[j-nsp] Using routing policy in firewall filters

Eric Van Tol eric at atlantech.net
Fri Jul 11 14:28:30 EDT 2008


> Isn't it enough for you to enable unicast reverse path verify on the
> routers so that clients can't spoof packets ?

The issue does not seem to be client spoofing, but the "internet" spoofing his clients' addresses.  I'm not sure uRPF would work in this case, since he's multihomed.  He could check the entries against a filter, but it's my understanding that he's trying to prevent having to update multiple prefix-lists whenever a new customer is provisioned.  If that's wrong, David, please correct me.

I *believe* what he is looking for can be accomplished with SCU/DCU.  I know certain firewall filter functions can be accomplished by use of routing policy by using DCU.  Here's an old example of how to police traffic to a specific AS using DCU.  I've never actually tried this, so YMMV.  I imagine a similar setup could be done with the use of communities instead of AS paths and changing the policer terminator to a discard:

[edit policy-options]
/* as-path orig1 and policer policer1 are defined elsewhere and not shown */
policy-statement dcu {
    term t1 {
        from as-path orig1;
        then destination-class orig1;
    }
}

[edit routing-options forwarding-table]
export dcu;

[edit firewall family inet filter f1]
term t1 {
    from {
        destination-class orig1;
    }
    then {
        policer policer1;
    }
}
term default {
    then accept;
}
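As an added example (not from the original post or the list), here is the variant the post sketches: match on a community instead of an AS path, and discard instead of police. For the case under discussion, packets arriving from transit that carry a customer's source address, the lookup has to be on the source address, so the policy sets source-class rather than destination-class and the filter goes inbound on the transit-facing interfaces. The community name customers, its value 65000:100, the class and filter names and the interface ge-0/0/0 are assumptions; check on your platform and release whether firewall-filter matching on source-class also requires source-class-usage under the interface accounting stanza before relying on it.

```junos
[edit policy-options]
/* hypothetical community; every customer route gets tagged with it at provisioning */
community customers members 65000:100;

policy-statement scu-customers {
    term customers {
        from community customers;
        then source-class customers;
    }
    /* routes without the community get no class and are left alone */
}

[edit routing-options forwarding-table]
/* the class lives in the forwarding table, so the policy must be a forwarding-table export */
export scu-customers;

[edit firewall family inet filter from-transit]
/* a packet from transit whose source address resolves to a customer route is spoofed */
term drop-spoofed-customer-sources {
    from {
        source-class customers;
    }
    then {
        count spoofed-customer-sources;
        discard;
    }
}
term default {
    then accept;
}

[edit interfaces ge-0/0/0 unit 0 family inet]
/* hypothetical transit-facing interface; apply inbound only, never on customer ports */
filter {
    input from-transit;
}
```

The per-customer work shrinks to tagging the customer's routes with the community when they are provisioned (via the BGP import policy, or an export policy for static and direct routes); the filter and the forwarding-table policy never change. Keep the filter off the customer-facing interfaces, or their own legitimate traffic matches the class and is dropped, and watch the counter for a while before trusting the discard.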

