[j-nsp] Meaning of "except" in firewall filters

Alexandre Snarskii snar at snar.spb.ru
Thu Oct 30 08:42:55 EDT 2008


On Wed, Oct 29, 2008 at 11:24:36PM +0100, Tore Anderson wrote:
> Hi,
> 
> I'm trying to restrict SSH access on some of my routers to allow 
> connections from just a few known source networks (defined in a prefix 
> list called "ssh-allowed").  I then came up with the following, and 
> applied it as an input filter on lo0.0:

you should add 0.0.0.0/0 as matching entry, and then your ssh-allowed
host will be excepted :)

Like that:  

> 
> [edit firewall filter lo0-input]
> term restrict-ssh {
>     from {
>         source-prefix-list {

              0.0.0.0/0;
>             ssh-allowed except;
>         }
>         protocol tcp;
>         destination-port ssh;
>     }
>     then {
>         syslog;
>         reject;
>     }
> }
> term fallthrough {
>     then accept;
> }
> 
> This didn't work as expected, SSH connections was still allowed from any 
> host (both from inside networks found inside ssh-allowed as well as from 
> outside).  It seems like the restrict-ssh term never matched.
> 
> If I removed the "except", it worked as I would have thought - 
> connections from hosts inside prefixes found in the ssh-allowed prefix 
> list was denied, while connections from the rest of the internet was 
> allowed.  Of course, this is the opposite behaviour of what I want.
> 
> I can work around it by making first a term that accepts SSH from the 
> known prefixes, then another term that rejects all other SSH 
> connections, and finally the fallthrough that accepts the rest.  However 
> this behaviour made me really curious...  Isn't "except" supposed to 
> invert the logic of the match?  That's how I understand the help text, 
> at least:
> 
>     except               Match addresses not in this prefix list
> 
> It doesn't seem to work that way, though.  Does anyone know how it's 
> supposed to be used?
> 
> Regards 
> -- 
> Tore Anderson
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp


More information about the juniper-nsp mailing list