[j-nsp] Meaning of "except" in firewall filters
Curtis Call
ccall at juniper.net
Wed Oct 29 19:39:28 EDT 2008
Try adding a prefix-list match to the restrict-ssh term which contains a
0/0 route. I don't think the "except" option is meant to be used in
isolation.
> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-
> bounces at puck.nether.net] On Behalf Of Tore Anderson
> Sent: Wednesday, October 29, 2008 3:25 PM
> To: juniper-nsp at puck.nether.net
> Subject: [j-nsp] Meaning of "except" in firewall filters
>
> Hi,
>
> I'm trying to restrict SSH access on some of my routers to allow
> connections from just a few known source networks (defined in a prefix
> list called "ssh-allowed"). I then came up with the following, and
> applied it as an input filter on lo0.0:
>
> [edit firewall filter lo0-input]
> term restrict-ssh {
> from {
> source-prefix-list {
> ssh-allowed except;
> }
> protocol tcp;
> destination-port ssh;
> }
> then {
> syslog;
> reject;
> }
> }
> term fallthrough {
> then accept;
> }
>
> This didn't work as expected, SSH connections was still allowed from
> any host (both from inside networks found inside ssh-allowed as well
as
> from outside). It seems like the restrict-ssh term never matched.
>
> If I removed the "except", it worked as I would have thought -
> connections from hosts inside prefixes found in the ssh-allowed prefix
> list was denied, while connections from the rest of the internet was
> allowed. Of course, this is the opposite behaviour of what I want.
>
> I can work around it by making first a term that accepts SSH from the
> known prefixes, then another term that rejects all other SSH
> connections, and finally the fallthrough that accepts the rest.
> However this behaviour made me really curious... Isn't "except"
> supposed to invert the logic of the match? That's how I understand
the
> help text, at least:
>
> except Match addresses not in this prefix list
>
> It doesn't seem to work that way, though. Does anyone know how it's
> supposed to be used?
>
> Regards
> --
> Tore Anderson
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
More information about the juniper-nsp
mailing list