[j-nsp] Firewall filter for locally generated packets
Stefan Fouant
sfouant at gmail.com
Thu Mar 27 13:24:29 EDT 2008
You could always specify the sourcing interface as opposed to the
source-address, if for example you want to use a standardized configuration
across many devices, as in:
term permit_bootp_install {
from {
interface lo0.0;
}
protocol udp;
destination-port [ 67 68 ];
}
}
HTHs.
Stefan Fouant
On Thu, Mar 27, 2008 at 12:33 PM, Ian MacKinnon <ian.mackinnon at lumison.net>
wrote:
> Hi all,
>
> I am doing some work with PXE-booting of servers and using bootp helpers
> to get to the dhcp server.
>
> All working fine so far.
>
> However the dhcp response back to the server appears to be coming from
> the local interface directly, and our standard firewalling is dropping it.
>
> I can open the firewall to allow all udp 67/68 packets through,but I
> would rather limit it.
>
> Now I could add the local ip address to the rule, but have have a
> standard set of rules we apply to all interfaces, so if there is some
> way of specifying allow locally generated packets through that would be
> better.
>
> eg
> we have an interface with an ip address like 192.168.0.1/24
> In syslog we see
> Mar 27 16:05:41 my-router-01/my-router-01 /kernel: %FIREWALL-6-FW:
> .local..0 R udp 192.168.0.1 255.255.255.255 67 68
>
>
> ie the interface name is .local..0 and the source is 192.168.0.1
>
>
> Our firewall rule then looks like :-
> term permit_bootp_install {
> from {
> source-address {
> 192.168.0.1/32;
> }
> protocol udp;
> destination-port [ 67 68 ];
> }
> }
>
>
> But rather than use the source-address what can I use for locally
> generated packets?
>
> Thanks
>
>
> --
>
> This email and any files transmitted with it are confidential and intended
> solely for the use of the individual or entity to whom they are addressed.
> If you have received this email in error please notify the sender. Any
> offers or quotation of service are subject to formal specification.
> Errors and omissions excepted. Please note that any views or opinions
> presented in this email are solely those of the author and do not
> necessarily represent those of Lumison, nplusone or lightershade ltd.
> Finally, the recipient should check this email and any attachments for the
> presence of viruses. Lumison, nplusone and lightershade ltd accepts no
> liability for any damage caused by any virus transmitted by this email.
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
More information about the juniper-nsp
mailing list