RE: [j-nsp] Firewall source-port

From: Stephen Gill (gillsr@yahoo.com)
Date: Thu Mar 28 2002 - 18:20:12 EST


Firewall filters are not stateful, therefore the direction you apply
them on the interface matters. For outbound filters, you would allow
destination-port 23. For inbound applied filters you would need
source-port of 23. For eitherbound you would need a combination of
both.

See the router-protect filter on page 15:
http://www.qorbit.net/documents/junos-template.pdf

It gets applied 'inbound' on lo0, page 7.

-- steve
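A worked pair of filters for the case discussed above, the router acting as the telnet client, written as an added example rather than code from the reply or from the linked template. Filter and term names, the trailing discard terms and the lo0 placement are assumptions for illustration; the inbound term adds tcp-established, which the original question set aside, because a stateless source-port 23 match on its own also admits any new connection whose sender simply chose source port 23.

```junos
firewall {
    family inet {
        /* Applied as OUTPUT on lo0: packets the router itself originates.
           The router is the telnet client, so the remote end is port 23. */
        filter telnet-client-out {
            term telnet-to-remote {
                from {
                    protocol tcp;
                    destination-port 23;
                }
                then accept;
            }
            /* Illustrative only: a real router-protect filter carries
               many more terms (SSH, BGP, SNMP, ...) before this. */
            term deny-rest {
                then discard;
            }
        }
        /* Applied as INPUT on lo0: packets addressed to the router itself.
           Replies to the router's telnet sessions arrive from source port 23.
           tcp-established (ACK or RST set) stops a bare SYN that merely
           uses source port 23 from matching this term. */
        filter telnet-client-in {
            term telnet-replies {
                from {
                    protocol tcp;
                    source-port 23;
                    tcp-established;
                }
                then accept;
            }
            term deny-rest {
                then discard;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input telnet-client-in;
                    output telnet-client-out;
                }
            }
        }
    }
}
```

If the router were instead the telnet server, the two match conditions swap: the input filter would match destination-port 23 and the output filter source-port 23.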

-----Original Message-----
From: J K [mailto:jdilbert@hotmail.com]
Sent: Thursday, March 28, 2002 1:48 PM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] Firewall source-port

If we want to allow only the telnet out from a Juniper router,
do we configure

1)"from source-port 23 then accept" or
2)"from destination-port 23 then accept"?

Let's ignore tcp-established and "from protocol" and other
matching conditions here. In this case the router is acting
as a telnet client and should choose a port greater than
1023 (or do they not) and thus choice 2 seems right to me
but most online docs say it's 1. Correct me if I am wrong.
Thanks.

Regards,
confused





This archive was generated by hypermail 2b29 : Mon Aug 05 2002 - 10:42:40 EDT