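As an added example (not configuration from this page or from Juniper's own evaluated-configuration guide), the hierarchical Junos configuration below shows one way to put the explicit default deny from the first paragraph and the reject rules listed above into effect. It pairs a screen profile on the untrust zone (fragments, teardrop, reverse-path source check, and the three IP options) with a global address book of the address categories the list names, a pair of logged deny policies that match those addresses as source or destination, a logged catch-all deny, and the explicit deny-all default policy. The zone names (untrust, trust), interface names (ge-0/0/0.0, ge-0/0/1.0), the screen profile name untrust-screen, the address-book entry and address-set names, and the policy names are assumptions for illustration; the prefixes are the well-known IPv4 and IPv6 ranges for each category.

```junos
security {
    screen {
        /* Assumed profile name. Screens drop and log (RT_SCREEN) by default;
           alarm-without-drop would log only, so it is deliberately absent. */
        ids-option untrust-screen {
            ip {
                /* source address not routable back through the ingress interface */
                spoofing;
                /* fragmented IP packets and overlapping fragments that cannot be reassembled */
                block-frag;
                tear-drop;
                /* packets carrying any source-route or record-route IP option */
                source-route-option;
                loose-source-route-option;
                strict-source-route-option;
                record-route-option;
            }
        }
    }
    zones {
        /* Assumed zone and interface names; screens are applied per ingress zone */
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone trust {
            interfaces {
                ge-0/0/1.0;
            }
        }
    }
    address-book {
        global {
            /* Address categories from the reject-rule list, IPv4 then IPv6 */
            address loopback-v4 127.0.0.0/8;
            address multicast-v4 224.0.0.0/4;
            address link-local-v4 169.254.0.0/16;
            address reserved-v4 240.0.0.0/4;
            address loopback-v6 ::1/128;
            address multicast-v6 ff00::/8;
            address link-local-v6 fe80::/10;
            address-set bogon-addresses {
                address loopback-v4;
                address multicast-v4;
                address link-local-v4;
                address reserved-v4;
                address loopback-v6;
                address multicast-v6;
                address link-local-v6;
            }
        }
    }
    policies {
        from-zone untrust to-zone trust {
            /* Policies are evaluated top down, first match wins: the two bogon
               denies must stay ahead of any permit added to this zone pair. */
            policy deny-bogon-source {
                match {
                    source-address bogon-addresses;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                    log {
                        session-init;
                    }
                }
            }
            policy deny-bogon-destination {
                match {
                    source-address any;
                    destination-address bogon-addresses;
                    application any;
                }
                then {
                    deny;
                    log {
                        session-init;
                    }
                }
            }
            /* Explicit permit policies for allowed traffic belong here. */
            /* Logged catch-all: default-policy deny-all drops silently, so an
               explicit last policy is what produces the log entry per drop. */
            policy deny-log-remaining {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                    log {
                        session-init;
                    }
                }
            }
        }
        default-policy {
            deny-all;
        }
    }
}
```

Load it in configuration mode with `load merge terminal`, run `commit check` before `commit`, and verify ordering with `show security policies from-zone untrust to-trust` (use `insert ... before` if a permit policy ends up ahead of the bogon denies). The `ip spoofing` screen covers the "source does not belong to the ingress networks" rule by a route-table check rather than by address list, and on platforms that are not flow-based for IPv6 by default, `security forwarding-options family inet6 mode flow-based` is needed before the IPv6 entries take part in policy matching.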