[j-nsp] Filtering and policer examples

Thomas Salmen tsalmen at orcon.net.nz
Wed Dec 28 20:59:44 EST 2005


I haven't tested this, and it's pretty much from memory, but it should be
roughly what you're looking for. I think.


filter filter-inbound {
    /* Police traffic to address 192.168.1.1 on TCP port 80.
       destination-address/destination-port match only traffic *to* the host;
       plain address/port would also match traffic *from* it. */
    term 1 {
        from {
            destination-address {
                192.168.1.1/32;
            }
            protocol tcp;
            destination-port [ 80 ];
        }
        then {
            policer 1M;
            accept;
        }
    }
    /* Discard all other traffic to 192.168.1.1
       (term names must be unique within a filter; a second "term 1" would
       overwrite the first, so this one is term 2) */
    term 2 {
        from {
            destination-address {
                192.168.1.1/32;
            }
        }
        then {
            discard;
        }
    }
    /* Accept all other traffic (a filter ends with an implicit discard,
       so this term is required) */
    term accept-all {
        then {
            accept;
        }
    }
}

policer 1M {
    if-exceeding {
        bandwidth-limit 1024k;
        burst-size-limit 128k;
    }
    then discard;
}

ge-1/3/0 {
    vlan-tagging;
    unit 100 {
        vlan-id 100;
        family inet {
            filter {
                input filter-inbound;
            }
            address 172.16.1.1/30;
        }
    }
}



Cheers,
Thomas
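An added example (not part of the mailing-list post, and not Junos code) that models how the filter above is evaluated: terms are tried in order, the first match decides, a packet that matches no term hits the implicit discard, and the accept action of term 1 is gated by a token-bucket policer standing in for `policer 1M`. The packets are constructed sample input, and the model takes Junos `k` as 1000 (so `1024k` is 1,024,000 bit/s and `128k` is 128,000 bytes); the `Packet`, `Term`, `evaluate` and `build_filter` names are this example's own.

```python
# Added example (not from the post): a first-match model of the Junos filter
# above, with a token bucket standing in for `policer 1M`. Packets are
# constructed sample input; Junos evaluates real filters in hardware.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional, Set, Tuple


@dataclass
class Packet:
    dst: str      # destination IPv4 address
    proto: str    # "tcp", "udp", "icmp", ...
    dport: int    # destination port (0 for protocols without ports)
    size: int     # bytes on the wire


class TokenBucketPolicer:
    """Single-rate policer: `bandwidth_bps` refills the bucket, `burst_bytes`
    caps it. Junos `k` is taken as 1000 here (assumption of this model)."""

    def __init__(self, bandwidth_bps: int, burst_bytes: int) -> None:
        self.rate = bandwidth_bps / 8.0   # refill in bytes per second
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)  # bucket starts full
        self.last = 0.0

    def conforms(self, size: int, now: float) -> bool:
        """True if the packet fits in the bucket (accepted), False if it is
        exceeding traffic, which the policer's `then discard` drops."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


@dataclass
class Term:
    name: str
    dst_net: Optional[str] = None                    # from { destination-address ... }
    proto: Optional[str] = None                      # from { protocol ... }
    dports: Set[int] = field(default_factory=set)    # from { destination-port ... }; empty = any
    policer: Optional[TokenBucketPolicer] = None     # then { policer ... }
    action: str = "accept"                           # then { accept | discard }

    def matches(self, p: Packet) -> bool:
        if self.dst_net and ip_address(p.dst) not in ip_network(self.dst_net):
            return False
        if self.proto and p.proto != self.proto:
            return False
        if self.dports and p.dport not in self.dports:
            return False
        return True


def evaluate(terms, p: Packet, now: float = 0.0) -> Tuple[str, str]:
    """Junos semantics: terms are tried in order, the first match decides, and
    a packet matching no term hits the implicit discard at the end."""
    for t in terms:
        if t.matches(p):
            if t.action == "accept" and t.policer and not t.policer.conforms(p.size, now):
                return t.name, "discard (policer)"
            return t.name, t.action
    return "implicit", "discard"


def build_filter():
    """Fresh copy of filter-inbound from the post (policer state is per call)."""
    policer_1m = TokenBucketPolicer(bandwidth_bps=1024 * 1000, burst_bytes=128 * 1000)
    return [
        Term("1", dst_net="192.168.1.1/32", proto="tcp", dports={80}, policer=policer_1m),
        Term("2", dst_net="192.168.1.1/32", action="discard"),
        Term("accept-all"),
    ]


def burst_accepted(n: int, size: int, now: float = 0.0) -> int:
    """How many of `n` back-to-back `size`-byte packets to 192.168.1.1:80 get
    through the policer when they all arrive at time `now`."""
    terms = build_filter()
    return sum(1 for _ in range(n)
               if evaluate(terms, Packet("192.168.1.1", "tcp", 80, size), now)[1] == "accept")


if __name__ == "__main__":
    terms = build_filter()
    for pkt in (Packet("192.168.1.1", "tcp", 80, 1500),   # policed, accepted
                Packet("192.168.1.1", "tcp", 22, 60),     # discarded by term 2
                Packet("192.168.1.1", "udp", 53, 80),     # discarded by term 2
                Packet("172.16.1.2", "tcp", 22, 60)):     # accept-all
        print(pkt.dst, pkt.proto, pkt.dport, "->", evaluate(terms, pkt))
    print("1500-byte packets admitted from a full 128k burst:", burst_accepted(200, 1500))
```

Dropping the `accept-all` term (`build_filter()[:2]`) shows why it is needed: traffic to any other address then falls through to the implicit discard. The burst figure also makes the policer parameters concrete: a full 128,000-byte bucket admits 85 back-to-back 1500-byte packets before the policer starts discarding, and at 1,024,000 bit/s the bucket refills completely within one second.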

> 
> I have been working on some filters for our edge router, and could use
> some assistance.  We have a high-risk externally-available resource that
> I'd like to filter outside traffic to, which I have somewhat of a handle
> on, but I'd also like to apply some rate limiting policers to it as
> well.  Does anyone have any resources (besides the Policy Framework
> Configuration Guide, which I've been reading) for writing firewall
> filters and traffic policers?  Examples would be even better.
> 
> What I am trying to do is discard all traffic to a single address,
> except for a small range of tcp ports.  All other traffic traversing the
> filtered interfaces should be allowed to pass uninterrupted.
> 
> Thanks for any help.
> 
> -j
> 
> --
> --Jonathan Disher, Senior Systems and Network Engineer
> --Macrovision Corporation, Santa Clara, CA
> --[w] +1.408.562.8524 | [m] +1.408.829.2956 | [e]
> jdisher at macrovision.com
> 
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp


