[j-nsp] Filters and Logging
info at beprojects.com
Fri Feb 25 08:16:00 EST 2005
There has got to be some way to log discarded packets. C does it, so I
can't imagine that there isn't some facility in JUNOS to do it. Anybody
have any ideas?
Alastair Galloway wrote:
> Hi Peder,
>
> | -----Original Message-----
> | From: juniper-nsp-bounces at puck.nether.net
> | [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of
> | info at beprojects.com
> |
> | OK, this is going to sound dumb, but I can't figure out where my
> | J2300 is logging denied packets. If I set up a filter with the
> | following:
> |
> | filter SAMPLE {
> |     [snip]
> |     term DENYALL {
> |         then {
> |             count DENYCOUNT;
> |             log;
> |             discard;
> |         }
> |     }
> | }
> |
> | It works the way it should, but I can't find the denied packets. I
> | check "show firewall log" and I see a bunch of packets with A
> | (accept), which I am not logging, but I don't see any denied packets.
>
> This one caught me out once, until I noticed this line in the documentation:
>
>   discard - The packet is not accepted and is not processed
>             further. Discarded packets cannot be logged or
>             sampled.
>
> I found it in the JUNOS 6.1 documentation but happily the URL is the
> same for 7.1 - just changing the 6 to a 7 finds it:
> http://www.juniper.net/techpubs/software/junos/junos71/swconfig71-policy/html/firewall-config8.html#1014076
>
> Cheers,
>
> Alastair Galloway