[j-nsp] Filtering and policer examples
Thomas Salmen
tsalmen at orcon.net.nz
Wed Dec 28 20:59:44 EST 2005
I haven't tested this, and it's pretty much from memory, but it should be
roughly what you're looking for. I think.
firewall {
    family inet {
        filter filter-inbound {
            /* Police traffic to address 192.168.1.1 on port 80 */
            term 1 {
                from {
                    /* destination-address, not address: "address" would also match
                       traffic sourced from 192.168.1.1 */
                    destination-address {
                        192.168.1.1/32;
                    }
                    protocol tcp;
                    destination-port [ 80 ];
                }
                then {
                    policer 1M;
                    accept;
                }
            }
            /* Discard all other traffic to 192.168.1.1 */
            term 2 {
                from {
                    destination-address {
                        192.168.1.1/32;
                    }
                }
                then {
                    discard;
                }
            }
            /* Accept all other traffic */
            term accept-all {
                then {
                    accept;
                }
            }
        }
    }
    policer 1M {
        if-exceeding {
            bandwidth-limit 1024k;
            burst-size-limit 128k;
        }
        then discard;
    }
}
interfaces {
    ge-1/3/0 {
        vlan-tagging;
        unit 100 {
            vlan-id 100;
            family inet {
                filter {
                    input filter-inbound;
                }
                address 172.16.1.1/30;
            }
        }
    }
}
Cheers,
Thomas
>
> I have been working on some filters for our edge router, and could use
> some assistance. We have a high-risk externally-available resource that
> I'd like to filter outside traffic to, which I have somewhat of a handle
> on, but I'd also like to apply some rate limiting policers to it as
> well. Does anyone have any resources (besides the Policy Framework
> Configuration Guide, which I've been reading) for writing firewall
> filters and traffic policers? Examples would be even better.
>
> What I am trying to do is discard all traffic to a single address,
> except for a small range of tcp ports. All other traffic traversing the
> filtered interfaces should be allowed to pass uninterrupted.
>
> Thanks for any help.
>
> -j
>
> --
> --Jonathan Disher, Senior Systems and Network Engineer
> --Macrovision Corporation, Santa Clara, CA
> --[w] +1.408.562.8524 | [m] +1.408.829.2956 | [e]
> jdisher at macrovision.com
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp
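The original question asks for a small range of TCP ports rather than a single one, and for operations you will also want to see how often the discard term fires. The following is an added example, not the poster's configuration, that extends the reply above: it matches a port list instead of one port, attaches a counter to each term and syslogs samples of what is dropped. The host address 192.168.1.1 is the one from the thread; the filter name, counter names and the port list [ 80 443 8080-8090 ] are constructed placeholders to be replaced with the real service set.

```junos
firewall {
    family inet {
        filter protect-host {
            /* Allowed services to the exposed host: police to 1 Mbit/s,
               count what is accepted so the policer's effect is visible */
            term allowed-services {
                from {
                    destination-address {
                        192.168.1.1/32;
                    }
                    protocol tcp;
                    /* placeholder port set: single ports and a range */
                    destination-port [ 80 443 8080-8090 ];
                }
                then {
                    policer allowed-services-1m;
                    count allowed-services;
                    accept;
                }
            }
            /* Everything else addressed to the host: count it, syslog a
               sample for investigation, then drop it */
            term discard-other {
                from {
                    destination-address {
                        192.168.1.1/32;
                    }
                }
                then {
                    count discard-other;
                    syslog;
                    discard;
                }
            }
            /* Transit traffic to any other destination is untouched */
            term accept-all {
                then accept;
            }
        }
    }
    policer allowed-services-1m {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 128k;
        }
        then {
            discard;
        }
    }
}
```

Apply it with `filter { input protect-host; }` under the inbound unit's `family inet`, as in the reply above, and run `commit check` first. `show firewall filter protect-host` then shows the per-term counters and the policer's discard count, which is the quickest way to confirm that only the intended ports are being accepted and that the rate limit is actually engaging. The `syslog` action only lands somewhere useful if the firewall facility is sent to a file or host under `system syslog`.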