[j-nsp] Difficulty with traceroute and stateful-firewall services...

Michael Loftis mloftis at wgops.com
Mon Apr 11 12:26:02 EDT 2005



--On Monday, April 11, 2005 18:02 +0200 Erik Haagsman <erik at we-dare.net> 
wrote:

> Without seeing the actual firewall rules it's hard to say anything
> useful about this, are you blocking/filtering any UDP ports that might
> prevent a normal traceroute...?

I have a final 'then reject' in the rules in the service set....I didn't 
want to include the rules because they get so long-winded but here goes...

these are all under edit services ... not precisely in the order they come 
out of the config file (reordered for slightly better readability, I hope) 
-- this is being applied to the unit facing the hosts, so inbound/outbound 
is from the interface perspective, that little detail did trip me initially.

I'm trying to get something that works and then clean everything up 
completely and concisely.


(service set being applied to the interface, input, and output)
    service-set internal-services-set {
        stateful-firewall-rule-sets internal-services;
        interface-service {
            service-interface sp-1/2/0;
        }
    }

    stateful-firewall {
        rule-set internal-services {
            rule allow-icmp-basic;
            rule allow-management-inbound;
            rule reject-all-output;
            rule accept-all-input;
        }

        rule allow-icmp-basic {
            match-direction input-output;
            term 1 {
                from {
                    application-sets icmp-basic;
                }
                then {
                    accept;
                }
            }
            term 2 {
                from {
                    applications junos-icmp-all;
                }
                then {
                    accept;
                }
            }
        }

        rule allow-management-inbound {
            match-direction input-output;
            term 1 {
                from {
                    source-address {
                        # ... redacted, sorry...
                    }
                    application-sets junos-algs-outbound;
                }
                then {
                    accept;
                }
            }
            term 2 {
                from {
                    source-address {
                        # ... redacted, sorry...
                    }
                    application-sets junos-management-inbound;
                }
                then {
                    accept;
                }
            }
        }
        rule reject-all-output {
            match-direction output;
            term output-reject {
                then {
                    reject;
                }
            }
        }
        rule accept-all-input {
            match-direction input;
            term accept-input {
                then {
                    accept;
                }
            }
        }

    }
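As an added illustration (not the poster's configuration and not Junos code), the following Python model replays the rule set above under first-match evaluation, with "input" and "output" taken from the interface's perspective exactly as the post describes, and walks the two constructed packets of one UDP traceroute hop (the outgoing probe and the ICMP time-exceeded answer) through it. Everything not visible in the post is an assumption: the icmp-basic and junos-icmp-all applications are treated as "any ICMP", the two junos-* management application-sets are stood in for by "TCP from a management source", the redacted source-address prefixes are replaced by constructed documentation addresses, and no flow or ALG state is modelled, so the model shows only what rule order and match-direction do, not what the services PIC does with flows.

```python
"""Toy first-match model of the stateful-firewall rule set quoted above.

Added example: not the poster's configuration and not Junos code. It models
only rule-set order and match-direction: rules are tried in the order the
rule-set block lists them, a rule is considered only for packets whose
direction (from the interface's perspective) is covered by its
match-direction, and the first matching term decides. Flow/ALG state is not
modelled. Assumptions: 'icmp-basic' and 'junos-icmp-all' match any ICMP
packet, the two 'junos-*' management application-sets are stood in for by
'TCP from a management source', and the redacted source-address prefixes are
replaced by constructed documentation (RFC 5737) addresses.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Packet:
    direction: str            # "input" (from the hosts) or "output" (toward the hosts)
    proto: str                # "udp", "tcp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Term:
    name: str
    matches: Callable[[Packet], bool]   # the 'from' clause; a term with no 'from' matches all
    action: str                         # "accept" or "reject"


@dataclass
class Rule:
    name: str
    match_direction: str                # "input", "output" or "input-output"
    terms: List[Term]


# Constructed stand-ins for the redacted management source addresses.
MGMT_SOURCES = {"192.0.2.10", "192.0.2.11"}


def any_packet(p: Packet) -> bool:
    return True


def is_icmp(p: Packet) -> bool:
    return p.proto == "icmp"


def mgmt_tcp(p: Packet) -> bool:
    # Assumption: stands in for the junos-algs-outbound / junos-management-inbound sets.
    return p.proto == "tcp" and p.src in MGMT_SOURCES


# The rules in the order the 'rule-set internal-services' block lists them.
RULE_SET: List[Rule] = [
    Rule("allow-icmp-basic", "input-output", [
        Term("1", is_icmp, "accept"),        # application-sets icmp-basic
        Term("2", is_icmp, "accept"),        # applications junos-icmp-all
    ]),
    Rule("allow-management-inbound", "input-output", [
        Term("1", mgmt_tcp, "accept"),       # source-address + junos-algs-outbound
        Term("2", mgmt_tcp, "accept"),       # source-address + junos-management-inbound
    ]),
    Rule("reject-all-output", "output", [Term("output-reject", any_packet, "reject")]),
    Rule("accept-all-input", "input", [Term("accept-input", any_packet, "accept")]),
]


def evaluate(rule_set: List[Rule], pkt: Packet) -> Tuple[Optional[str], Optional[str], str]:
    """Return (rule name, term name, action) of the first match.

    A rule is skipped entirely when its match-direction does not cover the
    packet's direction. A packet that matches nothing gets the action "no-match".
    """
    for rule in rule_set:
        if rule.match_direction not in ("input-output", pkt.direction):
            continue
        for term in rule.terms:
            if term.matches(pkt):
                return rule.name, term.name, term.action
    return None, None, "no-match"


def traceroute_hop(host: str = "198.51.100.7", target: str = "203.0.113.9") -> List[Packet]:
    """Constructed packets of one UDP traceroute hop from a host behind the unit:
    the TTL-limited probe leaves, an intermediate router answers with ICMP."""
    return [
        Packet("input", "udp", host, target, dport=33434),
        Packet("output", "icmp", "192.0.2.254", host),
    ]


def trace_hits(rule_set: List[Rule], pkts: List[Packet]) -> List[Tuple[str, Optional[str], str]]:
    """Which rule and action each packet of an exchange lands on."""
    hits = []
    for p in pkts:
        rule, _term, action = evaluate(rule_set, p)
        hits.append((p.direction, rule, action))
    return hits


def move_rule_first(rule_set: List[Rule], name: str) -> List[Rule]:
    """A reordered copy, to show that rule-set order alone changes the verdict."""
    picked = [r for r in rule_set if r.name == name]
    return picked + [r for r in rule_set if r.name != name]


if __name__ == "__main__":
    for hit in trace_hits(RULE_SET, traceroute_hop()):
        print(hit)
```

Under this reading both packets of the hop are accepted: the probe by accept-all-input and the ICMP answer by allow-icmp-basic, which sits ahead of reject-all-output in the rule set. Moving reject-all-output to the front flips the ICMP verdict, which is the kind of ordering check worth running before reworking terms.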

