[j-nsp] Firewall filter for locally generated packets

Stefan Fouant sfouant at gmail.com
Thu Mar 27 13:24:29 EDT 2008


You could always specify the sourcing interface as opposed to the
source-address, if for example you want to use a standardized configuration
across many devices, as in:

term permit_bootp_install {
    from {
        interface lo0.0;
        protocol udp;
        destination-port [ 67 68 ];
    }
}

HTHs.

Stefan Fouant

On Thu, Mar 27, 2008 at 12:33 PM, Ian MacKinnon <ian.mackinnon at lumison.net>
wrote:

> Hi all,
>
> I am doing some work with PXE-booting of servers and using bootp helpers
> to get to the dhcp server.
>
> All working fine so far.
>
> However the dhcp response back to the server appears to be coming from
> the local interface directly, and our standard firewalling is dropping it.
>
> I can open the firewall to allow all udp 67/68 packets through, but I
> would rather limit it.
>
> Now I could add the local ip address to the rule, but we have a
> standard set of rules we apply to all interfaces, so if there is some
> way of specifying allow locally generated packets through that would be
> better.
>
> eg
> we have an interface with an ip address like 192.168.0.1/24
> In syslog we see
> Mar 27 16:05:41 my-router-01/my-router-01 /kernel: %FIREWALL-6-FW:
> .local..0    R  udp 192.168.0.1 255.255.255.255    67    68
>
>
> ie the interface name is .local..0 and the source is 192.168.0.1
>
>
> Our firewall rule then looks like :-
> term permit_bootp_install {
>     from {
>         source-address {
>             192.168.0.1/32;
>         }
>         protocol udp;
>         destination-port [ 67 68 ];
>     }
> }
>
>
> But rather than use the source-address what can I use for locally
> generated packets?
>
> Thanks
>
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
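Before widening a standard filter to all of udp 67/68, it helps to know exactly which router-originated flows it is dropping. The following added example (not code from the thread or from Juniper) parses %FIREWALL-6-FW syslog entries of the shape quoted above and lists the non-accepted flows logged on the .local..0 pseudo-interface; the sample lines are constructed, and the meaning of the action codes (A/D/R) is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample entries modelled on the %FIREWALL-6-FW line quoted in the
# thread (each event re-joined onto one line). Hosts and addresses are made up.
SAMPLE_LOG = """\
Mar 27 16:05:41 my-router-01/my-router-01 /kernel: %FIREWALL-6-FW: .local..0    R  udp 192.168.0.1 255.255.255.255    67    68
Mar 27 16:05:42 my-router-01/my-router-01 /kernel: %FIREWALL-6-FW: ge-0/0/1.0    A  udp 192.168.0.50 192.168.0.1    68    67
Mar 27 16:05:43 my-router-01/my-router-01 /kernel: %FIREWALL-6-FW: ge-0/0/2.0    D  tcp 10.9.8.7 192.168.0.1    44321    22
Mar 27 16:05:44 my-router-01/my-router-01 /kernel: %FIREWALL-6-FW: .local..0    A  udp 192.168.0.1 192.168.0.10    67    68
"""

# Field order as in the quoted entry: interface, action, protocol, src, dst, sport, dport
FW_RE = re.compile(
    r"%FIREWALL-6-FW:\s+(?P<iface>\S+)\s+(?P<action>[ADR])\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<sport>\d+)\s+(?P<dport>\d+)"
)
ACTIONS = {"A": "accept", "D": "discard", "R": "reject"}  # assumed action-code meanings
LOCAL_IFACE = ".local..0"  # pseudo-interface for router-originated packets (from the thread)


@dataclass
class FwEvent:
    iface: str
    action: str
    proto: str
    src: str
    dst: str
    sport: int
    dport: int

    @property
    def locally_generated(self) -> bool:
        return self.iface == LOCAL_IFACE


def parse_fw_line(line: str) -> Optional[FwEvent]:
    """Parse one syslog line; return None for lines that are not FW events."""
    m = FW_RE.search(line)
    if not m:
        return None
    return FwEvent(m["iface"], ACTIONS.get(m["action"], m["action"]), m["proto"],
                   m["src"], m["dst"], int(m["sport"]), int(m["dport"]))


def dropped_local_flows(log: str) -> list:
    """Sorted (proto, dst, sport, dport) of router-originated packets the filter
    did not accept: the set a narrower permit term would actually need to cover."""
    events = (parse_fw_line(line) for line in log.splitlines())
    return sorted({(e.proto, e.dst, e.sport, e.dport) for e in events
                   if e and e.locally_generated and e.action != "accept"})
```

On the sample data only the DHCP reply to the broadcast address shows up, which is the flow the thread is about; run it over a real log export to see whether anything else on .local..0 is being rejected by the same standard filter.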