[j-nsp] Filtering and policer examples

Wayne.Kampjes at alcatel.co.nz Wayne.Kampjes at alcatel.co.nz
Wed Dec 28 21:42:43 EST 2005


You need something like:

filter filter-inbound {
    /* Police traffic to address 192.168.1.1 on port 80 */
    term match-accept {
        from {
            destination-address {
                192.168.1.1/32;
            }
            /* may need UDP also */
            protocol tcp;
            /* whatever; destination-port, not port: port also matches the source port */
            destination-port [ 80 83 256 ];
        }
        then {
            policer 1M;
            accept;
        }
    }
    /* Discard all other traffic to 192.168.1.1 */
    term match-discard {
        from {
            destination-address {
                192.168.1.1/32;
            }
        }
        then {
            discard;
        }
    }
    /* etc: remaining terms; without an accept term, traffic not matched above hits the filter's implicit discard */
}
The burst-size-limit may need to be a little larger (bandwidth/5) to be 
TCP friendly.

apply this to input or output on the interface depending on direction of 
flow.

Cheers
Wayne





"Thomas Salmen" <tsalmen at orcon.net.nz>
Sent by: juniper-nsp-bounces at puck.nether.net
29/12/2005 02:59 PM
 
        To:     "'Jonathan Disher'" <jdisher at macrovision.com>, 
<juniper-nsp at puck.nether.net>
        cc: 
        Subject:        RE: [j-nsp] Filtering and policer examples



I haven't tested this, and it's pretty much from memory, but it should be
roughly what you're looking for. I think.


/* Filter and policer live under [edit firewall] */
firewall {
    filter filter-inbound {
        /* Police traffic to address 192.168.1.1 on port 80 */
        term police-web {
            from {
                /* destination-address, not address: address matches source or destination */
                destination-address {
                    192.168.1.1/32;
                }
                protocol tcp;
                /* destination-port, not port: port matches either end of the connection */
                destination-port 80;
            }
            then {
                policer 1M;
                accept;
            }
        }
        /* Discard all other traffic to 192.168.1.1 (term names must be unique) */
        term discard-rest {
            from {
                destination-address {
                    192.168.1.1/32;
                }
            }
            then {
                discard;
            }
        }
        /* Accept all other traffic (otherwise it hits the filter's implicit discard) */
        term accept-all {
            then {
                accept;
            }
        }
    }

    /* bandwidth-limit is bits per second, burst-size-limit is bytes */
    policer 1M {
        if-exceeding {
            bandwidth-limit 1024k;
            burst-size-limit 128k;
        }
        then discard;
    }
}

/* Apply the filter under [edit interfaces] in the direction the traffic flows */
interfaces {
    ge-1/3/0 {
        vlan-tagging;
        unit 100 {
            vlan-id 100;
            family inet {
                filter {
                    input filter-inbound;
                }
                address 172.16.1.1/30;
            }
        }
    }
}



Cheers,
Thomas
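As an added illustration of what the two replies above are configuring (this is an editor's example, not code from Wayne, Thomas or Juniper), here is a small Python model of how a Junos filter with a policer evaluates packets: first-match term ordering with the implicit discard at the end of the filter, the difference between the `port` and `destination-port` match conditions, and the token bucket behind `bandwidth-limit` (bits per second) and `burst-size-limit` (bytes). The policer numbers are Thomas's, the port list is Wayne's; the packets, host addresses and function names are constructed, and the model ignores real-platform details such as policer granularity.

```python
"""Toy model of a Junos firewall filter plus policer (added example, not Junos
code). Packets, addresses and helper names are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Packet:
    dst: str
    proto: str
    sport: int
    dport: int
    length: int   # bytes
    t: float      # arrival time, seconds


class Policer:
    """Single-rate token bucket approximating `policer 1M` from the thread:
    the bucket holds burst_size bytes and refills at bandwidth_limit bits/s."""

    def __init__(self, bandwidth_limit: int, burst_size: int):
        self.bandwidth_limit = bandwidth_limit
        self.burst_size = burst_size
        self.tokens = float(burst_size)
        self.last = 0.0

    def conforms(self, pkt: Packet) -> bool:
        refill = (pkt.t - self.last) * self.bandwidth_limit / 8  # bytes
        self.tokens = min(float(self.burst_size), self.tokens + refill)
        self.last = pkt.t
        if pkt.length <= self.tokens:
            self.tokens -= pkt.length
            return True
        return False  # out of profile: the thread's policer says `then discard`


@dataclass
class Term:
    name: str
    match: Callable[[Packet], bool]
    action: str                     # "accept" or "discard"
    policer: Optional[Policer] = None


def evaluate(terms: List[Term], pkt: Packet) -> Tuple[str, str]:
    """First matching term wins; no match means the implicit discard."""
    for term in terms:
        if term.match(pkt):
            if term.action == "accept" and term.policer is not None \
                    and not term.policer.conforms(pkt):
                return term.name, "discard"
            return term.name, term.action
    return "(implicit)", "discard"


TARGET = "192.168.1.1"             # the protected host from the thread
ALLOWED_TCP_PORTS = {80, 83, 256}   # Wayne's example port list


def build_filter(strict_dest_port: bool, policer: Policer) -> List[Term]:
    """Model of filter-inbound. strict_dest_port=False mimics `port [ ... ]`,
    which matches source *or* destination port; True mimics `destination-port`."""
    def web(p: Packet) -> bool:
        ports = {p.dport} if strict_dest_port else {p.sport, p.dport}
        return p.dst == TARGET and p.proto == "tcp" and bool(ports & ALLOWED_TCP_PORTS)

    return [
        Term("match-accept", web, "accept", policer),
        Term("match-discard", lambda p: p.dst == TARGET, "discard"),
        Term("accept-all", lambda p: True, "accept"),
    ]


def port_bypass() -> Tuple[Tuple[str, str], Tuple[str, str]]:
    """Probe with *source* port 80 aimed at ssh on the target: the `port` form
    lets it into the policed accept term, `destination-port` sends it to discard."""
    pkt = Packet(TARGET, "tcp", sport=80, dport=22, length=60, t=0.0)
    loose = evaluate(build_filter(False, Policer(1_024_000, 128_000)), pkt)
    strict = evaluate(build_filter(True, Policer(1_024_000, 128_000)), pkt)
    return loose, strict


def burst_then_refill() -> Tuple[int, bool]:
    """100 full-size web packets at t=0 (no refill time): only burst_size // 1500
    conform. One second later the bucket has refilled and a packet passes again."""
    policer = Policer(bandwidth_limit=1_024_000, burst_size=128_000)
    terms = build_filter(True, policer)
    burst = [evaluate(terms, Packet(TARGET, "tcp", 40000, 80, 1500, 0.0))
             for _ in range(100)]
    accepted = sum(1 for _, action in burst if action == "accept")
    later = evaluate(terms, Packet(TARGET, "tcp", 40000, 80, 1500, 1.0))
    return accepted, later[1] == "accept"


def other_traffic() -> Tuple[str, str]:
    """UDP to port 80 on the target is not TCP, so it reaches the discard term;
    traffic to any other host reaches accept-all."""
    terms = build_filter(True, Policer(1_024_000, 128_000))
    udp = evaluate(terms, Packet(TARGET, "udp", 5000, 80, 100, 0.0))
    other = evaluate(terms, Packet("172.16.1.2", "tcp", 5000, 22, 100, 0.0))
    return udp[0], other[0]


if __name__ == "__main__":
    print("source-port-80 probe (port vs destination-port):", port_bypass())
    print("burst accepted, refilled after 1 s:", burst_then_refill())
    print("udp-to-80 term, other-host term:", other_traffic())
```

The first case is the one worth checking on a real box with `show firewall filter filter-inbound` counters: a `port` match on a filter meant to protect a single destination lets anything with a permitted *source* port reach every other port on that host. The burst case shows why `burst-size-limit` is sized in bytes rather than time: 128k bytes admits 85 back-to-back 1500-byte packets before the policer starts discarding, regardless of `bandwidth-limit`.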

> 
> I have been working on some filters for our edge router, and could use
> some assistance.  We have a high-risk externally-available resource that
> I'd like to filter outside traffic to, which I have somewhat of a handle
> on, but I'd also like to apply some rate limiting policers to it as
> well.  Does anyone have any resources (besides the Policy Framework
> Configuration Guide, which I've been reading) for writing firewall
> filters and traffic policers?  Examples would be even better.
> 
> What I am trying to do is discard all traffic to a single address,
> except for a small range of tcp ports.  All other traffic traversing the
> filtered interfaces should be allowed to pass uninterrupted.
> 
> Thanks for any help.
> 
> -j
> 
> --
> --Jonathan Disher, Senior Systems and Network Engineer
> --Macrovision Corporation, Santa Clara, CA
> --[w] +1.408.562.8524 | [m] +1.408.829.2956 | [e]
> jdisher at macrovision.com
> 
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp
