[j-nsp] SCU limitation ?

Thomas Mangin thomas.mangin at exa-networks.co.uk
Wed Nov 8 19:15:12 EST 2006


Hi,

I would like to redirect traffic based on source IP address using two
communities, one to specify what kind of traffic should be intercepted
and another to say where it should go.

To create a filter that matches both, I need to have two source-classes
matched in the filter statement, and I am not sure if it is possible.

Thank you for your time.

(The configuration would look like this - untested, pure theory.)

forwarding-table {
  export scu;
}

groups {
  intercepted-interface {
    interfaces {
      <*> {
        unit <*> {
          family inet {
            filter {
              input internal-intercept;
            }
          }
        }
      }
    }
  }
}

policy-options {
  community intercept-mail members 30740:1;
  community intercept-web members 30740:2;
  community redirect-wallgarden members 30740:11;
  community redirect-proxy members 30740:12;

  policy-statement scu {
    term is-intercepted-mail {
      from {
        community intercept-mail;
      }
      then source-class intercepted-mail;
    }
    term is-intercepted-web {
      from {
        community intercept-web;
      }
      then source-class intercepted-web;
    }
    term is-for-wallgarden {
      from {
        community redirect-wallgarden;
      }
      then source-class redirected-wallgarden;
    }
    term is-for-proxy {
      from {
        community redirect-proxy;
      }
      then source-class redirected-proxy;
    }
  }
}


firewall {
  filter internal-intercept {
    term for-web-proxy {
      from {
        source-class intercepted-web;
        /* and source-class redirected-proxy */
        destination-port [ 80 3128 ];
      }
      then {
        routing-instance to-proxy;
        count intercepted-web;
      }
    }
    term for-mail-wallgarden {
      from {
        source-class intercepted-mail;
        /* and source-class redirected-wallgarden */
        destination-port 25;
      }
      then {
        routing-instance to-rblsmtp;
        count intercepted-mail;
      }
    }
    term for-web-wallgarden {
      from {
        source-class intercepted-web;
        /* and source-class redirected-wallgarden */
        destination-port [ 80 3128 ];
      }
      then {
        routing-instance to-proxy;
        count intercepted-web;
      }
    }
    term default {
      then {
        accept;
      }
    }
  }
}

routing-instances {
  to-proxy {
    instance-type forwarding;
    routing-options {
       static {
         route 0.0.0.0/0 next-hop 1.2.3.4;
       }
    }
  }
  to-rblsmtp {
    instance-type forwarding;
    routing-options {
       static {
         route 0.0.0.0/0 next-hop 2.3.4.5;
       }
    }
  }
  to-wallgarden {
    instance-type forwarding;
    routing-options {
       static {
         route 0.0.0.0/0 next-hop 3.4.5.6;
       }
    }
  }
}

The firewall may need some 'accept' at the end of each term - and much
more :)

I cannot see any way around it, as it seems I cannot create one filter
from another like you can with a policy-statement (not tested either,
just here to try to be clear - which I am bad at ...).

  policy-statement not-intercepted-web {
    term source {
      from {
        source-class intercepted-web;
      }
      then {
        reject;
      }
    }
    term default {
      then accept;
    }
  }

  policy-statement not-redirected-wallgarden {
    term destination {
      from {
        source-class redirected-wallgarden;
      }
      then {
        reject;
      }
    }
    term default {
      then accept;
    }
  }

  policy-statement web-to-wallgarden {
    term source {
      from {
        policy not-intercepted-web;
      }
      then {
        reject;
      }
    }
    term destination {
      from {
        policy not-redirected-wallgarden;
      }
      then {
        reject;
      }
    }
    term default {
      then accept;
    }
  }

Thomas
-- 
Thomas Mangin
Exa Networks - AS30740

Office #  : +448451451234           Inoc-DBA #  : 30740*TOM
website   : www.exa-networks.co.uk  nic-handle  : MANG-RIPE
PGP key   : /pgp.html               GPG key ID  : 0xFB8B81A1
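Added model of the design above (not the original post's configuration, and not Junos itself): it assumes a route can carry only a single source class, so the two community dimensions of the post (what to intercept, where to send it) are folded into one combined class name per route, and the filter terms then match on that single class. The prefixes, the `to-wallgarden` mapping for the web/wallgarden term and the class-naming scheme are this example's assumptions.

```python
# Model of combined source classes for the SCU-based redirect design.
# Assumption: one source class per route, so the pair (intercept kind,
# redirect target) becomes one class name such as "web-proxy".
from ipaddress import ip_address, ip_network

INTERCEPT = {"30740:1": "mail", "30740:2": "web"}           # intercept-* communities
REDIRECT = {"30740:11": "wallgarden", "30740:12": "proxy"}  # redirect-* communities

def source_class(communities):
    """Return one combined class name (e.g. 'web-proxy'), or None if the
    route is unmarked or marked ambiguously in either dimension."""
    kinds = [INTERCEPT[c] for c in communities if c in INTERCEPT]
    dests = [REDIRECT[c] for c in communities if c in REDIRECT]
    if len(kinds) != 1 or len(dests) != 1:
        return None
    return f"{kinds[0]}-{dests[0]}"

# Filter terms: (combined source class, destination ports) -> routing instance
FILTER_TERMS = [
    ("web-proxy", {80, 3128}, "to-proxy"),
    ("mail-wallgarden", {25}, "to-rblsmtp"),
    ("web-wallgarden", {80, 3128}, "to-wallgarden"),  # assumed instance
]

def classify(routes, src_ip):
    """Longest-prefix match of src_ip against the route table; returns the
    combined source class of the best route, or None."""
    best = None
    for prefix, comms in routes.items():
        net = ip_network(prefix)
        if ip_address(src_ip) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, source_class(comms))
    return best[1] if best else None

def forward(routes, src_ip, dport):
    """Evaluate the filter terms in order; 'default' means plain accept."""
    cls = classify(routes, src_ip)
    for term_cls, ports, instance in FILTER_TERMS:
        if cls == term_cls and dport in ports:
            return instance
    return "default"

# Constructed sample routes (documentation prefixes, not real customers).
ROUTES = {
    "192.0.2.0/24": ["30740:2", "30740:12"],     # web  -> proxy
    "198.51.100.0/24": ["30740:1", "30740:11"],  # mail -> wallgarden
    "203.0.113.0/24": ["30740:2", "30740:11"],   # web  -> wallgarden
}
```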
