Thanks Cristian,
Not specifying a source should work, since this rule is supposed to be wider.
I think my question is EX4650-specific. Do you use the EX4650 platform?
Thanks
On 21/03/2023 at 11:38, Cristian Cardoso wrote:
Hi
Here I use "from prefix-list". From what I understand from Juniper, when
"from destination-prefix-list" is inserted it is as if it were an IP on
the internal interface of the network, and not a source IP filter, and
"from prefix-list" is more like source address.
set firewall family inet filter PROTECT_RE term acesso-ospf from prefix-list ACCESS-v4-OSPF
set firewall family inet filter PROTECT_RE term acesso-ospf from protocol ospf
set firewall family inet filter PROTECT_RE term acesso-ospf then accept
On Tue, 21 Mar 2023 at 06:30, Laurent CARON via juniper-nsp <[email protected]> wrote:
Hi,
I'm currently migrating EX4500 to EX4650.
Our loopback filter taken from EX4500 to EX4650 doesn't behave as
expected.
Our lo0 filter looks like:
set interfaces lo0 unit 0 family inet filter input filter-management
set firewall family inet filter filter-management term ALLOW_SSH from source-prefix-list ssh-admin
set firewall family inet filter filter-management term ALLOW_SSH from protocol tcp
set firewall family inet filter filter-management term ALLOW_SSH from destination-port ssh
set firewall family inet filter filter-management term ALLOW_SSH then count filter-management_ALLOW_SSH
set firewall family inet filter filter-management term ALLOW_SSH then accept
set firewall family inet filter filter-management term DROP_SSH from source-address 0.0.0.0/0
set firewall family inet filter filter-management term DROP_SSH from protocol tcp
set firewall family inet filter filter-management term DROP_SSH from destination-port ssh
set firewall family inet filter filter-management term DROP_SSH then count filter-management_DROP_SSH
set firewall family inet filter filter-management term DROP_SSH then discard
set firewall family inet filter filter-management term ALLOW_NTP from source-prefix-list router-self
set firewall family inet filter filter-management term ALLOW_NTP from source-prefix-list ntp-servers
set firewall family inet filter filter-management term ALLOW_NTP from protocol udp
set firewall family inet filter filter-management term ALLOW_NTP from source-port ntp
set firewall family inet filter filter-management term ALLOW_NTP then count filter-management_ALLOW_NTP
set firewall family inet filter filter-management term ALLOW_NTP then accept
...(bunch of allow terms)
set firewall family inet filter filter-management term accept-ospf from protocol ospf
set firewall family inet filter filter-management term accept-ospf then count filter-management-accept-ospf
set firewall family inet filter filter-management term accept-ospf then log
set firewall family inet filter filter-management term accept-ospf then syslog
set firewall family inet filter filter-management term accept-ospf then accept
set firewall family inet filter filter-management term accept-ospf-igmp from destination-prefix-list ospf-routers
set firewall family inet filter filter-management term accept-ospf-igmp from protocol igmp
set firewall family inet filter filter-management term accept-ospf-igmp then count filter-management-accept-ospf-igmp
set firewall family inet filter filter-management term accept-ospf-igmp then accept
If my filter stops here (implicit discard), previously established OSPF
sessions eventually fail.
If the last term is a default accept, OSPF is working fine.
How do you accept OSPF and deny the rest on this platform?
Thanks
_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
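A way to make the "eventually fail" case observable, as an added example that is not part of either poster's configuration: the OSPF term is tightened to the neighbour subnets, and the implicit discard at the end of Laurent's filter-management is replaced by an explicit terminal term that counts, logs and syslogs before discarding. The prefix-list name ospf-neighbors and its two member prefixes are assumptions; substitute the subnets your OSPF neighbours actually sit on.

```junos
set policy-options prefix-list ospf-neighbors 192.0.2.0/24
set policy-options prefix-list ospf-neighbors 198.51.100.0/24
set firewall family inet filter filter-management term accept-ospf from source-prefix-list ospf-neighbors
set firewall family inet filter filter-management term accept-ospf from protocol ospf
set firewall family inet filter filter-management term accept-ospf then count filter-management-accept-ospf
set firewall family inet filter filter-management term accept-ospf then accept
set firewall family inet filter filter-management term deny-rest then count filter-management-deny-rest
set firewall family inet filter filter-management term deny-rest then log
set firewall family inet filter filter-management term deny-rest then syslog
set firewall family inet filter filter-management term deny-rest then discard
```

Terms are evaluated in order and the first match wins, so deny-rest must stay the last term. The OSPF term deliberately matches on protocol and source only: OSPF exchanges database descriptions, link-state requests, updates and acknowledgements as unicast to the interface address, so a term restricted to 224.0.0.5/32 and 224.0.0.6/32 would pass hellos but break adjacency formation. After committing, `show firewall filter filter-management` gives the per-term counters and `show firewall log` shows the most recent packets that reached deny-rest; if the OSPF counter stops incrementing while deny-rest counts OSPF packets, the filter is the culprit, and if neither moves, look elsewhere. This is a visibility aid and a tightening of the OSPF term, not an explanation of the EX4650 behaviour Laurent reports.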