[j-nsp] ipv6 firewall filters
Pekka Savola
pekkas at netcore.fi
Mon Dec 30 11:36:29 EST 2002
On Mon, 30 Dec 2002, Harshit Kumar wrote:
> I think this is the closest you can get.
> ..unless someone wants to differ here ....
>
> family inet6 {
>     filter test {
>         term 1 {
>             from {
>                 next-header tcp;
>             }
>             then accept;
>         }
>     }
> }
FWIW, IMO, that's completely unacceptable from the packet filtering
point-of-view. Checking for TCP flags is a must; it's no different
compared to IPv4.
> -----Original Message-----
> From: ProServe - Peter Batenburg [mailto:peter@proserve.nl]
> Sent: Sunday, December 29, 2002 6:44 AM
> To: juniper-nsp@puck.nether.net
> Subject: [j-nsp] ipv6 firewall filters
>
>
> Hi,
>
> I'm trying to replicate my ipv4 filter to an ipv6 filter. Hopefully
> someone could help me with this part:
>
> IPv4:
> term 0 {
>     from {
>         protocol tcp;
>         tcp-established;
>     }
>     then accept;
> }
>
> Somehow, tcp-established isn't available in IPv6 filters:
> # set firewall family inet6 filter router-prot-ipv6 term 1 from
> tcp-established
>
> ^
> syntax error.
>
> I know that protocol tcp is next-header tcp under IPv6.
>
>
--
Pekka Savola "Tell me of difficulties surmounted,
Netcore Oy not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords
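
The difference between the two terms discussed in this thread, as an added example that is not part of the original messages: it builds constructed IPv6/TCP packets and compares a match on "next-header tcp" alone with a match that also requires ACK or RST, which is what Junos documents tcp-established to mean. The function names, addresses and ports are assumptions made for the illustration.

```python
import struct

TCP = 6                              # IPv6 Next Header value for TCP
SYN, RST, ACK = 0x02, 0x04, 0x10     # TCP flag bits

def ipv6_tcp(flags, sport=40000, dport=22):
    """Constructed sample: 40-byte IPv6 header followed by a 20-byte TCP header."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
    src = bytes.fromhex("20010db8000000000000000000000001")  # 2001:db8::1 (documentation prefix)
    dst = bytes.fromhex("20010db8000000000000000000000002")  # 2001:db8::2
    return struct.pack("!IHBB", 6 << 28, len(tcp), TCP, 64) + src + dst + tcp

def next_header_tcp(pkt):
    """What 'from { next-header tcp; }' looks at: byte 6 of the fixed IPv6 header.
    Extension headers are not walked here; this sketch only covers TCP directly
    after the fixed header."""
    return len(pkt) >= 40 and pkt[0] >> 4 == 6 and pkt[6] == TCP

def tcp_established(pkt):
    """Intent of the IPv4 term: TCP segment with ACK or RST set."""
    if not next_header_tcp(pkt) or len(pkt) < 40 + 14:
        return False
    return bool(pkt[40 + 13] & (ACK | RST))   # flags are byte 13 of the TCP header

def compare():
    """Return {label: (accepted by next-header only, accepted by established check)}."""
    samples = {"SYN": SYN, "SYN+ACK": SYN | ACK, "ACK": ACK, "RST": RST}
    return {name: (next_header_tcp(ipv6_tcp(f)), tcp_established(ipv6_tcp(f)))
            for name, f in samples.items()}

if __name__ == "__main__":
    for name, (nh_only, est) in compare().items():
        print(f"{name:8} next-header tcp: {nh_only!s:5}  with ACK/RST check: {est}")
```

The bare SYN row is the one that matters: the next-header-only term accepts a new inbound connection attempt, while the flag check does not.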