[j-nsp] Port list?
Phil Shafer
phil at juniper.net
Thu Oct 7 09:24:51 EDT 2004
Eric Van Tol writes:
>Sorry, I misunderstood the last question. The solution I provided would
>not work in the situation presented. Sorry!
I don't have an easy way of doing this yet either. You could use
a config group to at least keep two lists of the exact same ports
side-by-side (see below), which may help you maintain them, but
there's no current mechanism to make only one list. Sorry...
Thanks,
Phil
groups {
    tcp-port-list {
        firewall {
            filter <*> {
                term <*> {
                    from {
                        protocol tcp;
                    }
                }
                term block-source-ports {
                    from {
                        source-port [ 21 25 445 666 ];
                    }
                }
                term block-destination-ports {
                    from {
                        destination-port [ 21 25 445 666 ];
                    }
                }
            }
        }
    }
}
firewall {
    filter block-inbound-traffic {
        term block-destination-ports {
            apply-groups tcp-port-list;
            then discard;
        }
    }
    filter block-outbound-traffic {
        term block-source-ports {
            apply-groups tcp-port-list;
            then discard;
        }
    }
}
[edit]
cli# show | display inheritance
firewall {
    filter block-inbound-traffic {
        term block-destination-ports {
            ##
            ## 'from' was inherited from group 'tcp-port-list'
            ##
            from {
                ##
                ## 'tcp' was inherited from group 'tcp-port-list'
                ##
                protocol tcp;
                ##
                ## '21' was inherited from group 'tcp-port-list'
                ## '25' was inherited from group 'tcp-port-list'
                ## '445' was inherited from group 'tcp-port-list'
                ## '666' was inherited from group 'tcp-port-list'
                ##
                destination-port [ 21 25 445 666 ];
            }
            then {
                discard;
            }
        }
    }
    filter block-outbound-traffic {
        term block-source-ports {
            ##
            ## 'from' was inherited from group 'tcp-port-list'
            ##
            from {
                ##
                ## 'tcp' was inherited from group 'tcp-port-list'
                ##
                protocol tcp;
                ##
                ## '21' was inherited from group 'tcp-port-list'
                ## '25' was inherited from group 'tcp-port-list'
                ## '445' was inherited from group 'tcp-port-list'
                ## '666' was inherited from group 'tcp-port-list'
                ##
                source-port [ 21 25 445 666 ];
            }
            then {
                discard;
            }
        }
    }
}
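Since the group above still carries two copies of the port list that have to be edited by hand, the one check a maintainer wants is that the source-port and destination-port lists have not drifted apart. The script below is an added example, not code from the post or from Juniper; it assumes a config text in the bracketed `[ a b c ];` or single-value `x;` syntax shown above and compares the two lists.

```python
import re

# Constructed sample: the tcp-port-list group from the post, flattened to text.
SAMPLE_CONFIG = """\
groups {
    tcp-port-list {
        firewall {
            filter <*> {
                term block-source-ports {
                    from {
                        source-port [ 21 25 445 666 ];
                    }
                }
                term block-destination-ports {
                    from {
                        destination-port [ 21 25 445 666 ];
                    }
                }
            }
        }
    }
}
"""

# Matches 'source-port [ 21 25 ];' as well as the single-value form 'source-port 22;'.
PORT_LIST_RE = re.compile(
    r"(source-port|destination-port)\s+(?:\[([^\]]*)\]|([^\s;\[]+))\s*;"
)


def extract_port_lists(config_text):
    """Return {'source-port': set(...), 'destination-port': set(...)} found in the text.

    Port values are kept as strings so names (ssh) and ranges (1024-65535) survive.
    """
    lists = {}
    for m in PORT_LIST_RE.finditer(config_text):
        kind, bracketed, single = m.group(1), m.group(2), m.group(3)
        values = bracketed.split() if bracketed is not None else [single]
        lists.setdefault(kind, set()).update(values)
    return lists


def port_list_drift(config_text):
    """Return (only_in_source, only_in_destination); both empty means the lists agree."""
    lists = extract_port_lists(config_text)
    src = lists.get("source-port", set())
    dst = lists.get("destination-port", set())
    return sorted(src - dst), sorted(dst - src)
```

Feed it the output of `show configuration groups tcp-port-list` (or the saved config file) and treat any non-empty result as a list that was edited on one side only.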