[j-nsp] IPv6 firewall
Joseph
jkei@zak.att.ne.jp
Tue, 01 Oct 2002 16:55:02 +0900
You need to allow routing protocols to go through too when
applying FW to lo0.
On Tue, 1 Oct 2002 13:57:10 +0900 (JST)
kura@iij.ad.jp wrote:
kura> Hi everyone,
kura>
kura> I'm testing IPv6 firewall function of JUNOS 5.4R2.4.
kura> I configured a filter as below and applied it to lo0.0
kura> to restrict clients accessible with telnet to the
kura> Juniper box.
kura>
kura> firewall {
kura>     family inet6 {
kura>         filter restrict-clients {
kura>             term 1 {
kura>                 from {
kura>                     source-address {
kura>                         ::/0;
kura>                         3ffe:507:200::/56 except; # example
kura>                     }
kura>                     destination-port telnet;
kura>                 }
kura>                 then {
kura>                     log;
kura>                     reject;
kura>                 }
kura>             }
kura>             term 2 {
kura>                 then {
kura>                     log;
kura>                     accept;
kura>                 }
kura>             }
kura>         }
kura>     }
kura> }
kura>
kura> This filter worked as I expected. But after I applied it
kura> the box no longer forwarded all packets through it.
kura> It forwarded packets correctly when forwarding with 'direct'
kura> routes, but it didn't when forwarding with non-'direct'
kura> routes, for example 'RIPng' routes.
kura>
kura> According to the output of 'show route' the box had learned
kura> routes to destinations. And no 'Reject' entries with regard
kura> to packet un-forwarding appeared in the output of 'show
kura> firewall log'.
kura>
kura> Is my configuration, or my understanding of the function,
kura> wrong? Would you please give me any suggestions if you have any?
kura>
kura> Best regards,
kura> --
kura> Tomohiko Kurahashi <kura@iij.ad.jp>
kura> Network Engineering Division, Technology Department
kura> Internet Initiative Japan Inc.
kura> _______________________________________________
kura> juniper-nsp mailing list juniper-nsp@puck.nether.net
kura> http://puck.nether.net/mailman/listinfo/juniper-nsp
kura>
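One way to apply Joseph's advice to the posted filter, as an added illustration that is not the poster's or Juniper's own configuration: explicit accept terms for the routing protocol and for ICMPv6 sit ahead of the telnet restriction, so a later tightening of the catch-all term cannot cut the router off from its neighbors, and the telnet term is qualified with next-header tcp. It assumes RIPng on UDP port 521 and reuses the 3ffe:507:200::/56 example prefix from the post.

```junos
firewall {
    family inet6 {
        filter restrict-clients {
            /* Assumption: RIPng runs over UDP to port 521. Accept it
               explicitly before any restrictive term so route learning
               does not depend on the final catch-all staying permissive. */
            term allow-ripng {
                from {
                    next-header udp;
                    destination-port 521;
                }
                then accept;
            }
            /* Neighbor discovery and path MTU discovery need ICMPv6 to reach lo0. */
            term allow-icmp6 {
                from {
                    next-header icmp6;
                }
                then accept;
            }
            /* Same intent as the poster's term 1; next-header tcp keeps the
               port match from being applied to anything but TCP segments. */
            term restrict-telnet {
                from {
                    source-address {
                        ::/0;
                        3ffe:507:200::/56 except;  # example prefix from the post
                    }
                    next-header tcp;
                    destination-port telnet;
                }
                then {
                    log;
                    reject;
                }
            }
            /* Unchanged from the post: everything else is logged and accepted. */
            term everything-else {
                then {
                    log;
                    accept;
                }
            }
        }
    }
}
```

The filter is still applied as an input filter under lo0 unit 0 family inet6, exactly as in the post; checking 'show firewall log' after the change shows whether the RIPng and ICMPv6 terms are the ones being hit.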