[j-nsp] Port list?
Eli Dart
dart at nersc.gov
Wed Oct 6 14:23:58 EDT 2004
In reply to "Eric Van Tol" <eric at atlantech.net> :
> This could be accomplished by using groups, correct?
That would work for applying the same list of ports in the same
direction in multiple terms... that's useful, thanks!
Is there a way to finagle this so that the same list of ports could
be applied source-port in one term and destination-port in another?
The motivation for this is to apply the reciprocal of inbound port
filters in the outbound direction, to cover for fragmented traffic or
other issues.
Thanks!
--eli
>
> groups {
>     tcp-port-list {
>         firewall {
>             filter <*> {
>                 term <*> {
>                     from {
>                         protocol tcp;
>                         destination-port [ 21 25 445 666 ];
>                     }
>                 }
>             }
>         }
>     }
> }
> firewall {
>     filter block-traffic {
>         term block-tcp {
>             apply-groups tcp-port-list;
>             then discard;
>         }
>     }
> }
>
> -evt
>
> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net
> [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Eli Dart
> Sent: Wednesday, October 06, 2004 1:37 PM
> To: juniper-nsp at puck.nether.net
> Subject: [j-nsp] Port list?
>
> Does anyone know of a way to define a list of ports in Juniper policy?
>
> For a border router, it would be nice to do something like the
> following:
>
> firewall {
>     filter inbound {
>         term block-bad-tcp-ports {
>             from {
>                 protocol tcp;
>                 destination-port-list BAD-TCP;
>             }
>             then discard;
>         }
>     }
> }
>
> This allows the maintenance of a list of ports without touching the
> firewall filter. It also avoids the problem of keeping multiple
> instances of a port list in sync.
>
> Juniper folks, are there any plans to implement such a thing?
>
> --eli
>
>
>
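The group approach carried through to both directions, as an added example that is not from either poster. A Junos group carries no variables, so a list used as destination-port inbound and source-port outbound still has to be written once per direction; the two groups below do that, with apply-groups at the term level as in the snippet above. The group, filter and term names are made up, and the port list is the one from the thread.

```junos
/* Added example, not from the thread: one group per match direction.
   The port list is duplicated because groups cannot parameterise
   which match condition it lands in; keep the two lists identical. */
groups {
    bad-tcp-dst {
        firewall {
            filter <*> {
                term <*> {
                    from {
                        protocol tcp;
                        destination-port [ 21 25 445 666 ];
                    }
                }
            }
        }
    }
    bad-tcp-src {
        firewall {
            filter <*> {
                term <*> {
                    from {
                        protocol tcp;
                        source-port [ 21 25 445 666 ];
                    }
                }
            }
        }
    }
}
firewall {
    filter inbound {
        term block-bad-tcp-ports {
            apply-groups bad-tcp-dst;
            then discard;
        }
        term accept-rest {
            then accept;
        }
    }
    filter outbound {
        /* Reciprocal of the inbound term: the blocked service is now
           the source side of the reply. */
        term block-bad-tcp-ports {
            apply-groups bad-tcp-src;
            then discard;
        }
        term accept-rest {
            then accept;
        }
    }
}
```

Two caveats worth knowing before committing this. A single group could cover both directions by matching on `port` instead of source-port/destination-port, since `port` matches either the source or the destination port; but that is broader than the reciprocal filter, as it would also discard outbound connections to those ports. And none of these terms sees non-initial fragments: only the first fragment carries the TCP header, so a port match never fires on trailing fragments; those need a separate term matching `is-fragment` if they are the concern.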