[j-nsp] Meaning of "except" in firewall filters
Tore Anderson
tore at linpro.no
Wed Oct 29 18:24:36 EDT 2008
Hi,
I'm trying to restrict SSH access on some of my routers to allow
connections from just a few known source networks (defined in a prefix
list called "ssh-allowed"). I then came up with the following, and
applied it as an input filter on lo0.0:
[edit firewall filter lo0-input]
term restrict-ssh {
    from {
        source-prefix-list {
            ssh-allowed except;
        }
        protocol tcp;
        destination-port ssh;
    }
    then {
        syslog;
        reject;
    }
}
term fallthrough {
    then accept;
}
This didn't work as expected: SSH connections were still allowed from any
host (both from networks found inside ssh-allowed as well as from
outside). It seems like the restrict-ssh term never matched.
If I removed the "except", it worked as I would have thought -
connections from hosts inside prefixes found in the ssh-allowed prefix
list were denied, while connections from the rest of the internet were
allowed. Of course, this is the opposite behaviour of what I want.
I can work around it by first making a term that accepts SSH from the
known prefixes, then another term that rejects all other SSH
connections, and finally the fallthrough that accepts the rest. However,
this behaviour made me really curious... Isn't "except" supposed to
invert the logic of the match? That's how I understand the help text,
at least:
except Match addresses not in this prefix list
It doesn't seem to work that way, though. Does anyone know how it's
supposed to be used?
Regards
--
Tore Anderson
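The three-term workaround described in the post, written out as Junos configuration (an added example, not part of the original message): an accept term for SSH from the known prefixes, a reject term for all other SSH, and the fallthrough accept. The prefixes in the ssh-allowed list and the prefix-list definition under policy-options are constructed placeholders; the filter is applied to lo0.0 as in the post.

```junos
policy-options {
    prefix-list ssh-allowed {
        /* constructed placeholder prefixes; replace with the real management networks */
        192.0.2.0/24;
        198.51.100.0/24;
    }
}
firewall {
    filter lo0-input {
        /* Terms are evaluated first-match, so known sources are accepted
           before the generic SSH reject term can see them. */
        term allow-ssh-known {
            from {
                source-prefix-list {
                    ssh-allowed;
                }
                protocol tcp;
                destination-port ssh;
            }
            then accept;
        }
        /* Any SSH that reached this term did not come from ssh-allowed. */
        term restrict-ssh {
            from {
                protocol tcp;
                destination-port ssh;
            }
            then {
                syslog;
                reject;
            }
        }
        /* Everything that is not SSH falls through untouched. */
        term fallthrough {
            then accept;
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input lo0-input;
                }
            }
        }
    }
}
```

Because the reject term carries no address condition at all, it does not depend on how "except" is interpreted, which is why this ordering gives the intended result regardless.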