[j-nsp] Problem with firewall m-series

Chris Kawchuk juniperdude at gmail.com
Tue Jul 28 10:05:08 EDT 2009


Hi Tom,

Try this:

/* permit the one flow you want to that subnet */
term 1 {
    from {
        destination-address {
            192.168.100.0/23;
        }
        protocol tcp;
        destination-port 8935;
    }
    then {
        count good-traffic-to-192-168-100-0-23;
        accept;
    }
}

/* everything else to that subnet is rejected (and counted/logged) */
term 2 {
    from {
        destination-address {
            192.168.100.0/23;
        }
    }
    then {
        count bad-packet-going-to-192-168-100-0-23;
        log;
        reject;
    }
}

/* all other traffic on the link is allowed */
term 3 {
    then {
        accept;
    }
}

First of all, match the traffic you want to allow, and let it through.
Then, match any other traffic going to that subnet and reject it.
Thirdly, allow all other traffic. The terms are evaluated "in order".

- Chris.
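As an added illustration that is not part of either message, here is a small Python model of how Junos evaluates filter terms (packet dicts, the term encoding and the sample packets are my own construction); it shows why Tom's term 1 misses UDP to port 8935 and why Chris's term 2 catches it.

```python
# Added example (not from the thread): a tiny model of how a Junos firewall filter
# evaluates its terms; packets are constructed dicts, and only the match conditions
# used in the thread are modelled.
import ipaddress

# Each match condition as a predicate on (configured value, packet).
CHECKS = {
    "destination-address": lambda v, p: any(
        ipaddress.ip_address(p["dst"]) in ipaddress.ip_network(n) for n in v),
    "protocol":                lambda v, p: p["proto"] == v,
    "protocol-except":         lambda v, p: p["proto"] != v,
    "destination-port":        lambda v, p: p["dport"] == v,
    "destination-port-except": lambda v, p: p["dport"] != v,
}

def term_matches(frm, pkt):
    """A term matches only if EVERY condition in its 'from' block holds (Junos ANDs
    them); an empty 'from' block matches every packet."""
    return all(CHECKS[cond](value, pkt) for cond, value in frm.items())

def evaluate(terms, pkt):
    """Walk the terms in order; the first match decides the action. If nothing matches,
    Junos applies its implicit discard. count/log side actions are not modelled."""
    for _name, frm, action in terms:
        if term_matches(frm, pkt):
            return action
    return "discard"

# Tom's filter: protocol-except AND destination-port-except in one term, so a UDP
# packet to port 8935 fails the port condition, misses term 1 and is accepted by term 2.
TOMS_FILTER = [
    ("1", {"destination-address": ["192.168.100.0/23"],
           "protocol-except": "tcp", "destination-port-except": 8935}, "discard"),
    ("2", {}, "accept"),
]

# Chris's filter: permit the one wanted flow, then reject everything else to the subnet.
CHRIS_FILTER = [
    ("1", {"destination-address": ["192.168.100.0/23"],
           "protocol": "tcp", "destination-port": 8935}, "accept"),
    ("2", {"destination-address": ["192.168.100.0/23"]}, "reject"),
    ("3", {}, "accept"),
]

# Constructed sample packets (both inside 192.168.100.0/23).
UDP_8935 = {"dst": "192.168.100.7", "proto": "udp", "dport": 8935}
TCP_22 = {"dst": "192.168.101.5", "proto": "tcp", "dport": 22}

if __name__ == "__main__":
    for who, flt in (("Tom", TOMS_FILTER), ("Chris", CHRIS_FILTER)):
        print(who, "udp/8935 ->", evaluate(flt, UDP_8935), "tcp/22 ->", evaluate(flt, TCP_22))
```

Note that Tom's filter also lets TCP on other ports (for example tcp/22) through to the subnet, for the same reason: a TCP packet fails the protocol-except condition, so term 1 never matches it.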


On 28-Jul-09, at 7:40 AM, Tom Mayer wrote:

> Hi,
>
> I just started with an m10 and setting up some firewall rules.
>
> I know that default deny and permitting each individual service  
> seems the best way to go. But my problem is the following filter:
>
>
> term 1 {
>   from {
>       destination-address {
>           192.168.100.0/23;
>       }
>       protocol-except tcp;
>       destination-port-except 8935;
>   }
>   then {
>       discard;
>   }
> }
> term 2 {
>   then accept;
> }
>
>
> On this link, I want only tcp traffic on port 8935 allowed to subnet
> 192.168.100.0/23.
> On all other subnets, any traffic should be allowed.
>
> It seems that udp traffic on port 8935 to subnet 192.168.100.0/23 is
> allowed when this filter is applied.
>
>
> Could anybody tell me the right syntax for: "traffic to
> 192.168.100.0/23, only tcp on port 8935 allowed. everything else for
> this destination is discarded. everything else on this link is
> allowed."
> I am applying the filter on the downlink interface as output.
>
>
>
> Thanks, Tom
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp