Re: setup firewall

From: john heasley (heas@shrubbery.net)
Date: Sun Mar 12 2000 - 15:45:37 EST


On Sun, Mar 12, 2000 at 08:38:54AM -0800, Randy Bush wrote:
> > Now I am working on setting up an M40 as a border router; at the upstream
> > interface, I want to set up a firewall filter. Does anyone have experience
> > in setting up a similar thing? I have configured the same thing on Cisco products,
> > but this is the first time I have used a Juniper router. I hope that you all can
> > share some experience with me.
>
> junipers have more sophisticated policy/filtering tools than ciscos, but
> they take a bit of understanding. hit the docs. but here's a sample
>
> /* Filter routes on accepted boundary to peers. */
> policy-statement peerout-boundary {
>     term drop-bogons {
>         from {
>             /* filter >/24 */
>             route-filter 0/0 upto /24 next policy;
>         }
>         then reject;
>     }
>     then reject;
> }
> /* Filter some bogon routes. */
> policy-statement bogon {
>     term drop-bogons {
>         from {
>             /* Default */
>             route-filter 0/0 exact reject;
>             /* Prefix is 0, any mask. */
>             route-filter 0/8 orlonger reject;
>             /* 0/*
>                May also want to reject ?/[0-6]
>             */

> /* BUG BUG - 0/0 == everything - heas 000205
> route-filter 0/0 through 0.0.0.0/32 reject; */

btw, this bug was fixed.

>             /* Loopback */
>             route-filter 127/8 orlonger reject;
>             /* Private */
>             route-filter 10/8 orlonger reject;
>             route-filter 172.16/12 orlonger reject;
>             route-filter 192.168/16 orlonger reject;
>             /* Link local */
>             route-filter 169.254/16 orlonger reject;
>             /* 1st and last B/C */
>             route-filter 128.0/16 orlonger reject;
>             route-filter 191.255/16 orlonger reject;
>             route-filter 192.0.0/24 orlonger reject;
>             route-filter 223.255.255/24 orlonger reject;
>             /* Test */
>             route-filter 192.0.2/24 orlonger reject;
>             /* Multicast & higher */
>             route-filter 224/3 orlonger reject;
>         }
>         then reject;
>     }
> }
>
> randy



This archive was generated by hypermail 2b29 : Mon Aug 05 2002 - 10:42:41 EDT