Junos OS

How stop my internet routers returning destionation net unreachables responses

Running a Set of J6350 routers with 10.x code.

I have firewalls rules that allow ping, but not sure I can stop destionation net unreachables with ping one. ??

I might not understand your question correct.  But, if you use 'discard' instead of 'reject' as your firewall rule action, it will prevent the router from sending the ICMP destination unreachable messages, when the packets are dropped by the filter.


http://www.juniper.net/techpubs/en_US/junos10.3/topics/usage-guidelines/policy-configuring-actions-in-firewall-filter-terms.html

Action               Description

discard:             Discard a packet silently, without sending an Internet Control Message Protocol (ICMP) message. Discarded packets are available for logging and sampling.

reject <message-type>: Discard a packet, sending an ICMPv4 or an ICMPv6 destination unreachable message. Rejected packets can be logged or sampled if you configure either the sample or the syslog action modifier. You can specify one of the following message codes: administratively-prohibited (default), bad-host-tos, bad-network-tos, host-prohibited, host-unknown, host-unreachable, network-prohibited, network-unknown, network-unreachable, port-unreachable, precedence-cutoff, precedence-violation, protocol-unreachable, source-host-isolated, source-route-failed, or tcp-reset. If you specify tcp-reset, a Transmission Control Protocol (TCP) reset is returned if the packet is a TCP packet. Otherwise, the default code of administratively-prohibited, which has a value of 13, is returned. Supported for family inet and inet6 only.

Changing the rule from reject to discard did the trick..

Thanks Bowling !!!

Hello,

Just want to get some advices about how firewall filter looks like if I want to NOT sending ICMP unreachable only when destination is unreachable. Beside that condition, ICMP should flow normally. Below config is what I tried and it does not working.

firewall {
    family inet {
        filter test {
            term 1 {
                from {
                    protocol icmp;
                    icmp-type unreachable;
                }
                then {
                    count unreach;
                    log;
                    discard;
                }
            }
            term 1000 {
                then accept;
            }
        }
    }
}

Thanks in advance,

Seyma, If I read you correctly you just want icmp to function as designed so you would simply permit it in the firewall filter.  And perhaps add a rate limit to prevent it from taking too much on the device.