[j-nsp] Meaning of "except" in firewall filters
Tore Anderson
tore at linpro.no
Thu Oct 30 12:40:05 EDT 2008
* Tore Anderson
> [edit firewall filter lo0-input]
> term restrict-ssh {
>     from {
>         source-prefix-list {
>             ssh-allowed except;
>         }
>         protocol tcp;
>         destination-port ssh;
>     }
>     then {
>         syslog;
>         reject;
>     }
> }
> term fallthrough {
>     then accept;
> }
>
> This didn't work as expected: SSH connections were still allowed from
> any host (both from networks found inside ssh-allowed as well as from
> outside). It seems like the restrict-ssh term never matched.
Thanks to everyone that answered! I needed to add a prefix list with
0.0.0.0/0 _without_ "except" in order to get the desired results, as it
seems by default "0.0.0.0/0 except" is implicitly included and the
presence of another prefix list does not override it - unless that
prefix list also contains 0.0.0.0/0.
For some reason I only got the replies in private mail, not via the
list. I wonder if others saw lots of answers to my mail or not? The
question is in any case answered now; there's no need for further
replies.
Regards,
--
Tore Anderson
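The fix described in the reply, written out as a complete filter. This is an added example and not the poster's own configuration: the name of the catch-all prefix list (any-v4) and the addresses inside ssh-allowed are assumed. The point it shows is that "except" only carves exclusions out of whatever the term otherwise matches; without an explicit 0.0.0.0/0 entry there is nothing to carve from, so the term matches no source at all.

```junos
[edit policy-options]
/* constructed example: the hosts that may reach SSH on the router */
prefix-list ssh-allowed {
    192.0.2.0/24;
    198.51.100.0/24;
}
/* assumed name: an explicit catch-all that the term can match against */
prefix-list any-v4 {
    0.0.0.0/0;
}

[edit firewall filter lo0-input]
term restrict-ssh {
    from {
        source-prefix-list {
            /* match every source ... */
            any-v4;
            /* ... minus the allowed ones; only the remainder hits this term */
            ssh-allowed except;
        }
        protocol tcp;
        destination-port ssh;
    }
    then {
        syslog;
        reject;
    }
}
term fallthrough {
    then accept;
}
```

Because the term uses the syslog action, rejected attempts show up in the system log, which makes the change easy to verify: an SSH attempt from an address outside ssh-allowed should now be refused and logged, while one from inside the list should not hit restrict-ssh at all and should fall through to the accept term.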