[j-nsp] Firewall Filter logging

Harry Reynolds harry at juniper.net
Fri Oct 8 15:02:29 EDT 2004


Firewall filters ID the incoming interface to assist with DDoS tracking.
AFAIK, there is no way to alter so as to ID the egress interface in the log.
I guess we assume that you know the egress interface as you have applied
the filter there.


HTHs


> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net 
> [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of 
> Khawaja, Kashif
> Sent: Friday, October 08, 2004 10:43 AM
> To: juniper-nsp at puck.nether.net
> Subject: [j-nsp] Firewall Filter logging
> 
> Hi All:
> 
> Testing a filter and having problems logging on it. Have a few 
> small but rather important issues. 
> 
> 1. If I apply it ONLY outbound on an interface that all this 
> traffic is exiting through, I do get logs, but the logs show 
> the interface the traffic is entering through, not the interface 
> the filter is applied (outbound) on. 
> 
> 2. Juniper's documentation for 6.2 says I should be able to 
> see the port numbers along with the IP addresses in the 
> default (non-detailed view).
> Is there a knob you have to tweak for the ports to show up in 
> the terse format? I do see the ports in the detailed view.
> 
> 
> 
> sonet-options {
>     fcs 32;
> }
> unit 0 {
>     family inet {
>         filter {
>             output jun62;
>         }
>         address 192.2.1.1/30;
>     }
> }
> 
> term one {
>     from {
>         address {
>             1.1.1.0/24;
>             2.4.5.0/255.255.255.0;
>             0.0.130.0/0.0.255.0;
>             0.0.0.0/192.224.240.248;
>             0.0.0.1/0.128.0.255;
>             192.252.192.0/192.252.224.0;
>         }
>         prefix-list {
>             FIREWALLIT;
>         }
>         dscp af33;
>         protocol tcp;
>         port 21;
>     }
>     then {
>         log;
>         discard;
>     }
> }
> term two {
>     from {
>         source-address {
>             240.252.10.11/248.252.255.255;
>         }
>         destination-address {
>             128.224.0.1/248.252.255.255;
>         }
>         source-prefix-list {
>             SFIREWALLIT;
>         }
>         destination-prefix-list {
>             DFIREWALLIT;
>         }
>         precedence-except immediate;
>         protocol [ udp rsvp ];
>         destination-port 123-130;
>     }
>     then {
>         log;
>         reject;
>     }
> }
> term 3 {
>     from {
>         protocol icmp;
>         icmp-type echo-request;
>         icmp-code redirect-for-tos-and-host;
>     }
>     then {
>         log;
>         sample;
>         next term;
>     }
> }
> term 4 {
>     then accept;
> }
> 
> Thanks
> -Kashif.
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net 
> http://puck.nether.net/mailman/listinfo/juniper-nsp
> 
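The thread's point is that a Junos firewall-filter log entry records the ingress interface even when the filter is attached in the output direction, so the egress interface has to be recovered from where the filter is applied. The script below is an added example, not code from the thread or from Juniper: it parses the curly-brace configuration posted above (trimmed to the parts that matter), extracts which filter is attached to which unit in which direction, lists the terms that log, and then annotates a logged interface name with both ingress and egress. The physical interface name so-0/0/0 is a constructed placeholder because the post only shows the unit stanza, and the exact `show firewall log` line layout is not reproduced; the logged interface is passed in as a plain string.

```python
import re

# Constructed sample: the interface unit stanza from the post (physical
# interface name is an assumed placeholder, the post does not show it).
IFD = "so-0/0/0"
SAMPLE_INTERFACE_CONFIG = """
unit 0 {
    family inet {
        filter {
            output jun62;
        }
        address 192.2.1.1/30;
    }
}
"""

# Constructed sample: three terms of filter jun62 from the post, trimmed.
SAMPLE_FILTER_CONFIG = """
term one {
    from {
        protocol tcp;
        port 21;
    }
    then {
        log;
        discard;
    }
}
term two {
    from {
        protocol [ udp rsvp ];
        destination-port 123-130;
    }
    then {
        log;
        reject;
    }
}
term 4 {
    then accept;
}
"""


def parse_junos(text):
    """Parse Junos curly-brace syntax into nested dicts; leaf statements map to True."""
    tokens = re.findall(r"\{|\}|;|[^\s{};]+", text)
    pos = 0

    def block():
        nonlocal pos
        node, words = {}, []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == "{":
                node[" ".join(words)] = block()
                words = []
            elif tok == "}":
                return node
            elif tok == ";":
                node[" ".join(words)] = True
                words = []
            else:
                words.append(tok)
        return node

    return block()


def filter_attachments(config, ifd=IFD):
    """Return {filter_name: (logical_interface, direction)} from an interface stanza."""
    attachments = {}
    for unit_key, unit in config.items():
        if not (unit_key.startswith("unit ") and isinstance(unit, dict)):
            continue
        ifl = f"{ifd}.{unit_key.split()[1]}"
        for fam in unit.values():
            if not isinstance(fam, dict):
                continue
            for stmt in fam.get("filter", {}):
                direction, name = stmt.split()  # e.g. "output jun62"
                attachments[name] = (ifl, direction)
    return attachments


def logging_terms(filter_config):
    """Return {term_name: [actions]} for every term whose 'then' clause logs."""
    result = {}
    for key, term in filter_config.items():
        if not key.startswith("term "):
            continue
        actions = []
        for k, v in term.items():
            if k == "then" and isinstance(v, dict):
                actions = list(v)
            elif k.startswith("then "):        # one-line form: "then accept;"
                actions = k.split()[1:]
        if "log" in actions:
            result[key.split(maxsplit=1)[1]] = actions
    return result


def interpret_log_interface(filter_name, logged_interface, attachments):
    """The log carries the ingress interface; for an output filter the egress
    interface is the attachment point, for an input filter it is not in the log."""
    ifl, direction = attachments[filter_name]
    if direction == "output":
        return {"ingress": logged_interface, "egress": ifl}
    return {"ingress": ifl, "egress": None}


if __name__ == "__main__":
    atts = filter_attachments(parse_junos(SAMPLE_INTERFACE_CONFIG))
    print("attachments:", atts)
    print("logging terms:", logging_terms(parse_junos(SAMPLE_FILTER_CONFIG)))
    # Constructed log interface value: traffic that entered on ge-0/0/0.0
    print(interpret_log_interface("jun62", "ge-0/0/0.0", atts))
```

Because the attachment map is built from the configuration rather than from the log, the same annotation works for any filter that is applied in the output direction; for input filters the function reports that the egress side is simply not present in the log record.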