No, I use MX's and QFX's and EX these days.

On Tue, 21 Mar 2023 at 08:05, Laurent CARON <[email protected]> wrote:

> Thanks Cristian,
>
> Not specifying source should work since this rule is supposed to be wider.
>
> I think my question is EX4650 specific. Do you use the EX4650 platform?
>
> Thanks
>
> On 21/03/2023 at 11:38, Cristian Cardoso wrote:
>> Hi
>>
>> Here I use "from prefix-list". From what I understand from Juniper, when
>> "from destination-prefix-list" is inserted it is as if it were an IP on
>> the internal interface of the network and not a source IP filter, and
>> "from prefix-list" is more like source address.
>>
>> set firewall family inet filter PROTECT_RE term acesso-ospf from prefix-list ACCESS-v4-OSPF
>> set firewall family inet filter PROTECT_RE term acesso-ospf from protocol ospf
>> set firewall family inet filter PROTECT_RE term acesso-ospf then accept
>>
>> On Tue, 21 Mar 2023 at 06:30, Laurent CARON via juniper-nsp <[email protected]> wrote:
>>> Hi,
>>>
>>> I'm currently migrating EX4500 to EX4650.
>>>
>>> Our loopback filter taken from EX4500 to EX4650 doesn't behave as expected.
>>>
>>> Our lo0 filter looks like:
>>>
>>> set interfaces lo0 unit 0 family inet filter input filter-management
>>> set firewall family inet filter filter-management term ALLOW_SSH from source-prefix-list ssh-admin
>>> set firewall family inet filter filter-management term ALLOW_SSH from protocol tcp
>>> set firewall family inet filter filter-management term ALLOW_SSH from destination-port ssh
>>> set firewall family inet filter filter-management term ALLOW_SSH then count filter-management_ALLOW_SSH
>>> set firewall family inet filter filter-management term ALLOW_SSH then accept
>>> set firewall family inet filter filter-management term DROP_SSH from source-address 0.0.0.0/0
>>> set firewall family inet filter filter-management term DROP_SSH from protocol tcp
>>> set firewall family inet filter filter-management term DROP_SSH from destination-port ssh
>>> set firewall family inet filter filter-management term DROP_SSH then count filter-management_DROP_SSH
>>> set firewall family inet filter filter-management term DROP_SSH then discard
>>> set firewall family inet filter filter-management term ALLOW_NTP from source-prefix-list router-self
>>> set firewall family inet filter filter-management term ALLOW_NTP from source-prefix-list ntp-servers
>>> set firewall family inet filter filter-management term ALLOW_NTP from protocol udp
>>> set firewall family inet filter filter-management term ALLOW_NTP from source-port ntp
>>> set firewall family inet filter filter-management term ALLOW_NTP then count filter-management_ALLOW_NTP
>>> set firewall family inet filter filter-management term ALLOW_NTP then accept
>>> ...(bunch of allow terms)
>>> set firewall family inet filter filter-management term accept-ospf from protocol ospf
>>> set firewall family inet filter filter-management term accept-ospf then count filter-management-accept-ospf
>>> set firewall family inet filter filter-management term accept-ospf then log
>>> set firewall family inet filter filter-management term accept-ospf then syslog
>>> set firewall family inet filter filter-management term accept-ospf then accept
>>> set firewall family inet filter filter-management term accept-ospf-igmp from destination-prefix-list ospf-routers
>>> set firewall family inet filter filter-management term accept-ospf-igmp from protocol igmp
>>> set firewall family inet filter filter-management term accept-ospf-igmp then count filter-management-accept-ospf-igmp
>>> set firewall family inet filter filter-management term accept-ospf-igmp then accept
>>>
>>> If my filter stops here (implicit discard), OSPF sessions previously established eventually fail.
>>>
>>> If the last term is a default accept, OSPF is working fine.
>>>
>>> How do you guys accept OSPF and deny the rest on this platform?
>>>
>>> Thanks
>>> _______________________________________________
>>> juniper-nsp mailing list [email protected]
>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
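The following is an added example, not configuration posted by either participant in this thread. It shows one way to write the OSPF terms of a lo0 filter so that OSPF is accepted only from known neighbor addresses and only towards the router's own addresses and the two OSPF multicast groups from RFC 2328 (224.0.0.5 AllSPFRouters for hellos, 224.0.0.6 AllDRouters for DR/BDR traffic; database description, LS request/update/ack can be unicast to the receiving interface address). It also closes the filter with an explicit final discard term that counts, logs and syslogs, so that whatever the implicit discard would silently drop becomes visible. Per Junos documentation, `source-prefix-list` matches only the source address, `destination-prefix-list` only the destination address, and `prefix-list` matches either; several prefix-lists under one match condition are ORed, as in the ALLOW_NTP term above. The prefix-list names `ospf-neighbors` and `ospf-multicast`, the neighbor subnets, and the `apply-path` definition of `router-self` are assumptions for illustration.

```junos
## Added example, not the configuration from this thread.
## Prefix-list names, subnets and the apply-path expression are assumptions.

## Addresses allowed to talk OSPF to this box (assumed neighbor subnets).
set policy-options prefix-list ospf-neighbors 192.0.2.0/24
set policy-options prefix-list ospf-neighbors 198.51.100.0/24

## The router's own inet interface addresses, collected automatically
## (assumed definition of the router-self list used elsewhere in the filter).
set policy-options prefix-list router-self apply-path "interfaces <*> unit <*> family inet address <*>"

## OSPF multicast groups from RFC 2328.
set policy-options prefix-list ospf-multicast 224.0.0.5/32
set policy-options prefix-list ospf-multicast 224.0.0.6/32

## OSPF term: source AND destination constrained; the two destination
## prefix-lists are ORed (own addresses or the OSPF multicast groups).
set firewall family inet filter filter-management term accept-ospf from source-prefix-list ospf-neighbors
set firewall family inet filter filter-management term accept-ospf from destination-prefix-list router-self
set firewall family inet filter filter-management term accept-ospf from destination-prefix-list ospf-multicast
set firewall family inet filter filter-management term accept-ospf from protocol ospf
set firewall family inet filter filter-management term accept-ospf then count filter-management-accept-ospf
set firewall family inet filter filter-management term accept-ospf then accept

## Explicit final term instead of relying on the implicit discard:
## everything that reaches it is counted and logged before being dropped,
## so an unexpected OSPF (or other) drop shows up instead of failing silently.
set firewall family inet filter filter-management term deny-rest then count filter-management-deny-rest
set firewall family inet filter filter-management term deny-rest then log
set firewall family inet filter filter-management term deny-rest then syslog
set firewall family inet filter filter-management term deny-rest then discard
```

With the explicit last term in place, `show firewall filter filter-management` shows whether the `filter-management-deny-rest` counter is incrementing while OSPF adjacencies are up, and `show firewall log` shows the source, destination and protocol of the packets that hit it, which is the information needed to tell an OSPF packet that missed the accept term apart from unrelated traffic. Because a filter ending in discard can lock you out of a remote box, apply it with `commit confirmed` and confirm only once the counters and the adjacencies look right.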

