[j-nsp] Issues with 7.2R1.7 and Firewall Filters

Laura McDonnell lauram at canterbury.ac.uk
Tue Sep 13 12:39:01 EDT 2005


I have applied the firewall to the physical interface:
fe-1/3/0 {
        unit 0 {
            description External_interface;
            family inet {
                filter {
                    input Traffic_Control_IN;
                    output Traffic_Control_OUT;
                }
                address x/30;
            }
        }
}

When I look at the firewall logs I see traffic originating from a source
address of the M7 which is expected but I also see requests from the source
address of router at the other end of the tunnel for GRE traffic on the pfe,
should this be happening?

I.e.
Filter    Action Interface  Protocol Src Addr Dest Addr
pfe       A      fe-1/3/1.0 GRE      x        y
pfe       A      fe-1/3/1.0 GRE      y        x

Thanks,
Laura

-----Original Message-----
From: Rafal Szarecki (WA/EPO) [mailto:rafal.szarecki at ericsson.com] 
Sent: 13 September 2005 17:23
To: Laura McDonnell; juniper-nsp at puck.nether.net
Subject: RE: [j-nsp] Issues with 7.2R1.7 and Firewall Filters

I do not see where the firewall is applied: on gre-1/2/0.0 or on another interface?



> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net 
> [mailto:juniper-nsp-bounces at puck.nether.net]On Behalf Of 
> Laura McDonnell
> Sent: Tuesday, September 13, 2005 11:46 AM
> To: juniper-nsp at puck.nether.net
> Subject: [j-nsp] Issues with 7.2R1.7 and Firewall Filters
> 
> 
> I am currently setting up the configuration for an M7i router and have come
> across some difficulty with the firewall filters for GRE.
> I have configured them similar to Cisco, but when I look at the firewall logs
> I am seeing hits against the inbound filter but none against the outbound
> filter. When I remove the inbound filter all works fine. I am slightly
> confused about the configuration I should be using; currently I have the
> following setup.
> 
> Inbound
> term GRE {
>             from {
>                 source-address {
>                     y/32;
>                 }
>                 destination-address {
>                     x/32;
>                 }
>                 protocol gre;
>             }
>             then {
>                 count GRE;
>                 log;
>                 accept;
>             }
> }
> 
> Outbound
> term GRE {
>             from {
>                 source-address {
>                     x/32;
>                 }
>                 destination-address {
>                     y/32;
>                 }
>                 protocol gre;
>             }
>             then {
>                 count GRE;
>                 log;
>                 accept;
>             }
> }
> 
> interfaces {
>     gr-1/2/0 {
>         unit 0 {
>             description Tunnel;
>             tunnel {
>                 source x;
>                 destination y;
>             }
>             family inet;
>         }
>     }
> }
> 
> Can somebody please confirm my configs are correct and explain why I am not
> able to run the tunnel when I have this configured?
> 
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp
> 
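Added reference example (editor's, not any poster's configuration): the inbound filter from the thread written out in full under the filter name Laura applies on fe-1/3/0, with an explicit last term added. Every Junos firewall filter ends with an implicit discard, so any traffic on the physical interface that is not GRE between x and y (routing protocol adjacencies on that link, for instance) is silently dropped when only the GRE term exists; counting and logging that final term makes those drops visible in `show firewall` and `show firewall log`. The x and y addresses are the thread's placeholders.

```junos
firewall {
    filter Traffic_Control_IN {
        /* GRE from the tunnel peer (y) to the local tunnel source (x) */
        term GRE {
            from {
                source-address {
                    y/32;
                }
                destination-address {
                    x/32;
                }
                protocol gre;
            }
            then {
                count GRE;
                log;
                accept;
            }
        }
        /* Explicit version of the implicit discard that ends every filter.
           Anything the physical interface carries besides the GRE flow
           (routing protocol traffic, management, ICMP) lands here; the
           counter and log show what the implicit discard would otherwise
           drop silently. Add permit terms above this one for such traffic. */
        term OTHER {
            then {
                count OTHER;
                log;
                discard;
            }
        }
    }
}
```

The mirror-image Traffic_Control_OUT filter (source x/32, destination y/32) needs the same explicit last term, since locally originated traffic leaving fe-1/3/0 is subject to the output filter too.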