[j-nsp] Port list?
Eric Van Tol
eric at atlantech.net
Wed Oct 6 15:10:01 EDT 2004
Sure, just create the terms as specific ones instead of
all-encompassing:
> groups {
>     tcp-port-list {
>         firewall {
>             filter <*> {
>                 term dest-tcp {
>                     from {
>                         protocol tcp;
>                         destination-port [ 21 25 445 666 ];
>                     }
>                 }
                term source-tcp {
                    from {
                        protocol tcp;
                        source-port [ 2 4 6 8 ];
                    }
                }
>             }
>         }
>     }
> }
> firewall {
>     filter block-traffic {
>         term dest-tcp {
>             apply-groups tcp-port-list;
>             then discard;
>         }
        term source-tcp {
            apply-groups tcp-port-list;
            then discard;
        }
>     }
> }
Just make sure you name your terms the same name as you did in the group
definition.
-evt
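As an added example, not from the thread, a small Python check for the sync problem Eli raises: it walks an expanded JunOS filter and reports any ports that appear in the destination-port copy of the list but not the source-port copy, or vice versa. The sample config, the term names and the `port_list_drift` helper are constructed for this illustration.

```python
import re

# Constructed sample: the thread's group-based filter as it would expand,
# with the source-port copy deliberately missing port 666 to show drift.
SAMPLE_CONFIG = """
firewall {
    filter block-traffic {
        term dest-tcp {
            from {
                protocol tcp;
                destination-port [ 21 25 445 666 ];
            }
            then discard;
        }
        term source-tcp {
            from {
                protocol tcp;
                source-port [ 21 25 445 ];
            }
            then discard;
        }
    }
}
"""
# Matches 'source-port [ a b ];' or 'destination-port 25;' inside a from block.
PORT_RE = re.compile(r"^(source-port|destination-port)\s+(?:\[\s*([^\]]*)\]|(\S+));$")

def term_ports(config):
    """Walk the curly-brace hierarchy and collect {term: {match: set(ports)}}."""
    stack, result = [], {}
    for raw in config.splitlines():
        line = raw.strip()
        if line.endswith("{"):
            stack.append(line[:-1].strip())   # e.g. 'term dest-tcp'
        elif line == "}":
            stack.pop()
        elif (m := PORT_RE.match(line)):
            terms = [s for s in stack if s.startswith("term ")]
            if terms:
                ports = (m.group(2) or m.group(3)).split()
                term = terms[-1].split(None, 1)[1]
                result.setdefault(term, {}).setdefault(m.group(1), set()).update(ports)
    return result

def port_list_drift(config, dest_term, src_term):
    """Ports present in one direction but not the other; ([], []) means in sync."""
    ports = term_ports(config)
    dst = ports.get(dest_term, {}).get("destination-port", set())
    src = ports.get(src_term, {}).get("source-port", set())
    return sorted(dst - src), sorted(src - dst)
```

Run `port_list_drift(SAMPLE_CONFIG, "dest-tcp", "source-tcp")` against the output of `show configuration firewall | display inheritance` to catch a list that was edited in only one term.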
-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Eli Dart
Sent: Wednesday, October 06, 2004 2:24 PM
To: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] Port list?
In reply to "Eric Van Tol" <eric at atlantech.net> :
> This could be accomplished by using groups, correct?
That would work for applying the same list of ports in the same
direction in multiple terms.....that's useful, thanks!
Is there a way to finagle this so that the same list of ports could
be applied source-port in one term and destination-port in another?
The motivation for this is to apply the reciprocal of inbound port
filters in the outbound direction, to cover for fragmented traffic or
other issues.
Thanks!
--eli
>
> groups {
>     tcp-port-list {
>         firewall {
>             filter <*> {
>                 term <*> {
>                     from {
>                         protocol tcp;
>                         destination-port [ 21 25 445 666 ];
>                     }
>                 }
>             }
>         }
>     }
> }
> firewall {
>     filter block-traffic {
>         term block-tcp {
>             apply-groups tcp-port-list;
>             then discard;
>         }
>     }
> }
>
> -evt
>
> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net
> [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Eli Dart
> Sent: Wednesday, October 06, 2004 1:37 PM
> To: juniper-nsp at puck.nether.net
> Subject: [j-nsp] Port list?
>
> Does anyone know of a way to define a list of ports in Juniper policy?
>
> For a border router, it would be nice to do something like the
> following:
>
> firewall {
>     filter inbound {
>         term block-bad-tcp-ports {
>             from {
>                 protocol tcp;
>                 destination-port-list BAD-TCP;
>             }
>             then discard;
>         }
>     }
> }
>
> This allows the maintenance of a list of ports without touching the
> firewall filter. It also avoids the problem of keeping multiple
> instances of a port list in sync.
>
> Juniper folks, are there any plans to implement such a thing?
>
> --eli