[j-nsp] broken ACL?
Wayne E. Bouchard
web at typo.org
Tue Dec 30 14:08:41 EST 2003
So I'm wondering if anyone is aware of ACL problems in 5.6R2.4.
I have a filter containing the following:
term accept-icmp {
    from {
        icmp-type [ unreachable timestamp-reply echo-reply info-reply mask-reply time-exceeded ];
    }
    then accept;
}
term reject-all {
    then {
        count reject-all;
        reject;
    }
}
And yet when I ping, I get:
ping 10.12.20.15
PING 10.12.20.15 (10.12.20.15): 56 data bytes
36 bytes from ge-0-1-2-25.corenet (10.12.35.4): Communication prohibited by filter
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 5400 7316 0 0000 3f 01 5324 10.12.35.6 10.12.20.15
64 bytes from 10.12.20.15: icmp_seq=1 ttl=62 time=0.686 ms
36 bytes from ge-0-1-2-25.corenet (10.12.35.4): Communication prohibited by filter
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 5400 ee1d 0 0000 3f 01 d81c 10.12.35.6 10.12.20.15
36 bytes from ge-0-1-2-25.corenet (10.12.35.4): Communication prohibited by filter
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 5400 db01 0 0000 3f 01 eb38 10.12.35.6 10.12.20.15
64 bytes from 10.12.20.15: icmp_seq=4 ttl=62 time=0.554 ms
64 bytes from 10.12.20.15: icmp_seq=5 ttl=62 time=0.933 ms
64 bytes from 10.12.20.15: icmp_seq=6 ttl=62 time=0.603 ms
64 bytes from 10.12.20.15: icmp_seq=7 ttl=62 time=0.673 ms
36 bytes from ge-0-1-2-25.corenet (10.12.35.4): Communication prohibited by filter
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 5400 162f 0 0000 3f 01 b00b 10.12.35.6 10.12.20.15
36 bytes from ge-0-1-2-25.corenet (10.12.35.4): Communication prohibited by filter
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 5400 2355 0 0000 3f 01 a2e5 10.12.35.6 10.12.20.15
Some packets get rejected, some get through? What the heck? Am I
missing something terribly obvious?
-Wayne
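The check I would do first with output like this is to decode the IP header that ping prints under each "Communication prohibited by filter" line, because that header belongs to the packet the filter dropped, not to the reply. The following is an added example, not Wayne's code or anything from Juniper: it models the quoted filter with Junos first-match term semantics (assuming the usual implicit discard when no term matches) and decodes the "Vr HL TOS Len ..." rows from the ping output quoted above. It assumes the poster's BSD-style ping printed the 16-bit Len and ID fields in little-endian host order, which is why "5400" decodes to 0x0054 = 84 bytes (20 IP + 8 ICMP + 56 data); that is an assumption about the ping binary, not something the post states. Decoded, every rejected row is protocol 1 from 10.12.35.6 to 10.12.20.15, i.e. in the direction of the echo requests, and the modelled filter rejects ICMP type 8 because the accept-icmp term lists only reply-side types; the example leaves open where in the path that filter is applied.

```python
"""Added example (not the original poster's code): a first-match model of the
Junos-style filter quoted in the post, plus a decoder for the IP header that
BSD ping prints after an ICMP 'Communication prohibited by filter' message,
so the rejected packets can be identified."""

from dataclasses import dataclass
from typing import Optional

# IANA ICMP type numbers for the Junos icmp-type keywords used in the filter.
ICMP_TYPE = {
    "echo-reply": 0, "unreachable": 3, "echo-request": 8,
    "time-exceeded": 11, "timestamp-reply": 14,
    "info-reply": 16, "mask-reply": 18,
}
PROTO_ICMP = 1


@dataclass(frozen=True)
class Term:
    name: str
    action: str                               # "accept" or "reject"
    icmp_types: Optional[frozenset] = None    # None: term has no 'from' clause
    counter: Optional[str] = None             # 'count <name>' in the then clause


# The two terms from the post, in order.
FILTER = (
    Term("accept-icmp", "accept", frozenset(
        ICMP_TYPE[k] for k in ("unreachable", "timestamp-reply", "echo-reply",
                               "info-reply", "mask-reply", "time-exceeded"))),
    Term("reject-all", "reject", counter="reject-all"),
)


def evaluate(terms, proto, icmp_type, counters):
    """Walk the terms in order; the first whose 'from' clause matches decides.
    Returns (term name, action). With no matching term the packet is
    discarded (assumed Junos default)."""
    for term in terms:
        if term.icmp_types is not None and (
                proto != PROTO_ICMP or icmp_type not in term.icmp_types):
            continue
        if term.counter:
            counters[term.counter] = counters.get(term.counter, 0) + 1
        return term.name, term.action
    return None, "discard"


def parse_ping_header(line, host_order=True):
    """Decode one 'Vr HL TOS Len ID Flg off TTL Pro cks Src Dst' data row.
    host_order=True assumes BSD ping printed the 16-bit Len/ID fields in
    little-endian host order (so '5400' is 0x0054 = 84 bytes); this is an
    assumption about the poster's ping binary, not stated in the post."""
    f = line.split()
    if len(f) != 12:
        raise ValueError(f"expected 12 fields, got {len(f)}: {line!r}")

    def u16(h):
        v = int(h, 16)
        return ((v & 0xFF) << 8) | (v >> 8) if host_order else v

    return {
        "version": int(f[0], 16), "header_len": int(f[1], 16) * 4,
        "tos": int(f[2], 16), "total_len": u16(f[3]), "id": u16(f[4]),
        "flags": int(f[5], 16), "frag_off": int(f[6], 16),
        "ttl": int(f[7], 16), "proto": int(f[8], 16),
        "checksum": int(f[9], 16), "src": f[10], "dst": f[11],
    }


def summarize_ping(output):
    """Separate echo replies from filter rejections; decode each rejected header."""
    lines = output.strip().splitlines()
    replies, rejected = 0, []
    for i, line in enumerate(lines):
        if " bytes from " in line and "icmp_seq=" in line:
            replies += 1
        elif line.startswith("Vr HL TOS") and i + 1 < len(lines):
            rejected.append(parse_ping_header(lines[i + 1]))
    return {"replies": replies, "rejected": rejected}


# Excerpt of the ping output quoted in the post.
PING_OUTPUT = """\
PING 10.12.20.15 (10.12.20.15): 56 data bytes
36 bytes from ge-0-1-2-25.corenet (10.12.35.4): Communication prohibited by filter
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 5400 7316 0 0000 3f 01 5324 10.12.35.6 10.12.20.15
64 bytes from 10.12.20.15: icmp_seq=1 ttl=62 time=0.686 ms
36 bytes from ge-0-1-2-25.corenet (10.12.35.4): Communication prohibited by filter
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 5400 ee1d 0 0000 3f 01 d81c 10.12.35.6 10.12.20.15
64 bytes from 10.12.20.15: icmp_seq=4 ttl=62 time=0.554 ms
"""

if __name__ == "__main__":
    counters = {}
    for name, t in (("echo-reply", 0), ("echo-request", 8)):
        print(name, evaluate(FILTER, PROTO_ICMP, t, counters))
    summary = summarize_ping(PING_OUTPUT)
    print(summary["replies"], "replies,", len(summary["rejected"]), "rejected")
    for h in summary["rejected"]:
        print(f"  dropped proto {h['proto']} {h['src']} -> {h['dst']} "
              f"ttl {h['ttl']} len {h['total_len']}")
```

Run it against a full ping capture to confirm that the rejected rows are all in one direction and to compare the decoded TTL (0x3f = 63 here, one hop out from a 64 start) against the hop count to the router that sent the rejection; the same `evaluate` function can be fed any other term list to confirm which term a given ICMP type lands on before touching the live filter.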