[j-nsp] Using routing policy in firewall filters
Eugeniu Patrascu
eugen at imacandi.net
Fri Jul 11 13:04:07 EDT 2008
David Ball wrote:
> Hey folks. They say the definition of insanity is repeating the
> same thing over and over and expecting different results, and again I
> found myself trying to use routing policy in a firewall filter,
> unsuccessfully.
> We have 4 upstream ISPs, 2 on 1 router and 2 on another. Until now
> we've had to maintain large prefix-lists including all customer blocks
> on both routers such that they can be applied to firewall filters to
> perform anti-spoofing. I'm trying to find a way to simplify this,
> such that if my provisioning guys add a new customer who has their own
> block, the anti-spoofing rules filtering inbound internet traffic will
> allow it.
> What are other folks doing? Prefix-list maintenance is the only way?
> I get the feeling this question has been asked before, but I
> couldn't find it.
>
Isn't it enough for you to enable unicast reverse path verify on the
routers so that clients can't spoof packets?