[j-nsp] broken ACL?

Wayne E. Bouchard web at typo.org
Tue Dec 30 14:08:41 EST 2003


So I'm wondering if anyone is aware of ACL problems in 5.6R2.4

I have a filter containing the following:

term accept-icmp {
    from {
        icmp-type [ unreachable timestamp-reply echo-reply info-reply mask-reply time-exceeded ];
    }
    then accept;
}
term reject-all {
    then {
        count reject-all;
        reject;
    }
}

And yet when I ping, I get:

ping 10.12.20.15
PING 10.12.20.15 (10.12.20.15): 56 data bytes
36 bytes from ge-0-1-2-25.corenet (10.12.35.4): Communication prohibited by filter
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 7316   0 0000  3f  01 5324 10.12.35.6  10.12.20.15 

64 bytes from 10.12.20.15: icmp_seq=1 ttl=62 time=0.686 ms
36 bytes from ge-0-1-2-25.corenet (10.12.35.4): Communication prohibited by filter
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 ee1d   0 0000  3f  01 d81c 10.12.35.6  10.12.20.15 

36 bytes from ge-0-1-2-25.corenet (10.12.35.4): Communication prohibited by filter
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 db01   0 0000  3f  01 eb38 10.12.35.6  10.12.20.15 

64 bytes from 10.12.20.15: icmp_seq=4 ttl=62 time=0.554 ms
64 bytes from 10.12.20.15: icmp_seq=5 ttl=62 time=0.933 ms
64 bytes from 10.12.20.15: icmp_seq=6 ttl=62 time=0.603 ms
64 bytes from 10.12.20.15: icmp_seq=7 ttl=62 time=0.673 ms
36 bytes from ge-0-1-2-25.corenet (10.12.35.4): Communication prohibited by filter
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 162f   0 0000  3f  01 b00b 10.12.35.6  10.12.20.15 

36 bytes from ge-0-1-2-25.corenet (10.12.35.4): Communication prohibited by filter
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 2355   0 0000  3f  01 a2e5 10.12.35.6  10.12.20.15 


Some packets get rejected, some get through? What the heck? Am I
missing something terribly obvious?

-Wayne
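A way to check what this filter does to each ICMP type, as an added example in Python (not code from the post or from Juniper): it parses the two terms quoted above and applies first-match semantics, so you can see which types land in accept-icmp and which fall through to reject-all. It assumes standard IANA ICMP type numbers and the usual Junos rule that a term with no from block matches every packet.

```python
import re
# The two-term filter quoted in the post, reproduced verbatim.
FILTER_TEXT = """
term accept-icmp {
    from {
        icmp-type [ unreachable timestamp-reply echo-reply info-reply mask-reply time-exceeded ];
    }
    then accept;
}
term reject-all {
    then {
        count reject-all;
        reject;
    }
}
"""
# IANA ICMP type numbers for the names Junos accepts in icmp-type matches.
ICMP_TYPES = {
    "echo-reply": 0, "unreachable": 3, "echo-request": 8, "time-exceeded": 11,
    "timestamp": 13, "timestamp-reply": 14, "info-request": 15, "info-reply": 16,
    "mask-request": 17, "mask-reply": 18,
}
TERM_RE = re.compile(r"term\s+(\S+)\s*\{(.*?)\n\}", re.S)

def parse_filter(text):
    """Return [(name, icmp types matched or None for 'match everything', action, counter)]."""
    terms = []
    for name, body in TERM_RE.findall(text):
        m = re.search(r"icmp-type\s+\[([^\]]*)\]", body)
        types = {ICMP_TYPES[t] for t in m.group(1).split()} if m else None
        action = "reject" if re.search(r"\breject;", body) else "accept"
        cm = re.search(r"count\s+(\S+);", body)
        terms.append((name, types, action, cm.group(1) if cm else None))
    return terms

def evaluate(terms, icmp_type, counters=None):
    """First-match semantics: return (term name, action) for one ICMP packet."""
    for name, types, action, counter in terms:
        if types is None or icmp_type in types:
            if counters is not None and counter:
                counters[counter] = counters.get(counter, 0) + 1  # 'count reject-all'
            return name, action
    return None, "discard"                  # Junos implicit default: no term matched

if __name__ == "__main__":
    terms, counters = parse_filter(FILTER_TEXT), {}
    for pkt in ("echo-request", "echo-reply", "unreachable", "timestamp"):
        print(f"{pkt:14} -> {evaluate(terms, ICMP_TYPES[pkt], counters)}")
    print(counters)   # {'reject-all': 2}
```

Note that echo-request (the type an outbound ping sends) is not in the accept list, so a request that traverses this filter reaches reject-all and is counted there.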

