[j-nsp] Filter weirdness - bug?
Eric Van Tol
eric at atlantech.net
Tue Jun 17 12:17:13 EDT 2008
Hi all,
I have some J23xx routers configured with a filter on lo0 and noticed that the filter isn't working as expected. I'm using a variety of JUNOS versions, from 8.4 through 8.5. The issue seems to stem from using a prefix-list with an 'apply-path' specified:
interfaces {
    ge-0/0/0 {
        enable;
        unit 0 {
            family inet {
                address 10.0.0.10/30;
            }
        }
    }
    ls-0/0/0 {
        enable;
        unit 0 {
            encapsulation multilink-ppp;
            family inet {
                address 10.1.0.10/30;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input access-protect;
                }
                address 127.0.0.1/32;
            }
        }
    }
}
policy-options {
    prefix-list noc {
        192.168.0.0/22;
        192.168.168.0/24;
    }
    prefix-list local_nets {
        apply-path "interfaces <*> unit 0 family inet address <*>";
    }
}
firewall {
    family inet {
        filter access-protect {
            term 0-allow_established {
                from {
                    protocol tcp;
                    tcp-established;
                }
                then {
                    count term-0;
                    accept;
                }
            }
            term 5-allow_noc {
                from {
                    prefix-list {
                        noc;
                    }
                    destination-port [ 20-22 80 443 161 ];
                }
                then {
                    count term-5;
                    accept;
                }
            }
            term 10-allow_local_nets {
                from {
                    prefix-list {
                        local_nets;
                    }
                }
                then {
                    count term-10;
                    log;
                    accept;
                }
            }
            term 15-icmp_rules {
                from {
                    protocol icmp;
                }
                then {
                    count term-15;
                    accept;
                }
            }
            term 20-allow_dns_ntp {
                from {
                    protocol udp;
                    source-port [ 53 123 ];
                }
                then {
                    count term-20;
                    accept;
                }
            }
            term 1000-implicit_deny {
                then {
                    count term-1000;
                    log;
                    discard;
                }
            }
        }
    }
}
user@r1# show policy-options prefix-list local_nets | display inheritance
##
## apply-path was expanded to:
##     10.0.0.8/30;
##     10.1.0.8/30;
##     127.0.0.1/32;
##
apply-path "interfaces <*> unit 0 family inet address <*>";
What happens is that incoming SSH from *any* address hits "term 10-allow_local_nets" and matches. If I take out the prefix-list and put specific source addresses, it works fine. I'd like to know if I've missed something obvious before opening up a JTAC case.
Thanks,
evt
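As an added example (not the poster's configuration or code), the following Python model replays the filter's terms in first-match order so the behaviour of the local_nets term can be checked offline. It assumes the Junos match semantics that a bare prefix-list in a from clause matches the source or the destination address while source-prefix-list matches the source only, and that tcp-established means ACK or RST set; the outside address 203.0.113.5 is constructed.

```python
import ipaddress

# Constructed model of the filter in the post. Junos semantics assumed here:
# a bare 'prefix-list' in a 'from' clause matches the source OR destination
# address, 'source-prefix-list' matches the source only, and 'tcp-established'
# matches TCP packets with the ACK or RST bit set.
LOCAL_NETS = [ipaddress.ip_network(p) for p in ("10.0.0.8/30", "10.1.0.8/30", "127.0.0.1/32")]
NOC = [ipaddress.ip_network(p) for p in ("192.168.0.0/22", "192.168.168.0/24")]
NOC_PORTS = {20, 21, 22, 80, 443, 161}

def in_list(addr, prefixes):
    ip = ipaddress.ip_address(addr)
    return any(ip in p for p in prefixes)

def build_terms(local_nets_match="prefix-list"):
    """Return the filter as an ordered list of (term name, predicate, action)."""
    def local_nets(pkt):
        if local_nets_match == "prefix-list":
            return in_list(pkt["src"], LOCAL_NETS) or in_list(pkt["dst"], LOCAL_NETS)
        return in_list(pkt["src"], LOCAL_NETS)  # source-prefix-list: source only
    return [
        ("0-allow_established",
         lambda p: p["proto"] == "tcp" and bool(p.get("flags", set()) & {"ack", "rst"}),
         "accept"),
        ("5-allow_noc",
         lambda p: (in_list(p["src"], NOC) or in_list(p["dst"], NOC))
         and p.get("dport") in NOC_PORTS,
         "accept"),
        ("10-allow_local_nets", local_nets, "accept"),
        ("15-icmp_rules", lambda p: p["proto"] == "icmp", "accept"),
        ("20-allow_dns_ntp",
         lambda p: p["proto"] == "udp" and p.get("sport") in (53, 123),
         "accept"),
        ("1000-implicit_deny", lambda p: True, "discard"),
    ]

def evaluate(pkt, local_nets_match="prefix-list"):
    """First-match evaluation of a packet; returns (term name, action)."""
    for name, pred, action in build_terms(local_nets_match):
        if pred(pkt):
            return name, action

if __name__ == "__main__":
    # Constructed: SSH SYN from an outside host to the router's ge-0/0/0 address.
    ssh = {"src": "203.0.113.5", "dst": "10.0.0.10", "proto": "tcp", "dport": 22, "flags": {"syn"}}
    print(evaluate(ssh))                        # ('10-allow_local_nets', 'accept')
    print(evaluate(ssh, "source-prefix-list"))  # ('1000-implicit_deny', 'discard')
```

Because every packet arriving on lo0 is addressed to one of the router's own interface addresses, which are exactly the prefixes apply-path collected, a destination-or-source match on local_nets is satisfied by any inbound packet, whereas restricting the term to the source side leaves outside SSH to fall through to the deny term.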