On Wed, 11 Jul 2018 15:06:43 -0400,
Saku Ytti <s...@ytti.fi> wrote:
> 
> I'd say the filters are all kind of broken.
> 
> Just few issues
> 
> a) You can't just limit UDP to 2Mbps on every edge port

It's really a limit of 2 Mbps on each PFE, so ... in some cases that's
2 Mbps on a port, in some cases not. This is a 'problem' because of the
architecture of the MX though, right? Not the filter itself... well... :)

> b) LO filter matches on 'port'

On 'port'... meaning I can't do:
  destination-port ssh
  source-port 1024-65535

Something like that? Or that you wanted to match on:
  port xe-1/0/1.0
 ?

> c) LO filter has wide permit instead of accept 1,2,3,4 drop rest

How do you mean? Doesn't it just permit/deny what you ask in the filter?

> d) hardcore doesn't permit traceroute

traceroute is permitted TO the box with the right config, and THROUGH
the box on the MX without any holes in the loopback filter.

On the EX platform though :( sadness reigns.

> 
> Just a very short review; to me these errors are a monumental
> misunderstanding of security and of the goals of filters. To me starting from
> nothing is superior to starting from those.
> 
> On Wed, 11 Jul 2018 at 21:23, Chris Boyd <cb...@gizmopartners.com> wrote:
> >
> > > On Jul 11, 2018, at 1:17 PM, Drew Weaver <drew.wea...@thenap.com> wrote:
> > >
> > > Is there a list of best practices or 'things to think about' when 
> > > constructing a firewall filter for a loopback on an MX series router 
> > > running version 15 of Junos?
> > >
> > > I'm slowly piecing it together by just 'seeing what is broken next' and I 
> > > have found some issue specific examples on Juniper.net thus far that tend 
> > > to help with some of the issues but if anyone has ever seen a decent 
> > > comprehensive guide that would be tremendously useful.
> > >
> > > If anyone has seen anything like this let me know, if not no worries will 
> > > just keep fixing the things one by one =)
> >
> > Team Cymru has a “JunOS Secure Template” that I found a good place to 
> > start. It quotes version 4 though.  I think that means it’s well tested?
> >
> > http://www.cymru.com/gillsr/documents/junos-template.pdf
> >
> > ―Chris
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp@puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
> 
> -- 
>   ++ytti
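A loopback filter written the way the critique in this thread suggests (explicit accept terms, then discard the rest; destination-port rather than port; UDP traceroute probes to the box policed), as an added example that is not from the thread or from the Cymru template. The prefix list mgmt-hosts and the names protect-re and udp-policer are assumed.

```junos
/* Added example, not from the Cymru template; mgmt-hosts, protect-re
   and udp-policer are assumed names. */
firewall {
    policer udp-policer {
        /* Bounds UDP aimed at the RE; enforced per PFE, as noted above */
        if-exceeding {
            bandwidth-limit 2m;
            burst-size-limit 50k;
        }
        then discard;
    }
    family inet {
        filter protect-re {
            /* Explicit accepts first. 'destination-port' rather than 'port':
               'port' matches either the source or the destination port. */
            term allow-ssh {
                from {
                    source-prefix-list mgmt-hosts;
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term allow-traceroute-to-box {
                /* UDP probes to the classic traceroute port range; the RE
                   answers with ICMP port-unreachable. Policed, not open. */
                from {
                    protocol udp;
                    destination-port 33434-33534;
                }
                then {
                    policer udp-policer;
                    accept;
                }
            }
            term drop-rest {
                /* Nothing not explicitly accepted above reaches the RE */
                then {
                    log;
                    discard;
                }
            }
        }
    }
}
interfaces { lo0 { unit 0 { family inet { filter { input protect-re; } } } } }
```

Traceroute through the box needs no term here on the MX, since TTL-exceeded replies are generated in the forwarding path; routing-protocol and other required terms are added the same way, each with its own source prefix list and destination port.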