[j-nsp] Meaning of "except" in firewall filters

Guy Davies aguydavies at gmail.com
Thu Oct 30 09:10:25 EDT 2008


Hi all,

Note the difference between accept and except...

accept will permit the traffic associated with the named prefix list.

except will deny the traffic associated with the named prefix list but
permit all others.

So...

If you wish to permit a big block but deny a small block from the
middle, you could have the following...

term restrict-ssh {
  from {
    source-prefix-list {
      big-list;
      small-list-in-the-middle-of-big-list except;
    }
  }
  then accept;
}

Rgds,

Guy

2008/10/30 Alexandre Snarskii <snar at snar.spb.ru>:
> On Wed, Oct 29, 2008 at 11:24:36PM +0100, Tore Anderson wrote:
>> Hi,
>>
>> I'm trying to restrict SSH access on some of my routers to allow
>> connections from just a few known source networks (defined in a prefix
>> list called "ssh-allowed").  I then came up with the following, and
>> applied it as an input filter on lo0.0:
>
> you should add 0.0.0.0/0 as matching entry, and then your ssh-allowed
> host will be excepted :)
>
> Like that:
>
>>
>> [edit firewall filter lo0-input]
>> term restrict-ssh {
>>     from {
>>         source-prefix-list {
>
>              0.0.0.0/0;
>>             ssh-allowed except;
>>         }
>>         protocol tcp;
>>         destination-port ssh;
>>     }
>>     then {
>>         syslog;
>>         reject;
>>     }
>> }
>> term fallthrough {
>>     then accept;
>> }
>>
>> This didn't work as expected, SSH connections were still allowed from any
>> host (both from inside networks found inside ssh-allowed as well as from
>> outside).  It seems like the restrict-ssh term never matched.
>>
>> If I removed the "except", it worked as I would have thought -
>> connections from hosts inside prefixes found in the ssh-allowed prefix
>> list were denied, while connections from the rest of the internet were
>> allowed.  Of course, this is the opposite behaviour of what I want.
>>
>> I can work around it by making first a term that accepts SSH from the
>> known prefixes, then another term that rejects all other SSH
>> connections, and finally the fallthrough that accepts the rest.  However
>> this behaviour made me really curious...  Isn't "except" supposed to
>> invert the logic of the match?  That's how I understand the help text,
>> at least:
>>
>>     except               Match addresses not in this prefix list
>>
>> It doesn't seem to work that way, though.  Does anyone know how it's
>> supposed to be used?
>>
>> Regards
>> --
>> Tore Anderson
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp


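The three filter variants discussed in this thread (Tore's original except-only term, Alexandre's 0.0.0.0/0 plus except, and Tore's three-term workaround) modelled in Python. This is an added example, not code from the original posts or from Juniper; the "ssh-allowed" prefixes are constructed, and the rule that the most specific covering entry decides the match is an assumption of the model. It reproduces the behaviour described in the thread: a prefix list containing only "except" entries never matches, so the reject term is skipped and everything falls through to accept.

```python
import ipaddress

# Constructed sample prefix list standing in for Tore's "ssh-allowed".
SSH_ALLOWED = ["192.0.2.0/24", "198.51.100.10/32"]


def prefix_list_matches(entries, src):
    """Model of a source-prefix-list match.

    entries: list of (cidr, is_except). The most specific (longest) entry
    covering src decides (assumption of this model); if that entry is an
    'except', there is no match. A list holding only 'except' entries
    therefore matches nothing, which is what Tore observed.
    """
    ip = ipaddress.ip_address(src)
    best = None
    for cidr, is_except in entries:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, is_except)
    return best is not None and not best[1]


def run_filter(terms, packet):
    """Evaluate terms in order; the first term whose conditions all match
    decides. A term is a dict with optional 'src' (prefix-list entries) and
    'dport', plus a 'then' action. A Junos filter ends in an implicit discard."""
    for term in terms:
        if "src" in term and not prefix_list_matches(term["src"], packet["src"]):
            continue
        if "dport" in term and term["dport"] != packet["dport"]:
            continue
        return term["then"]
    return "discard"


def entries(prefixes, is_except=False):
    return [(p, is_except) for p in prefixes]


# Tore's original: except-only list, so restrict-ssh never matches.
ORIGINAL = [
    {"src": entries(SSH_ALLOWED, True), "dport": 22, "then": "reject"},
    {"then": "accept"},
]

# Alexandre's fix: match everything, then carve the allowed prefixes out.
WITH_DEFAULT = [
    {"src": entries(["0.0.0.0/0"]) + entries(SSH_ALLOWED, True),
     "dport": 22, "then": "reject"},
    {"then": "accept"},
]

# Tore's workaround: explicit allow, explicit deny, then the fallthrough.
WORKAROUND = [
    {"src": entries(SSH_ALLOWED), "dport": 22, "then": "accept"},
    {"dport": 22, "then": "reject"},
    {"then": "accept"},
]


def ssh_verdict(terms, src):
    """Action taken for a TCP/22 packet from src under the given filter."""
    return run_filter(terms, {"src": src, "dport": 22})


if __name__ == "__main__":
    for name, terms in (("original", ORIGINAL), ("with-default", WITH_DEFAULT),
                        ("workaround", WORKAROUND)):
        for src in ("192.0.2.7", "203.0.113.5"):
            print(f"{name:13} ssh from {src:13} -> {ssh_verdict(terms, src)}")
```

Running it shows the original filter accepting SSH from both the allowed and the outside address, while the other two reject the outside address and accept the allowed one; non-SSH traffic falls through to accept in all three, so the fix does not widen or narrow anything beyond port 22.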