[j-nsp] firewall filter anomaly in M20
juniper at arnes.si
Wed Sep 7 09:22:37 EDT 2005
Hi, all!
We ran into some weird problems on a Juniper M20 running JUNOS 6.4R3.4 (or 7.1R2.2). It
looks like the firewall filter spontaneously changes its behaviour without any configuration
changes. We observed the following incidents:
1) All telnet sessions from outside world towards local networks were dropped.
JUNOS 6.4-20050107.0
A filter term that denied telnet from source X somehow "changed" to "deny telnet
from any".
Solution: changing the filter and changing it back again to the original state.
2) Suddenly all traffic marked with a specific DSCP value was dropped.
JUNOS 7.1R2.2
We have a term in a firewall filter that counts this kind of traffic. It looks like
"count and accept" changed to "discard".
3) Forwarding through the local GE interface stopped.
JUNOS 7.1R2.2
A firewall filter began to "accept and LOG/syslog" _all_ IP traffic that should have been
silently accepted and forwarded. The system was unreachable via the local GE interface and
the router had to be reloaded.
4) IPv6 firewall filter drops packets from other neighboring routers.
JUNOS 6.R3.4
Some term in the IPv6 firewall filter "decided" to drop packets that were explicitly
allowed in the filter. Normal behaviour was restored when the filter was removed from
the interface and placed back again unchanged.
Has anybody observed similar behaviour?
Any hint or help appreciated,
with best regards,
Matjaz Straus
--
Matjaz Straus, ARNES matjaz.straus at arnes.si
Jamova 39, p.p.7, SI-1001 Ljubljana, Slovenija
tel:+386 1 479-88-00 fax:+386 1 479-88-99
http://www.arnes.si/
PGP public key at: http://www.arnes.si/~matjaz/