[j-nsp] Using routing policy in firewall filters
David Ball
davidtball at gmail.com
Fri Jul 11 14:56:31 EDT 2008
Thanks Eric. I believe that IS in fact what I'm looking for, and
at first glance, I think I can certainly adapt your example to my
situation. Will investigate further. Thanks to the others as well,
who mentioned uRPF, which I have been planning to apply to my cust
interfaces.
David
On 11/07/2008, Eric Van Tol <eric at atlantech.net> wrote:
>> Isn't it enough for you to enable unicast reverse path verify on the
>> routers so that clients can't spoof packets ?
>
> The issue does not seem to be client spoofing, but the "internet" spoofing
> his clients' addresses. I'm not sure uRPF would work in this case, since
> he's multihomed. He could check the entries against a filter, but it's my
> understanding that he's trying to prevent having to update multiple
> prefix-lists whenever a new customer is provisioned. If that's wrong,
> David, please correct me.
>
> I *believe* what he is looking for can be accomplished with SCU/DCU. I know
> certain firewall filter functions can be accomplished by use of routing
> policy by using DCU. Here's an old example of how to police traffic to a
> specific AS using DCU. I've never actually tried this, so YMMV. I imagine
> a similar setup could be done with the use of communities instead of AS
> paths and changing the policer terminator to a discard:
>
> [edit policy-options]
> /* as-path orig1 and policer policer1 must be defined separately */
> policy-statement dcu {
>     term t1 {
>         from as-path orig1;
>         then destination-class orig1;
>     }
> }
>
> [edit routing-options forwarding-table]
> export dcu;
>
> [edit firewall family inet filter f1]
> term t1 {
>     from {
>         destination-class orig1;
>     }
>     then {
>         policer policer1;
>     }
> }
> term default {
>     then accept;
> }
>
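The community-based variant Eric sketches, carried through to the spoofing case David describes, as an added example that is neither Eric's nor David's configuration: prefixes learned from customer BGP sessions are tagged with a community on import, a forwarding-table export policy maps that community to a source class (SCU), and a filter on the transit interfaces discards inbound packets whose source address falls in that class, so no prefix-list needs updating when a customer is provisioned. All names and values here (CUSTOMER, 65000:100, from-customers, scu-customers, upstream-in, the bgp group customers, xe-1/0/0) are assumed placeholders.

```junos
[edit policy-options]
community CUSTOMER members 65000:100;
/* Applied as import policy on customer sessions: no per-customer prefix-list to maintain */
policy-statement from-customers {
    term tag {
        then {
            community add CUSTOMER;
            accept;
        }
    }
}
/* Forwarding-table export: routes carrying the community become source class "customers" */
policy-statement scu-customers {
    term customers {
        from community CUSTOMER;
        then source-class customers;
    }
}

[edit routing-options forwarding-table]
export scu-customers;

[edit protocols bgp group customers]
import from-customers;

[edit firewall family inet filter upstream-in]
/* A packet from transit whose source is a customer prefix is spoofed: count it, then drop it */
term drop-spoofed-customer-sources {
    from {
        source-class customers;
    }
    then {
        count spoofed-customer-src;
        discard;
    }
}
term default {
    then accept;
}

[edit interfaces xe-1/0/0 unit 0 family inet]
/* SCU must be enabled on the ingress interface for the source-class match to take effect */
accounting {
    source-class-usage {
        input;
    }
}
filter {
    input upstream-in;
}
```

Apply the filter only on transit-facing interfaces; on a customer-facing interface the same term would discard that customer's legitimate traffic. The counter gives a quick way to confirm the filter is seeing spoofed sources before trusting it across all upstreams.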
More information about the juniper-nsp
mailing list