[j-nsp] Firewall Filter logging
Khawaja, Kashif
Kashif.Khawaja at broadwing.com
Fri Oct 8 13:42:34 EDT 2004
Hi All:
Testing a filter and having a problem with logging on it. I have a few small but
rather important issues.
1. If I apply it ONLY outbound on an interface that all this traffic is
exiting through, I do get logs, but the logs show the interface the traffic is
entering through, not the interface the filter is applied (outbound) on.
2. Juniper's documentation for 6.2 says I should be able to see the port
numbers along with the IP addresses in the default (non-detailed) view.
Is there a knob you have to tweak for the ports to show up in the terse
format? I do see the ports in the detailed view.
/* interface stanza: filter jun62 is applied in the output direction only */
sonet-options {
    fcs 32;
}
unit 0 {
    family inet {
        filter {
            output jun62;
        }
        address 192.2.1.1/30;
    }
}

/* filter jun62: terms are evaluated first-match, top to bottom */
term one {
    from {
        address {
            1.1.1.0/24;
            2.4.5.0/255.255.255.0;
            /* discontiguous masks: only the set mask bits are compared */
            0.0.130.0/0.0.255.0;
            0.0.0.0/192.224.240.248;
            0.0.0.1/0.128.0.255;
            192.252.192.0/192.252.224.0;
        }
        prefix-list {
            FIREWALLIT;
        }
        dscp af33;
        protocol tcp;
        port 21;
    }
    then {
        log;
        discard;
    }
}
term two {
    from {
        source-address {
            240.252.10.11/248.252.255.255;
        }
        destination-address {
            128.224.0.1/248.252.255.255;
        }
        source-prefix-list {
            SFIREWALLIT;
        }
        destination-prefix-list {
            DFIREWALLIT;
        }
        precedence-except immediate;
        protocol [ udp rsvp ];
        destination-port 123-130;
    }
    then {
        log;
        reject;
    }
}
term 3 {
    from {
        protocol icmp;
        icmp-type echo-request;
        icmp-code redirect-for-tos-and-host;
    }
    then {
        log;
        sample;
        /* log and sample, then fall through to the next term */
        next term;
    }
}
term 4 {
    then accept;
}
Thanks
-Kashif.
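The filter in the post, as an added worked example that is not part of the original message and not Juniper code: a small Python model of how JunOS evaluates these four terms first-match, covering the discontiguous address masks in term one, `precedence-except` in term two, and the `next term` fall-through in term 3. It assumes the three prefix lists are empty (their contents are not in the post), that port fields are zero for protocols without ports, and it uses a constructed Packet type; it does not model the interface-direction logging question.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


# Constructed packet model: just the header fields the posted filter inspects.
@dataclass
class Packet:
    src: str
    dst: str
    proto: int              # IP protocol number
    tos: int = 0            # full 8-bit TOS byte: precedence = top 3 bits, DSCP = top 6 bits
    sport: int = 0          # assumption: 0 when the protocol has no ports
    dport: int = 0
    icmp_type: int = 0
    icmp_code: int = 0


TCP, UDP, ICMP, RSVP = 6, 17, 1, 46
DSCP_AF33 = 30                    # af33 = 011110
PREC_IMMEDIATE = 2                # IP precedence "immediate" = 010
ICMP_ECHO_REQUEST = 8
ICMP_CODE_REDIRECT_TOS_HOST = 3   # value of the redirect-for-tos-and-host code

# Prefix-list contents are not in the post, so they are assumed empty here.
PREFIX_LIST_FIREWALLIT: List[str] = []
PREFIX_LIST_SFIREWALLIT: List[str] = []
PREFIX_LIST_DFIREWALLIT: List[str] = []


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def addr_match(addr: str, spec: str) -> bool:
    """JunOS filter address match: 'net/len' or 'net/mask'. The mask form may be
    discontiguous, e.g. 0.0.130.0/0.0.255.0 matches any address whose third octet is 130."""
    net, mask = spec.split("/")
    m = _ip(mask) if "." in mask else (0xFFFFFFFF << (32 - int(mask))) & 0xFFFFFFFF
    return (_ip(addr) & m) == (_ip(net) & m)


def any_match(addr: str, specs: List[str]) -> bool:
    return any(addr_match(addr, s) for s in specs)


TERM_ONE_ADDRS = [
    "1.1.1.0/24", "2.4.5.0/255.255.255.0", "0.0.130.0/0.0.255.0",
    "0.0.0.0/192.224.240.248", "0.0.0.1/0.128.0.255", "192.252.192.0/192.252.224.0",
] + PREFIX_LIST_FIREWALLIT
TERM_TWO_SRC = ["240.252.10.11/248.252.255.255"] + PREFIX_LIST_SFIREWALLIT
TERM_TWO_DST = ["128.224.0.1/248.252.255.255"] + PREFIX_LIST_DFIREWALLIT


def match_one(p: Packet) -> bool:
    # 'address' matches source OR destination; 'port' matches source OR destination port.
    # Entries of one match kind are ORed, different kinds are ANDed.
    return ((any_match(p.src, TERM_ONE_ADDRS) or any_match(p.dst, TERM_ONE_ADDRS))
            and p.tos >> 2 == DSCP_AF33 and p.proto == TCP and 21 in (p.sport, p.dport))


def match_two(p: Packet) -> bool:
    # precedence-except immediate: any precedence value other than 2
    return (any_match(p.src, TERM_TWO_SRC) and any_match(p.dst, TERM_TWO_DST)
            and p.tos >> 5 != PREC_IMMEDIATE and p.proto in (UDP, RSVP)
            and 123 <= p.dport <= 130)


def match_three(p: Packet) -> bool:
    return (p.proto == ICMP and p.icmp_type == ICMP_ECHO_REQUEST
            and p.icmp_code == ICMP_CODE_REDIRECT_TOS_HOST)


# (term name, match function, terminating action or None for 'next term', action modifiers)
TERMS = [
    ("one", match_one, "discard", ["log"]),
    ("two", match_two, "reject", ["log"]),
    ("3", match_three, None, ["log", "sample"]),
    ("4", lambda p: True, "accept", []),
]


def evaluate(p: Packet) -> Tuple[Optional[str], str, List[str]]:
    """First-match evaluation: returns (terminating term, action, accumulated modifiers)."""
    mods: List[str] = []
    for name, match, action, term_mods in TERMS:
        if match(p):
            mods += term_mods
            if action is not None:
                return name, action, mods
    return None, "discard", mods   # implicit discard at the end of every JunOS filter


if __name__ == "__main__":
    # Constructed sample packets: the second one hits term one only through the
    # discontiguous mask (third octet 130), the last one is logged and sampled by
    # term 3 but still accepted by term 4 because of 'next term'.
    for pkt in (Packet("1.1.1.5", "9.9.9.9", TCP, tos=0x78, sport=4000, dport=21),
                Packet("9.9.9.9", "10.20.130.40", TCP, tos=0x78, sport=21, dport=5000),
                Packet("241.252.10.11", "129.225.0.1", UDP, dport=125),
                Packet("9.9.9.9", "8.8.8.8", ICMP, icmp_type=8, icmp_code=3)):
        print(pkt.src, "->", pkt.dst, evaluate(pkt))
```

The model makes visible why the discontiguous masks are risky to reason about by eye: `0.0.130.0/0.0.255.0` matches a packet to 10.20.130.40 but not one to 10.20.131.40, and `precedence-except immediate` flips a term-two reject into a term-four accept purely on the TOS byte. Term 3 never terminates, so its `log` and `sample` are the only effect it has before term 4 accepts.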