[j-nsp] IPv6 firewall

Pekka Savola pekkas@netcore.fi
Tue, 1 Oct 2002 11:18:40 +0300 (EEST)


On Tue, 1 Oct 2002, Joseph wrote:
> You need to allow routing protocols to go through too when 
> applying FW to lo0. 

Routing protocols rarely use port 'telnet', so IMO there appears to be a 
problem there..

> 
> On Tue, 1 Oct 2002 13:57:10 +0900 (JST)
> kura@iij.ad.jp wrote:
> 
> kura> Hi everyone,
> kura> 
> kura> I'm testing IPv6 firewall function of JUNOS 5.4R2.4.
> kura> I configured a filter as below and applied it to lo0.0
> kura> to restrict clients accessible with telnet to the
> kura> Juniper box.
> kura> 
> kura> firewall {
> kura>     family inet6 {
> kura>         filter restrict-clients {
> kura>             term 1 {
> kura>                 from {
> kura>                     source-address {
> kura>                         ::/0;
> kura>                         3ffe:507:200::/56 except;  # example
> kura>                     }
> kura>                     destination-port telnet;
> kura>                 }
> kura>                 then {
> kura>                     log;
> kura>                     reject;
> kura>                 }
> kura>             }
> kura>             term 2 {
> kura>                 then {
> kura>                     log;
> kura>                     accept;
> kura>                 }
> kura>             }
> kura>         }
> kura>     }
> kura> }
> kura> 
> kura> This filter worked as I expected. But after I applied it
> kura> the box no longer forwarded all packets through it.
> kura> It forwarded packets correctly when forwarding with 'direct'
> kura> routes, but it didn't when forwarding with non-'direct'
> kura> routes, for example 'RIPng' routes.
> kura> 
> kura> According to the output of 'show route' the box had learned
> kura> routes to destinations. And no 'Reject' entries with regard
> kura> to packet un-forwarding appeared in the output of 'show
> kura> firewall log'.
> kura> 
> kura> Is my configuration, or my understanding about the function
> kura> wrong? Would you please give me any suggestions if you have any?
> kura> 
> kura> Best regards,
> kura> -- 
> kura> Tomohiko Kurahashi <kura@iij.ad.jp>
> kura> Network Engineering Division, Technology Department
> kura> Internet Initiative Japan Inc.
> kura> _______________________________________________
> kura> juniper-nsp mailing list juniper-nsp@puck.nether.net
> kura> http://puck.nether.net/mailman/listinfo/juniper-nsp
> kura> 

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
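As an added example (not the configuration of any poster in this thread), here is the ordering Joseph's reply recommends for a loopback filter: terms that accept RIPng (UDP port 521, per RFC 2080) and ICMPv6 (neighbor discovery and error messages) are placed before the telnet restriction, so control-plane traffic the router depends on is never caught by a later, tighter term. The filter name and the 3ffe:507:200::/56 prefix are reused from kura's message; the term names and the interface stanza applying the filter to lo0.0 are assumptions.

```junos
firewall {
    family inet6 {
        filter restrict-clients {
            /* Added example, not the original poster's filter. */
            term allow-ripng {
                from {
                    next-header udp;
                    destination-port 521;          /* RIPng, RFC 2080 */
                }
                then accept;
            }
            term allow-icmp6 {
                from {
                    next-header icmp6;             /* neighbor discovery, errors */
                }
                then accept;
            }
            term restrict-telnet {
                from {
                    source-address {
                        ::/0;
                        3ffe:507:200::/56 except;  /* example prefix from the thread */
                    }
                    next-header tcp;
                    destination-port telnet;
                }
                then {
                    log;
                    reject;
                }
            }
            term default-accept {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet6 {
                filter {
                    input restrict-clients;         /* assumed: filter applied to lo0.0 */
                }
            }
        }
    }
}
```

Because kura's filter already ends in an accepting term, routing-protocol traffic passes it as it stands; the explicit accept terms make that intent visible and keep routing working if the final term is later changed to a reject. This ordering does not by itself explain the forwarding symptom reported in the thread, which Pekka's reply questions.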