[j-nsp] Filters
Alexander Arsenyev (GU/ETL)
alexander.arsenyev at ericsson.com
Thu Jul 14 12:31:37 EDT 2005
Andy,
I did not say that rewrite rules shall be applied to the logical interface itself. All I'm trying to say is that
firewall filters and rewrite-rules shall be defined and applied separately in their respective places (see URLs below for
more information).
HTH,
Cheers
Alexander
-----Original Message-----
From: andy [mailto:andy at shady.org]
Sent: 14 July 2005 17:27
To: Alexander Arsenyev (GU/ETL)
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] Filters
Hi Alex,
I think this is exactly what we are looking for.
Currently we apply rewrite rules on the family <family name>.
This is kinda done like so:
family inet {
no-redirects;
filter {
output TOSRewrite;
}
with the filter as follows:
filter TOSRewrite {
term 10 {
from {
destination-address {
x.x.x.x/32;
etc etc.
Your saying its preferable to add any rewrite rules to the logical interface itself.
Sounds sensible to me, Ill have a play and see what I can cobble together.
Thanks all for your comments and help btw-.
On Thu, Jul 14, 2005 at 05:59:17PM +0200, Alexander Arsenyev (GU/ETL) wrote:
> Hello Andy,
>
> The protection filters are configured under [edit firewall] and applied under [edit interfaces <interface-name> unit <unit-number> family <family name> ]
> http://www.juniper.net/techpubs/software/junos/junos72/swconfig72-policy/html/firewall-config29.html#1027001
> The rewrite-rules are configured under {edit class-of-service] and applied under [edit class-of-service interfaces interface-name unit logical-unit-number]
> http://www.juniper.net/techpubs/software/junos/junos72/swconfig72-interfaces/html/cos-config29.html#1015195
> So there are 2 distinct places to define what You are going to do: one to specify firewall filters and second to specify rewrite rules. Likewise, there are 2 places to actually do things: one to do firewall filtering and another to do DSCP/IPPREC/EXP rewriting.
> Is that what You are looking for?
> HTH,
> Cheers
> Alex
>
>
> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net
> [mailto:juniper-nsp-bounces at puck.nether.net]On Behalf Of andy
> Sent: 14 July 2005 12:55
> To: juniper-nsp at puck.nether.net
> Subject: [j-nsp] Filters
>
>
> Hi,
>
> Just a quick question. Is it possible to apply multiple filters to an interface?
> We dont want to combine several filters into one filter and apply that to an interface.
>
> For example, we have TOS rewrite filters and "protection filters" that block traffic.
> We would like to be able to apply the rewrite filters and the protection filters to the same interface without combining the filters and making one
> large filter.
>
> Is this possible? If so, does anyone have an example of an interface running multiple filters?
>
> Thanks
>
> --
> andy andy at shady.org
> -----------------------------------------------
> Never argue with an idiot. They drag you down
> to their level, then beat you with experience.
> http://shady.org/~tlabs/
> -----------------------------------------------
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp
--
andy andy at shady.org
-----------------------------------------------
Never argue with an idiot. They drag you down
to their level, then beat you with experience.
http://shady.org/~tlabs/
-----------------------------------------------
More information about the juniper-nsp
mailing list