[j-nsp] juniper-nsp Digest, Vol 55, Issue 33

Michael Dupuis mdupuis at nortel.com
Wed Jun 27 16:42:13 EDT 2007


 consider using another term...

term allow-established {
    from {
        tcp-established;
    }
    then accept;
}

-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of David Ball
Sent: Wednesday, June 27, 2007 3:42 PM
To: Kanagaraj Krishna
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] juniper-nsp Digest, Vol 55, Issue 33

   It very likely IS allowing OUTgoing telnet, even without the
adjustment in your filter.  The problem is, it's not allowing the
response from the (assumed) web server in the INbound direction, hence
your need for the allowance in your input filter.

David


On 6/27/07, Kanagaraj Krishna <kanagaraj at aims.com.my> wrote:
> Hi,
>    I've applied an input filter (hardening) to protect the routing
> engine of an m7i by applying it on the loopback IP. Refer to the
> config below. The issue is that we can't telnet to port 80 on any
> external IP from the box itself. Obviously I've not allowed access to
> port 80 on my box in the input filter, but why would it affect the
> outgoing telnet? I tried allowing port 80 access on the input filter
> and after that the outgoing telnet works. Anyone facing the same
> issue?
>
> Regards,
> Kana
>
>
> lo0 {
>         unit 0 {
>             family inet {
>                 filter {
>                     input protect-RE;
>                 }
>                 address xxx.xxx.xxx.xxx/32;
>             }
>         }
>     }
>
> firewall {
>      filter protect-RE {
> ---config omitted----
>
>          term telnet {
>             from {
>                 protocol tcp;
>                 port telnet;
>             }
>             then {
>                 policer telnet-policer;
>                 accept;
>             }
>          }
>
> ---config omitted----
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
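The thread's point is that a Junos firewall filter on lo0 is stateless: the input filter sees the web server's reply (source port 80, ACK set) as a fresh inbound packet and drops it unless some term accepts it, which is why a `tcp-established` term fixes the RE-originated connection. The following is an added example (not code from either poster and not Junos itself) that models that first-match, implicit-discard evaluation in Python so the behaviour can be checked offline. The `Term` and `Packet` types, the port numbers and the packets are all constructed for the illustration; `port` follows the Junos convention of matching either the source or the destination port, and `tcp-established` follows the documented meaning of "ACK or RST bit set". The last packet shows the caveat a practitioner should keep in mind: `tcp-established` only inspects flag bits, so it also accepts any unsolicited segment that carries ACK, which is why such a term is usually combined with prefix or destination-port constraints rather than used on its own.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# TCP flag bits (constructed constants for the model)
SYN = 0x02
RST = 0x04
ACK = 0x10


@dataclass
class Packet:
    """A minimal packet as seen by an input filter on lo0 (constructed)."""
    proto: str
    src_port: int
    dst_port: int
    flags: int = 0


@dataclass
class Term:
    """One filter term: all present match conditions must hold (constructed model)."""
    name: str
    action: str                      # "accept" or "discard"
    protocol: Optional[str] = None
    port: Optional[int] = None       # Junos 'port': matches source OR destination port
    tcp_established: bool = False    # Junos 'tcp-established': ACK or RST bit set

    def matches(self, pkt: Packet) -> bool:
        if self.protocol is not None and pkt.proto != self.protocol:
            return False
        if self.port is not None and self.port not in (pkt.src_port, pkt.dst_port):
            return False
        if self.tcp_established:
            if pkt.proto != "tcp" or not (pkt.flags & (ACK | RST)):
                return False
        return True


def evaluate(terms: List[Term], pkt: Packet) -> Tuple[str, str]:
    """First matching term wins; a filter with no matching term discards (Junos default)."""
    for term in terms:
        if term.matches(pkt):
            return term.name, term.action
    return "implicit", "discard"


# The poster's filter, reduced to the term shown in the thread.
PROTECT_RE_ORIGINAL: List[Term] = [
    Term("telnet", "accept", protocol="tcp", port=23),
]

# The same filter with the suggested allow-established term placed first.
PROTECT_RE_FIXED: List[Term] = [
    Term("allow-established", "accept", tcp_established=True),
] + PROTECT_RE_ORIGINAL

# Constructed sample packets.
INBOUND_TELNET_SYN = Packet("tcp", src_port=51000, dst_port=23, flags=SYN)
# Reply from an external web server to a connection the RE opened to port 80.
RETURN_FROM_WEB = Packet("tcp", src_port=80, dst_port=60000, flags=SYN | ACK)
# Unsolicited segment with ACK set: the caveat of flag-only matching.
UNSOLICITED_ACK = Packet("tcp", src_port=40000, dst_port=22, flags=ACK)


def run_demo() -> dict:
    """Evaluate each sample packet against both filters."""
    results = {}
    for label, terms in (("original", PROTECT_RE_ORIGINAL), ("fixed", PROTECT_RE_FIXED)):
        for pname, pkt in (("telnet_syn", INBOUND_TELNET_SYN),
                           ("web_reply", RETURN_FROM_WEB),
                           ("ack_probe", UNSOLICITED_ACK)):
            results[(label, pname)] = evaluate(terms, pkt)
    return results


if __name__ == "__main__":
    for key, (term, action) in run_demo().items():
        print(f"{key[0]:8s} {key[1]:10s} -> {term}: {action}")
```

Running the block shows the web reply hitting the implicit discard under the original filter and the `allow-established` term under the fixed one, and it also shows the ACK-only probe being accepted by the fixed filter, which is the trade-off the stateless approach carries.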