[j-nsp] Filtering and policer examples
Daniel Verlouw
daniel at eu.tachyon.net
Thu Dec 29 03:51:11 EST 2005
I'd change "port" in your first term to "destination-port", otherwise
it matches the source OR destination TCP port. In your current
example, if an attacker picks source port 80, he can quite easily
bypass your filter (still rate limited though).
Same applies to "address" - change it to "destination-address".
It's also mentioned in the docs somewhere that using "address" and
"port" can create problems in certain cases with the parallel
processing of the terms.
-Daniel.
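An added example, not part of the thread: a small Python model of Junos firewall-filter term evaluation (first matching term wins, conditions within a term are AND-ed, `port` and `address` match either direction while `destination-port` and `destination-address` match only the destination), run over constructed packets to show the point Daniel makes. With Thomas's filter as posted, a TCP connection to port 22 sent from source port 80 hits the policed accept term; with the corrected keywords it falls through to the discard term. Term names, the packet values and the `"then"` strings are assumptions made for the model.

```python
import ipaddress
# Added model of Junos filter-term matching (not Junos code); packets and
# term names below are constructed for illustration.
def _in_any(addr, prefixes):
    return any(ipaddress.ip_address(addr) in ipaddress.ip_network(p) for p in prefixes)

def _match(conds, pkt):
    """All 'from' conditions must hold; values inside one list are OR-ed."""
    for key, want in conds.items():
        if key == "protocol":
            ok = pkt["protocol"] in want
        elif key == "port":                 # Junos: source OR destination port
            ok = pkt["sport"] in want or pkt["dport"] in want
        elif key == "destination-port":
            ok = pkt["dport"] in want
        elif key == "address":              # Junos: source OR destination address
            ok = _in_any(pkt["src"], want) or _in_any(pkt["dst"], want)
        elif key == "destination-address":
            ok = _in_any(pkt["dst"], want)
        else:
            raise ValueError(f"unsupported match keyword: {key}")
        if not ok:
            return False
    return True

def evaluate(terms, pkt):
    """First matching term wins; a filter with no matching term discards."""
    for name, term in terms:
        if _match(term.get("from", {}), pkt):
            return name, term["then"]
    return "implicit", "discard"
TARGET = ["192.168.1.1/32"]
# Thomas's filter as posted: "address" and "port" are direction-agnostic.
AS_POSTED = [
    ("police-80", {"from": {"address": TARGET, "protocol": ["tcp"], "port": [80]},
                   "then": "policer 1M; accept"}),
    ("drop-rest", {"from": {"address": TARGET}, "then": "discard"}),
    ("accept-all", {"then": "accept"}),
]
# The same filter with Daniel's correction applied.
CORRECTED = [
    ("police-80", {"from": {"destination-address": TARGET, "protocol": ["tcp"],
                            "destination-port": [80]}, "then": "policer 1M; accept"}),
    ("drop-rest", {"from": {"destination-address": TARGET}, "then": "discard"}),
    ("accept-all", {"then": "accept"}),
]
# Constructed packets: ordinary web traffic, and SSH to the host sent from source port 80.
WEB = {"src": "203.0.113.7", "dst": "192.168.1.1", "protocol": "tcp", "sport": 51000, "dport": 80}
SSH_FROM_80 = {"src": "203.0.113.7", "dst": "192.168.1.1", "protocol": "tcp", "sport": 80, "dport": 22}
```

Daniel's aside that the bypassed traffic is "still rate limited" is visible in the model too: the as-posted filter returns the policer action, not plain accept, for the port-22 packet.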
On 29 Dec 2005, at 02:59, Thomas Salmen wrote:
>
> I haven't tested this, and it's pretty much from memory, but it should be
> roughly what you're looking for. I think.
>
>
> filter filter-inbound {
>     /* Police traffic to address 192.168.1.1 on port 80 */
>     term 1 {
>         from {
>             address {
>                 192.168.1.1/32;
>             }
>             protocol tcp;
>             port [ 80 ];
>         }
>         then {
>             policer 1M;
>             accept;
>         }
>     }
>     /* Discard all other traffic to 192.168.1.1 */
>     term 2 {
>         from {
>             address {
>                 192.168.1.1/32;
>             }
>         }
>         then {
>             discard;
>         }
>     }
>     /* Accept all other traffic */
>     term accept-all {
>         then {
>             accept;
>         }
>     }
> }
>
> policer 1M {
>     if-exceeding {
>         bandwidth-limit 1024k;
>         burst-size-limit 128k;
>     }
>     then discard;
> }
>
> ge-1/3/0 {
>     vlan-tagging;
>     unit 100 {
>         vlan-id 100;
>         family inet {
>             filter {
>                 input filter-inbound;
>             }
>             address 172.16.1.1/30;
>         }
>     }
> }
>
>
>
> Cheers,
> Thomas
>
>>
>> I have been working on some filters for our edge router, and could use
>> some assistance. We have a high-risk externally-available resource that
>> I'd like to filter outside traffic to, which I have somewhat of a handle
>> on, but I'd also like to apply some rate limiting policers to it as
>> well. Does anyone have any resources (besides the Policy Framework
>> Configuration Guide, which I've been reading) for writing firewall
>> filters and traffic policers? Examples would be even better.
>>
>> What I am trying to do is discard all traffic to a single address,
>> except for a small range of tcp ports. All other traffic traversing the
>> filtered interfaces should be allowed to pass uninterrupted.
>>
>> Thanks for any help.
>>
>> -j
>>
>> --
>> --Jonathan Disher, Senior Systems and Network Engineer
>> --Macrovision Corporation, Santa Clara, CA
>> --[w] +1.408.562.8524 | [m] +1.408.829.2956 | [e] jdisher at macrovision.com
>>
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> http://puck.nether.net/mailman/listinfo/juniper-nsp