Everything looks good, other than that the last "then" statement needs to
have an "accept" added. You might want to add a "count *NAME*" to
track the filter.
term check-tcp-initial {
    from {
        protocol tcp;
        tcp-initial;
    }
    then {
        count tcp-initial-log;
        policer TCP-DoS-Check;
        accept;
    }
}
-Julian
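Added example, not code from this thread or from Junos itself: a small Python linter that applies the two checks in the reply above to a Junos filter snippet (every term's "then" clause should carry an explicit terminating action and a count) and reports unbalanced braces. The sample filter is constructed from the quoted question, and the parser assumes the one-statement-per-line layout used in this thread.

```python
TERMINATING = {"accept", "discard", "reject"}     # Junos terminating actions

# Constructed sample: the questioner's term as posted (no accept, no count), closing brace added.
SAMPLE = """\
filter test-DoS-policy {
    term check-tcp-initial {
        from {
            protocol tcp;
            tcp-initial;
        }
        then policer TCP-DoS-Check;
    }
}
"""

def parse_junos(text):
    """Parse Junos curly-brace text into nested dicts; leaf statements map to None."""
    stack = [{}]                                   # stack[-1] is the currently open block
    for raw in text.splitlines():
        line = raw.strip().lstrip(":> ")           # tolerate mailing-list quote prefixes
        if not line or line.startswith("[edit"):
            continue
        if line.endswith("{"):                     # open a nested block
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":                          # close the current block
            if len(stack) == 1:
                raise ValueError("unexpected '}'")
            stack.pop()
        elif line.endswith(";"):                   # leaf statement
            stack[-1][line[:-1].strip()] = None
        else:
            raise ValueError("cannot parse: " + line)
    if len(stack) != 1:
        raise ValueError("%d unclosed block(s)" % (len(stack) - 1))
    return stack[0]

def lint_filters(tree):
    """Warn for each filter term whose 'then' has no terminating action or no count."""
    warns = []
    terms = [(t, b) for f, fb in tree.items() if f.startswith("filter ")
             for t, b in fb.items() if t.startswith("term ")]
    for tkey, term in terms:                       # 'then { a; b; }' block or one-liner 'then a;'
        stmts = (list(term["then"]) if isinstance(term.get("then"), dict)
                 else [k[5:] for k in term if k.startswith("then ")])
        acts = {s.split()[0] for s in stmts}
        if not acts & TERMINATING:
            warns.append(tkey + ": no explicit terminating action")
        if "count" not in acts:
            warns.append(tkey + ": no count to track matches")
    return warns
```

Running `lint_filters(parse_junos(SAMPLE))` reports both findings for the posted term; the corrected term from the reply produces none.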
"tuffgong" wrote in message
news:200109260105.VAA23064@xxxxxxxxxxxxxxxxx
: Out of curiosity and practical interest, I was wondering if someone had a
: good sample for using policers to protect against DoS attacks? I am sure
: that I am missing something, but I was wondering if it would go a little
: something like this:
:
: [edit firewall]
: filter test-DoS-policy {
:     policer TCP-DoS-Check {
:         if-exceeding {
:             bandwidth-limit 200k;
:             burst-size-limit 1500;
:         }
:         then {
:             discard;
:         }
:     }
:     term check-tcp-initial {
:         from {
:             protocol tcp;
:             tcp-initial;
:         }
:         then policer TCP-DoS-Check;
:     }
: }
:
: The numbers I chose for "if-exceeding" are arbitrary, and these numbers
: would have to be determined on a case-by-case basis. I am curious if the
: logic employed in these statements is correct. Any information would be
: helpful.
:
: Regards
Message Posted at:
http://www.groupstudy.com/form/read.php?f=9&i=594&t=588
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/juniper.html