[j-nsp] Filters and Logging

info at beprojects.com info at beprojects.com
Fri Feb 25 08:16:00 EST 2005


There has got to be some way to log discarded packets.  C does it, so I 
can't imagine that there isn't some facility in JUNOS to do it.  Anybody 
have any ideas?

Alastair Galloway wrote:
> Hi Peder,
> 
> | -----Original Message-----
> | From: juniper-nsp-bounces at puck.nether.net
> | [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of
> | info at beprojects.com
> |
> | OK, this is going to sound dumb, but I can't figure out where my
> | J2300 is logging denied packets. If I set up a filter with the
> | following:
> |
> | filter SAMPLE {
> | [snip]
> |       term DENYALL {
> |              then {
> |                  count DENYCOUNT;
> |                  log;
> |                  discard;
> |          }
> |       }
> |    }
> |
> | It works the way it should, but I can't find the denied packets. I
> | check "show firewall log" and I see a bunch of packets with A
> | (accept), which I am not logging, but I don't see any denied packets.
> 
> This one caught me out once, until I noticed this line in the documentation:
> 
> ~        discard - The packet is not accepted and is not processed
> ~                  further. Discarded packets cannot be logged or
> ~                  sampled.
> 
> I found it in the JUNOS 6.1 documentation but happily the URL is the
> same for 7.1 - just changing the 6 to a 7 finds it:
> http://www.juniper.net/techpubs/software/junos/junos71/swconfig71-policy/html/firewall-config8.html#1014076 
> 
> 
> 
> Cheers,
> 
> Alastair Galloway
> 

