[j-nsp] Firewall Filter logging
Harry Reynolds
harry at juniper.net
Fri Oct 8 17:37:22 EDT 2004
Counters yes, but not aware of any such capability for syslog. Filters that
execute in the PFE for transit traffic generate log messages with a generic
name like "pfe" so you cannot easily parse the common log file.
> -----Original Message-----
> From: Khawaja, Kashif [mailto:Kashif.Khawaja at broadwing.com]
> Sent: Friday, October 08, 2004 2:07 PM
> To: Harry Reynolds; juniper-nsp at puck.nether.net
> Subject: RE: [j-nsp] Firewall Filter logging
>
> In that case, is there a convenient way to separate logs
> (into different files perhaps) of multiple outbound firewall filters?
>
> -----Original Message-----
> From: Harry Reynolds [mailto:harry at juniper.net]
> Sent: Friday, October 08, 2004 2:02 PM
> To: Khawaja, Kashif; juniper-nsp at puck.nether.net
> Subject: RE: [j-nsp] Firewall Filter logging
>
>
> Firewall filters ID the incoming interface to assist with
> DDoS tracking.
> AFAIK, there is no way to alter so as to ID the egress interface in the
> log. I guess we assume that you know the egress interface as you have
> applied the filter there.
>
>
> HTHs
>
>
> > -----Original Message-----
> > From: juniper-nsp-bounces at puck.nether.net
> > [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of
> > Khawaja, Kashif
> > Sent: Friday, October 08, 2004 10:43 AM
> > To: juniper-nsp at puck.nether.net
> > Subject: [j-nsp] Firewall Filter logging
> >
> > Hi All:
> >
> > Testing a filter and having a problem logging on it. Have a few
> > small but rather important issues.
> >
> > 1. If I apply it ONLY outbound on an interface that all this
> > traffic is exiting through, I do get logs, but the logs show
> > the interface the traffic is entering through, not the interface
> > the filter is applied (outbound) on.
> >
> > 2. Juniper's documentation for 6.2 says I should be able to
> > see the port numbers along with the IP addresses in the
> > default (non-detailed view).
> > Is there a knob you have to tweak for the ports to show up in
> > the terse format? I do see the ports in the detailed view.
> >
> >
> >
> > sonet-options {
> >     fcs 32;
> > }
> > unit 0 {
> >     family inet {
> >         filter {
> >             output jun62;
> >         }
> >         address 192.2.1.1/30;
> >     }
> > }
> >
> > term one {
> >     from {
> >         address {
> >             1.1.1.0/24;
> >             2.4.5.0/255.255.255.0;
> >             0.0.130.0/0.0.255.0;
> >             0.0.0.0/192.224.240.248;
> >             0.0.0.1/0.128.0.255;
> >             192.252.192.0/192.252.224.0;
> >         }
> >         prefix-list {
> >             FIREWALLIT;
> >         }
> >         dscp af33;
> >         protocol tcp;
> >         port 21;
> >     }
> >     then {
> >         log;
> >         discard;
> >     }
> > }
> > term two {
> >     from {
> >         source-address {
> >             240.252.10.11/248.252.255.255;
> >         }
> >         destination-address {
> >             128.224.0.1/248.252.255.255;
> >         }
> >         source-prefix-list {
> >             SFIREWALLIT;
> >         }
> >         destination-prefix-list {
> >             DFIREWALLIT;
> >         }
> >         precedence-except immediate;
> >         protocol [ udp rsvp ];
> >         destination-port 123-130;
> >     }
> >     then {
> >         log;
> >         reject;
> >     }
> > }
> > term 3 {
> >     from {
> >         protocol icmp;
> >         icmp-type echo-request;
> >         icmp-code redirect-for-tos-and-host;
> >     }
> >     then {
> >         log;
> >         sample;
> >         next term;
> >     }
> > }
> > term 4 {
> >     then accept;
> > }
> >
> > Thanks
> > -Kashif.
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > http://puck.nether.net/mailman/listinfo/juniper-nsp
> >
>
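Added example (not from this thread, and not Kashif's or Harry's configuration): since the PFE log entry only carries the generic "pfe" filter name and the ingress interface, the per-term counters Harry mentions are the practical way to attribute hits to a specific outbound filter and term. The example below keeps the `log` action from Kashif's filter and adds a uniquely named `count` to each logging term, so each filter's hits can be read separately. The interface name `so-0/0/0`, the second filter `jun62-backup`, the counter names and the prefix lists are assumptions for illustration; the prefix-list names FIREWALLIT, SFIREWALLIT and DFIREWALLIT come from Kashif's post.

```junos
firewall {
    family inet {
        filter jun62 {
            term one {
                from {
                    prefix-list {
                        FIREWALLIT;
                    }
                    protocol tcp;
                    port 21;
                }
                then {
                    /* assumed counter name: unique per filter and term */
                    count jun62-term-one-discard;
                    log;
                    discard;
                }
            }
            term two {
                from {
                    source-prefix-list {
                        SFIREWALLIT;
                    }
                    destination-prefix-list {
                        DFIREWALLIT;
                    }
                    protocol [ udp rsvp ];
                    destination-port 123-130;
                }
                then {
                    count jun62-term-two-reject;
                    log;
                    reject;
                }
            }
            term last {
                then accept;
            }
        }
        /* second outbound filter (assumed) with its own counter names, */
        /* so its hits are never confused with those of jun62 */
        filter jun62-backup {
            term one {
                from {
                    prefix-list {
                        FIREWALLIT;
                    }
                    protocol tcp;
                    port 21;
                }
                then {
                    count jun62-backup-term-one-discard;
                    log;
                    discard;
                }
            }
            term last {
                then accept;
            }
        }
    }
}
interfaces {
    /* assumed interface name; the filter is applied outbound as in the post */
    so-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    output jun62;
                }
                address 192.2.1.1/30;
            }
        }
    }
}
```

With this in place, `show firewall filter jun62` lists each counter by name, and `clear firewall filter jun62` resets them for a fresh test run; the `show firewall log` entries still show "pfe" and the ingress interface, so the counters, not the log, are what tie a hit to a given filter and term.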