[j-nsp] Meaning of "except" in firewall filters

Curtis Call ccall at juniper.net
Wed Oct 29 19:39:28 EDT 2008 

Try adding a prefix-list match to the restrict-ssh term which contains a
0/0 route.  I don't think the "except" option is meant to be used in
isolation.

> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-
> bounces at puck.nether.net] On Behalf Of Tore Anderson
> Sent: Wednesday, October 29, 2008 3:25 PM
> To: juniper-nsp at puck.nether.net
> Subject: [j-nsp] Meaning of "except" in firewall filters
> 
> Hi,
> 
> I'm trying to restrict SSH access on some of my routers to allow
> connections from just a few known source networks (defined in a prefix
> list called "ssh-allowed").  I then came up with the following, and
> applied it as an input filter on lo0.0:
> 
> [edit firewall filter lo0-input]
> term restrict-ssh {
>     from {
>         source-prefix-list {
>             ssh-allowed except;
>         }
>         protocol tcp;
>         destination-port ssh;
>     }
>     then {
>         syslog;
>         reject;
>     }
> }
> term fallthrough {
>     then accept;
> }
> 
> This didn't work as expected, SSH connections was still allowed from
> any host (both from inside networks found inside ssh-allowed as well
as
> from outside).  It seems like the restrict-ssh term never matched.
> 
> If I removed the "except", it worked as I would have thought -
> connections from hosts inside prefixes found in the ssh-allowed prefix
> list was denied, while connections from the rest of the internet was
> allowed.  Of course, this is the opposite behaviour of what I want.
> 
> I can work around it by making first a term that accepts SSH from the
> known prefixes, then another term that rejects all other SSH
> connections, and finally the fallthrough that accepts the rest.
> However this behaviour made me really curious...  Isn't "except"
> supposed to invert the logic of the match?  That's how I understand
the
> help text, at least:
> 
>     except               Match addresses not in this prefix list
> 
> It doesn't seem to work that way, though.  Does anyone know how it's
> supposed to be used?
> 
> Regards
> --
> Tore Anderson
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp

More information about the juniper-nsp mailing list