internet-options

Syntax

The following section lists all possible options for the internet-options command. The options that appear may vary depending on the platform and software release.

Hierarchy Level

Description

Configure system IP options to protect against certain types of DoS attacks.

Junos OS Evolved supports only the ipv6-duplicate-addr-detection-transmits option.

Options

gre-path-mtu-discovery

Configure path MTU discovery for outgoing GRE tunnel connections. By default, path MTU discovery is enabled.

  • no-gre-path-mtu-discovery—Path MTU discovery is disabled.

icmpv4-rate-limit

Configure rate-limiting parameters for ICMPv4 messages sent.

  • Values:

    • bucket-size seconds—Number of seconds in the rate-limiting bucket. Range: 0 through 4294967295 seconds. Default: 5.

    • packet-rate pps—Rate-limiting packets earned per second. Range: 0 through 4294967295 pps. Default: 1000.

icmpv6-rate-limit

Configure rate-limiting parameters for ICMPv6 messages sent.

  • Values:

    • bucket-size seconds—Number of seconds in the rate-limiting bucket. Range: 0 through 4294967295 seconds. Default: 5.

    • packet-rate pps—Rate-limiting packets earned per second. Range: 0 through 4294967295 pps. Default: 1000.

ipip-path-mtu-discovery

Configure path MTU discovery for outgoing IP-IP tunnel connections. By default, path MTU discovery is enabled.

  • no-ipip-path-mtu-discovery—Path MTU discovery is disabled.

ipv6-duplicate-addr-detection-transmits

Control the number of attempts for IPv6 duplicate address detection.

  • Range: 0 to 20

  • Default: 3

ipv6-path-mtu-discovery

Configure path MTU discovery for IPv6 packets. By default, IPv6 path MTU discovery is enabled.

  • no-ipv6-path-mtu-discovery—IPv6 path MTU discovery is disabled.

ipv6-path-mtu-discovery-timeout

Set the IPv6 path MTU discovery time-out interval.

  • Values: minutes—IPv6 path MTU discovery timeout.

  • Default: 10 minutes.

ipv6-reject-zero-hop-limit

Reject incoming IPv6 packets with a zero hop-limit value in their header. This is enabled by default.

  • no-ipv6-reject-zero-hop-limit—Allow incoming IPv6 packets with a zero hop-limit value in their header.

no-tcp-reset

Do not send an RST TCP packet (a packet with the reset flag set) in response to a TCP packet received on a non-listening port.

By default, when a TCP packet is received on a non-listening port, a device sends a TCP packet with the RST flag set and drops the connection. This might lead to a security risk. Configuring this statement prevents the sending of RST TCP packets to non-listening ports.

You must configure this statement with one of two options:

  • drop-all-tcp—When a TCP segment is received on a closed port, the device drops the packet and does not send back a RST segment. This helps to protect against stealth port scans.

  • drop-tcp-with-syn-only—When a TCP packet with a SYN bit is received on a non-listening port, the device drops the packet and does not send back a RST segment, which makes the device appear as a null route. For all other TCP packets, the device sends back a RST segment and does not drop the packet.

no-tcp-rfc1323

Configure the Junos OS to disable RFC 1323 TCP extensions.

no-tcp-rfc1323-paws

Configure the Junos OS to disable the RFC 1323 Protection Against Wrapped Sequence (PAWS) number extension.

path-mtu-discovery

Configure path MTU discovery for outgoing Transmission Control Protocol (TCP) connections. By default, path MTU discovery is enabled.

  • no-path-mtu-discovery—Path MTU discovery is disabled.

source-port

Configure the range of port addresses.

  • Values:

    • upper-limit upper-limit—(Optional) The range of port addresses can be a value from 5000 through 65,355.

source-quench

Configure how the Junos OS handles Internet Control Message Protocol (ICMP) source quench messages. By default, the Junos OS reacts to ICMP source quench messages.

  • no-source-quench—Do not react to incoming ICMP source quench messages.

tcp-drop-synfin-set

Configure the device to drop packets that have both the SYN and FIN bits set.

The remaining statements are explained separately. Search for a statement in CLI Explorer or click a linked statement in the Syntax section for details.
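The following audit script is an added example, not Juniper code: it checks a configuration in `display set` form against the option constraints listed above (the two required `no-tcp-reset` modes, the rate-limit and duplicate-address-detection ranges) and flags where DoS protections are absent or switched off. The `set system internet-options` prefix, the function name, and the sample lines are assumptions made for the example.

```python
U32_MAX = 4294967295                      # upper bound of both rate-limit ranges
PREFIX = "set system internet-options "   # assumed hierarchy, not given on the page
NO_RST_MODES = ("drop-all-tcp", "drop-tcp-with-syn-only")

def audit_internet_options(display_set_text):
    """Return (severity, message) findings for the DoS-related options."""
    opts = {}                             # option name -> list of argument lists
    for line in display_set_text.splitlines():
        line = line.strip()
        if line.startswith(PREFIX):
            words = line[len(PREFIX):].split()
            opts.setdefault(words[0], []).append(words[1:])
    findings = []
    # no-tcp-reset is only valid with one of its two modes.
    if "no-tcp-reset" not in opts:
        findings.append(("warn", "no-tcp-reset not set: RST sent for non-listening ports"))
    elif not any(a and a[0] in NO_RST_MODES for a in opts["no-tcp-reset"]):
        findings.append(("error", "no-tcp-reset needs drop-all-tcp or drop-tcp-with-syn-only"))
    if "tcp-drop-synfin-set" not in opts:
        findings.append(("warn", "tcp-drop-synfin-set not set"))
    # The no- form turns off a protection that is enabled by default.
    if "no-ipv6-reject-zero-hop-limit" in opts:
        findings.append(("warn", "zero hop-limit IPv6 packets are accepted"))
    # bucket-size and packet-rate share the range 0 through 4294967295.
    for name in ("icmpv4-rate-limit", "icmpv6-rate-limit"):
        for args in opts.get(name, []):
            for key, val in zip(args[0::2], args[1::2]):
                if not (val.isdigit() and int(val) <= U32_MAX):
                    findings.append(("error", f"{name} {key} {val}: outside 0..{U32_MAX}"))
    for args in opts.get("ipv6-duplicate-addr-detection-transmits", []):
        if not (args and args[0].isdigit() and 0 <= int(args[0]) <= 20):
            findings.append(("error", f"DAD transmits {' '.join(args)}: outside 0..20"))
    return findings

# Constructed sample input, not taken from a real device.
SAMPLE = """\
set system host-name lab-r1
set system internet-options icmpv4-rate-limit packet-rate 1000
set system internet-options icmpv4-rate-limit bucket-size 5
set system internet-options no-tcp-reset
set system internet-options no-ipv6-reject-zero-hop-limit
set system internet-options ipv6-duplicate-addr-detection-transmits 25
"""

if __name__ == "__main__":
    for severity, message in audit_internet_options(SAMPLE):
        print(f"{severity:5} {message}")
```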

Required Privilege Level

admin—To view this statement in the configuration.

admin-control—To add this statement to the configuration.

Release Information

Statement introduced before Junos OS Release 7.4.

no-tcp-reset introduced in Junos OS Release 9.4.

no-tcp-reset introduced in Junos OS Release 11.1 for SRX Series and vSRX Virtual Firewall devices.

icmpv4-rate-limit and source-port introduced in Junos OS Release 11.1 for the QFX Series and Junos OS Release 14.1X53-D20 for the OCX Series.