[j-nsp] Filters

Alexander Arsenyev (GU/ETL) alexander.arsenyev at ericsson.com
Thu Jul 14 12:31:37 EDT 2005


Andy,

I did not say that rewrite rules shall be applied to the logical interface itself. All I'm trying to say is that
firewall filters and rewrite-rules shall be defined and applied separately in their respective places (see URLs below for
more information).
HTH,
Cheers
Alexander

-----Original Message-----
From: andy [mailto:andy at shady.org]
Sent: 14 July 2005 17:27
To: Alexander Arsenyev (GU/ETL)
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] Filters


Hi Alex,

I think this is exactly what we are looking for.
Currently we apply rewrite rules on the family <family name>.
This is kinda done like so:

           family inet {
                no-redirects;
                filter {
                    output TOSRewrite;
                }


with the filter as follows:

    filter TOSRewrite {
        term 10 {
            from {
                destination-address {
                    x.x.x.x/32;


etc etc.

You're saying it's preferable to add any rewrite rules to the logical interface itself.
Sounds sensible to me, I'll have a play and see what I can cobble together.

Thanks all for your comments and help btw.

 

On Thu, Jul 14, 2005 at 05:59:17PM +0200, Alexander Arsenyev (GU/ETL) wrote:
> Hello Andy,
> 
> The protection filters are configured under [edit firewall] and applied under [edit interfaces <interface-name> unit <unit-number> family <family name> ] 
> http://www.juniper.net/techpubs/software/junos/junos72/swconfig72-policy/html/firewall-config29.html#1027001
> The rewrite-rules are configured under [edit class-of-service] and applied under [edit class-of-service interfaces interface-name unit logical-unit-number] 
> http://www.juniper.net/techpubs/software/junos/junos72/swconfig72-interfaces/html/cos-config29.html#1015195
> So there are 2 distinct places to define what You are going to do: one to specify firewall filters and second to specify rewrite rules. Likewise, there are 2 places to actually do things: one to do firewall filtering and another to do DSCP/IPPREC/EXP rewriting. 
> Is that what You are looking for?
> HTH,
> Cheers
> Alex
> 
> 
> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net
> [mailto:juniper-nsp-bounces at puck.nether.net]On Behalf Of andy
> Sent: 14 July 2005 12:55
> To: juniper-nsp at puck.nether.net
> Subject: [j-nsp] Filters
> 
> 
> Hi,
> 
> Just a quick question. Is it possible to apply multiple filters to an interface?
> We don't want to combine several filters into one filter and apply that to an interface.
> 
> For example, we have TOS rewrite filters and "protection filters" that block traffic.
> We would like to be able to apply the rewrite filters and the protection filters to the same interface without combining the filters and making one 
> large filter.
> 
> Is this possible? If so, does anyone have an example of an interface running multiple filters?
> 
> Thanks
> 
> -- 
> andy    andy at shady.org
> -----------------------------------------------
> Never argue with an idiot. They drag you down 
> to their level, then beat you with experience.
> http://shady.org/~tlabs/
> ----------------------------------------------- 
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp

-- 
andy    andy at shady.org
-----------------------------------------------
Never argue with an idiot. They drag you down 
to their level, then beat you with experience.
http://shady.org/~tlabs/
----------------------------------------------- 
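
The separation described in this thread, as an added configuration sketch that is not part of the original messages: the protection filter lives under [edit firewall] and is applied under the interface's family, while the rewrite rule lives under [edit class-of-service] and is applied under the class-of-service interface stanza. The interface name ge-0/0/0, the names PROTECT and REWRITE-DSCP, the 192.0.2.0/24 prefix and the code point are constructed placeholders.

```junos
/* 1. Define the protection filter: drop the unwanted source, accept the rest. */
firewall {
    filter PROTECT {
        term block-bad-source {
            from {
                source-address {
                    192.0.2.0/24;
                }
            }
            then discard;
        }
        term allow-rest {
            then accept;
        }
    }
}
/* 2. Apply the protection filter on the logical interface, per family. */
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT;
                }
            }
        }
    }
}
class-of-service {
    /* 3. Define the rewrite rule: map forwarding class and loss priority to a DSCP value. */
    rewrite-rules {
        dscp REWRITE-DSCP {
            forwarding-class best-effort {
                loss-priority low code-point 000000;
            }
        }
    }
    /* 4. Apply the rewrite rule to the same logical unit, separately from the filter. */
    interfaces {
        ge-0/0/0 {
            unit 0 {
                rewrite-rules {
                    dscp REWRITE-DSCP;
                }
            }
        }
    }
}
```

Keeping marking out of the firewall filter means the blocking policy can be audited and changed without touching the rewrite configuration on the same unit.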


