[j-nsp] IPv6 firewall

kura@iij.ad.jp kura@iij.ad.jp
Wed, 2 Oct 2002 02:11:18 +0900 (JST)


From: jkei@zak.att.ne.jp
Date: Tue Oct 01 2002 14:30:15 JST
>
> You need to allow routing protocols to go through too when 
> applying FW to lo0. 

I have already done it. No routing protocols are restricted by
my filter. All packets, except some of telnet, should be accepted
in 'term 2'. And routers in my test network correctly exchange
route information with each other via RIPng.

Best regards,
-- 
Tomohiko Kurahashi <kura@iij.ad.jp>
Network Engineering Division, Technology Department
Internet Initiative Japan Inc.
  

> On Tue, 1 Oct 2002 13:57:10 +0900 (JST)
> kura@iij.ad.jp wrote:
> 
> kura> Hi everyone,
> kura> 
> kura> I'm testing IPv6 firewall function of JUNOS 5.4R2.4.
> kura> I configured a filter as below and applied it to lo0.0
> kura> to restrict clients accessible with telnet to the
> kura> Juniper box.
> kura> 
> kura> firewall {
> kura>     family inet6 {
> kura>         filter restrict-clients {
> kura>             term 1 {
> kura>                 from {
> kura>                     source-address {
> kura>                         ::/0;
> kura>                         3ffe:507:200::/56 except;  # example
> kura>                     }
> kura>                     destination-port telnet;
> kura>                 }
> kura>                 then {
> kura>                     log;
> kura>                     reject;
> kura>                 }
> kura>             }
> kura>             term 2 {
> kura>                 then {
> kura>                     log;
> kura>                     accept;
> kura>                 }
> kura>             }
> kura>         }
> kura>     }
> kura> }
> kura> 
> kura> This filter worked as I expected. But after I applied it,
> kura> the box no longer forwarded all packets through it.
> kura> It forwarded packets correctly when forwarding with 'direct'
> kura> routes, but it didn't when forwarding with non-'direct'
> kura> routes, for example 'RIPng' routes.
> kura> 
> kura> According to the output of 'show route', the box had learned
> kura> routes to the destinations. And no 'Reject' entries with regard
> kura> to the packets not being forwarded appeared in the output of 'show
> kura> firewall log'.
> kura> 
> kura> Is my configuration, or my understanding of the function,
> kura> wrong? Would you please give me any suggestion if you have one?
> kura> 
> kura> Best regards,
> kura> -- 
> kura> Tomohiko Kurahashi <kura@iij.ad.jp>
> kura> Network Engineering Division, Technology Department
> kura> Internet Initiative Japan Inc.
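As an added illustration, not part of the thread and not Juniper's code, the following Python model walks constructed IPv6 packets through the two terms of the quoted `restrict-clients` filter. It assumes the documented JunOS address-matching semantics (the longest matching prefix decides, and an `except` prefix as the longest match means "no match") and the implicit discard that applies when no term matches; the `Packet` type, `evaluate()` and the sample addresses are constructed for the example. It models only the filter's own term logic, not the transit-forwarding problem the poster is asking about.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

TELNET_PORT = 23  # JunOS resolves the port name "telnet" to 23

@dataclass(frozen=True)
class Packet:
    """Minimal constructed packet: only the fields the filter looks at."""
    source: str
    destination: str
    protocol: str                 # "tcp", "udp", "icmp6", ...
    dst_port: Optional[int] = None

# term 1 source-address list exactly as written in the quoted filter:
# (prefix, is_except). 3ffe:507:200::/56 is the poster's example prefix.
TERM1_SOURCES = [
    (ipaddress.ip_network("::/0"), False),
    (ipaddress.ip_network("3ffe:507:200::/56"), True),
]

def source_matches(addr: str, prefixes: List[Tuple[ipaddress.IPv6Network, bool]]) -> bool:
    """Assumed JunOS semantics: the longest prefix containing the address
    decides the outcome; if that prefix carries 'except', the address does
    NOT match the condition."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, is_except in prefixes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, is_except)
    return best is not None and not best[1]

def evaluate(pkt: Packet, include_term2: bool = True) -> Tuple[str, str]:
    """Evaluate the filter terms in order and return (term, action).

    include_term2=False shows what happens if the catch-all accept term is
    removed: JunOS filters end in an implicit discard, which is why the
    poster's term 2 is what lets RIPng and everything else through."""
    # term 1: from { source-address {::/0; <prefix> except;} destination-port telnet }
    #         then { log; reject; }
    if source_matches(pkt.source, TERM1_SOURCES) and pkt.dst_port == TELNET_PORT:
        return ("term 1", "reject")
    # term 2: no match conditions, so it catches everything left over
    if include_term2:
        return ("term 2", "accept")
    return ("implicit", "discard")

def run_samples() -> List[Tuple[str, str, str]]:
    """Run a few constructed packets and return (description, term, action)."""
    samples = [
        ("telnet from allowed client",   Packet("3ffe:507:200:1::10", "3ffe:507:200::1", "tcp", TELNET_PORT)),
        ("telnet from outside prefix",   Packet("3ffe:507:300::1",    "3ffe:507:200::1", "tcp", TELNET_PORT)),
        ("RIPng update (UDP 521)",       Packet("fe80::1",            "ff02::9",         "udp", 521)),
        ("ICMPv6 neighbor solicitation", Packet("fe80::2",            "ff02::1:ff00:1",  "icmp6")),
    ]
    return [(desc, *evaluate(pkt)) for desc, pkt in samples]

if __name__ == "__main__":
    for desc, term, action in run_samples():
        print(f"{desc:32s} -> {term:8s} {action}")
```

Running it prints one line per sample; the telnet attempt from inside the `except` prefix falls through to term 2 and is accepted, the one from outside it is rejected by term 1, and the RIPng and ICMPv6 packets never match term 1 and are accepted by term 2, which is consistent with the poster's statement that routing protocols are not restricted.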