[j-nsp] Meaning of "except" in firewall filters
Alexandre Snarskii
snar at snar.spb.ru
Thu Oct 30 08:42:55 EDT 2008
On Wed, Oct 29, 2008 at 11:24:36PM +0100, Tore Anderson wrote:
> Hi,
>
> I'm trying to restrict SSH access on some of my routers to allow
> connections from just a few known source networks (defined in a prefix
> list called "ssh-allowed"). I then came up with the following, and
> applied it as an input filter on lo0.0:
You should add 0.0.0.0/0 as a matching entry, and then your ssh-allowed
host will be excepted :)
Like that:
>
> [edit firewall filter lo0-input]
> term restrict-ssh {
>     from {
>         source-prefix-list {
              0.0.0.0/0;
>             ssh-allowed except;
>         }
>         protocol tcp;
>         destination-port ssh;
>     }
>     then {
>         syslog;
>         reject;
>     }
> }
> term fallthrough {
>     then accept;
> }
>
> This didn't work as expected, SSH connections were still allowed from any
> host (both from inside networks found inside ssh-allowed as well as from
> outside). It seems like the restrict-ssh term never matched.
>
> If I removed the "except", it worked as I would have thought -
> connections from hosts inside prefixes found in the ssh-allowed prefix
> list were denied, while connections from the rest of the internet were
> allowed. Of course, this is the opposite behaviour of what I want.
>
> I can work around it by making first a term that accepts SSH from the
> known prefixes, then another term that rejects all other SSH
> connections, and finally the fallthrough that accepts the rest. However
> this behaviour made me really curious... Isn't "except" supposed to
> invert the logic of the match? That's how I understand the help text,
> at least:
>
> except Match addresses not in this prefix list
>
> It doesn't seem to work that way, though. Does anyone know how it's
> supposed to be used?
>
> Regards
> --
> Tore Anderson
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
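An added illustration, not part of the thread and not Juniper code: a small Python model of how a source-prefix-list term is evaluated, showing why the term with only "ssh-allowed except" never matches and why adding 0.0.0.0/0 fixes it. It assumes the documented Junos rule that the most specific covering entry decides and an "except" entry there means no match; the ssh-allowed prefixes are constructed, and every packet is treated as TCP/ssh so the protocol and port conditions are left out.

```python
import ipaddress

# Constructed stand-in for the "ssh-allowed" prefix list in the thread.
SSH_ALLOWED = ["192.0.2.0/24", "198.51.100.0/24"]


def prefix_list_matches(addr, entries):
    """Model a Junos source-prefix-list match (assumed longest-match rule).

    entries: list of (prefix, is_except). The most specific entry covering
    addr decides; the term matches only if that entry is not an 'except'.
    If no entry covers addr at all, the term does not match: 'except' on
    its own never makes anything match, it only carves holes out of a match.
    """
    ip = ipaddress.ip_address(addr)
    best_net, best_except = None, None
    for prefix, is_except in entries:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_except = net, is_except
    return best_net is not None and not best_except


def evaluate_filter(addr, terms):
    """Terms are tried in order; the first matching term's action wins."""
    for name, entries, action in terms:
        if entries is None or prefix_list_matches(addr, entries):
            return name, action
    return "implicit-discard", "discard"  # default action at end of filter


def build_terms(variant):
    """Build the lo0-input filter from the thread in one of three variants."""
    if variant == "broken":        # Tore's original: only 'ssh-allowed except'
        entries = [(p, True) for p in SSH_ALLOWED]
    elif variant == "no-except":   # 'except' removed: denies the allowed nets
        entries = [(p, False) for p in SSH_ALLOWED]
    elif variant == "fixed":       # Alexandre's fix: 0.0.0.0/0 plus the except
        entries = [("0.0.0.0/0", False)] + [(p, True) for p in SSH_ALLOWED]
    else:
        raise ValueError(variant)
    return [("restrict-ssh", entries, "reject"),
            ("fallthrough", None, "accept")]


if __name__ == "__main__":
    for variant in ("broken", "no-except", "fixed"):
        for src in ("192.0.2.10", "203.0.113.5"):
            print(variant, src, evaluate_filter(src, build_terms(variant)))
```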