[j-nsp] Using routing policy in firewall filters

David Ball davidtball at gmail.com
Fri Jul 11 13:14:17 EDT 2008


  I'm worried more about people on the internet spoofing my customer
space INbound into our network.  We have multihomed customers whose
space would need to be allowed to be sourced from the internet, but
most of our customers space should only be sourced from inside our
network.

David


On 11/07/2008, Eugeniu Patrascu <eugen at imacandi.net> wrote:
> David Ball wrote:
>>   Hey folks.  They say the definition of insanity is repeating the
>> same thing over and over and expecting different results, and again I
>> found myself trying to use routing policy in a firewall filter,
>> unsuccessfully.
>>   We have 4 upstream ISPs, 2 on 1 router and 2 on another.  Until now
>> we've had to maintain large prefix-lists including all customer blocks
>> on both routers such that they can be applied to firewall filters to
>> perform anti-spoofing.  I'm trying to find a way to simplify this,
>> such that if my provisioning guys add a new customer who has their own
>> block, the anti-spoofing rules filtering inbound internet traffic will
>> allow it.
>>   What are other folks doing?  Prefix-list maintenance is the only way?
>> I get the feeling this question has been asked before, but I
>> couldn't find it.
>>
> Isn't it enough for you to enable unicast reverse path verify on the
> routers so that clients can't spoof packets?
>
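
As an added example, not configuration posted by anyone in this thread, here is one way to get what the original question asks for in Junos: the firewall filter cannot reference a routing policy, but a prefix-list can be populated with `apply-path` from the static routes provisioning already configures, so a newly added customer block is picked up by the inbound anti-spoofing filter without anyone touching a hand-maintained list. The multihomed exception list stays manual, and strict `rpf-check` on the customer-facing side covers the case the uRPF suggestion addresses. Interface names, addresses, prefixes and filter names are all assumptions.

```junos
/* Assumed, illustrative addressing: 198.51.100.0/24 and 198.51.101.0/24 are
   customer blocks that must only be sourced from inside the network;
   192.0.2.0/24 is a multihomed customer whose prefix may legitimately
   arrive from an upstream. */
policy-options {
    /* Built automatically from every static route destination; no
       hand-maintained list. Only blocks present as static routes are
       captured, so customer prefixes learned over BGP are not covered
       by this list and still need another mechanism. */
    prefix-list customer-blocks {
        apply-path "routing-options static route <*>";
    }
    /* The (short) exception list still has to be maintained by hand. */
    prefix-list multihomed-customers {
        192.0.2.0/24;
    }
}
routing-options {
    static {
        route 198.51.100.0/24 next-hop 10.0.0.2;
        route 198.51.101.0/24 next-hop 10.0.0.6;
    }
}
firewall {
    family inet {
        filter anti-spoof-in {
            /* Multihomed customers may be sourced from the internet. */
            term multihomed-ok {
                from {
                    source-prefix-list {
                        multihomed-customers;
                    }
                }
                then accept;
            }
            /* Anything else claiming to come from customer space is spoofed. */
            term drop-spoofed {
                from {
                    source-prefix-list {
                        customer-blocks;
                    }
                }
                then {
                    count spoofed-customer-src;
                    discard;
                }
            }
            term everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    /* Upstream-facing interface: the filter does the work here, because
       strict uRPF towards the internet would break asymmetric routing and
       loose uRPF would pass spoofed customer sources (a route exists). */
    ge-0/0/0 {
        unit 0 {
            description "upstream ISP A";
            family inet {
                filter {
                    input anti-spoof-in;
                }
                address 203.0.113.2/30;
            }
        }
    }
    /* Customer-facing interface: strict uRPF stops the customer sourcing
       addresses the router has no route back to via this interface. */
    ge-0/0/1 {
        unit 0 {
            description "customer";
            family inet {
                rpf-check;
                address 10.0.0.1/30;
            }
        }
    }
}
```

To confirm the list actually expanded the way you expect, `show configuration policy-options prefix-list customer-blocks | display inheritance` shows the prefixes `apply-path` resolved, and `show firewall filter anti-spoof-in` shows the `spoofed-customer-src` counter once the filter is applied.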

