[j-nsp] Firewall filter for locally generated packets
Ian MacKinnon
ian.mackinnon at lumison.net
Fri Mar 28 04:26:25 EDT 2008
Hi Stefan,
Thanks for that, that is exactly what I was looking for, will give it a try.
Stefan Fouant wrote:
> You could always specify the sourcing interface as opposed to the
> source-address, if for example you want to use a standardized
> configuration across many devices, as in:
>
> term permit_bootp_install {
> from {
> interface lo0.0;
> }
> protocol udp;
> destination-port [ 67 68 ];
> }
> }
> HTHs.
> Stefan Fouant
> On Thu, Mar 27, 2008 at 12:33 PM, Ian MacKinnon
> <ian.mackinnon at lumison.net <mailto:ian.mackinnon at lumison.net>> wrote:
>
> Hi all,
>
> I am doing some work with PXE-booting of servers and using bootp helpers
> to get to the dhcp server.
>
> All working fine so far.
>
> However the dhcp response back to the server appears to be coming from
> the local interface directly, and our standard firewalling is
> dropping it.
>
> I can open the firewall to allow all udp 67/68 packets through,but I
> would rather limit it.
>
> Now I could add the local ip address to the rule, but have have a
> standard set of rules we apply to all interfaces, so if there is some
> way of specifying allow locally generated packets through that would be
> better.
>
> eg
> we have an interface with an ip address like 192.168.0.1/24
> <http://192.168.0.1/24>
> In syslog we see
> Mar 27 16:05:41 my-router-01/my-router-01 /kernel: %FIREWALL-6-FW:
> .local..0 R udp 192.168.0.1 <http://192.168.0.1/> 255.255.255.255
> <http://255.255.255.255/> 67 68
>
>
> ie the interface name is .local..0 and the source is 192.168.0.1
> <http://192.168.0.1/>
>
>
> Our firewall rule then looks like :-
> term permit_bootp_install {
> from {
> source-address {
> 192.168.0.1/32 <http://192.168.0.1/32>;
> }
> protocol udp;
> destination-port [ 67 68 ];
> }
> }
>
>
> But rather than use the source-address what can I use for locally
> generated packets?
>
> Thanks
>
>
> --
>
> This email and any files transmitted with it are confidential and
> intended
> solely for the use of the individual or entity to whom they are
> addressed.
> If you have received this email in error please notify the sender. Any
> offers or quotation of service are subject to formal specification.
> Errors and omissions excepted. Please note that any views or opinions
> presented in this email are solely those of the author and do not
> necessarily represent those of Lumison, nplusone or lightershade ltd.
> Finally, the recipient should check this email and any attachments
> for the
> presence of viruses. Lumison, nplusone and lightershade ltd accepts no
> liability for any damage caused by any virus transmitted by this email.
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> <mailto:juniper-nsp at puck.nether.net>
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>
--
Ian MacKinnon
Lumison
t: 0845 1199 900
d: 0131 514 4055
P.S. It's a hat-trick - Lumison have been nominated for best business
broadband, best email and best VoIP provider for the 2008 ISPAs
--
This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the sender. Any
offers or quotation of service are subject to formal specification.
Errors and omissions excepted. Please note that any views or opinions
presented in this email are solely those of the author and do not
necessarily represent those of Lumison, nplusone or lightershade ltd.
Finally, the recipient should check this email and any attachments for the
presence of viruses. Lumison, nplusone and lightershade ltd accepts no
liability for any damage caused by any virus transmitted by this email.
More information about the juniper-nsp
mailing list