[j-nsp] Problem with firewall m-series
Truman Boyes
truman at suspicious.org
Tue Jul 28 10:20:07 EDT 2009
Hi Tom,
Sometimes having double negatives in firewall terms is hard to read,
but I understand what you are trying to do with the "except" matches.
Here is a simple way to do it with 3 terms:
[edit firewall family inet filter tdb-foo]
lab at malaka# show
term 1 {
    from {
        source-address {
            192.168.100.0/23;
        }
        protocol tcp;
        destination-port 8935;
    }
    then accept;
}
term 2 {
    from {
        source-address {
            192.168.100.0/23;
        }
    }
    then {
        discard;
    }
}
term 3 {
    then accept;
}
On 28/07/2009, at 9:40 AM, Tom Mayer wrote:
> Hi,
>
> I just started with an m10 and setting up some firewall rules.
>
> I know that default deny and permitting each individual service
> seems the best way to go. But my problem is the following filter:
>
>
> term 1 {
>     from {
>         destination-address {
>             192.168.100.0/23;
>         }
>         protocol-except tcp;
>         destination-port-except 8935;
>     }
>     then {
>         discard;
>     }
> }
> term 2 {
>     then accept;
> }
>
>
> I want on this link subnet 192.168.100.0/23 only tcp traffic on port
> 8935 allowed.
> On all other subnets, any traffic should be allowed.
>
> It seems that udp traffic on port 8935 to subnet 192.168.100.0/23 is
> allowed when applied this filter.
>
>
> May anybody tell me the right syntax for: "traffic to
> 192.168.100.0/23, only tcp on port 8935 allowed. everything else for
> this destination is discarded. everything else on this link is
> allowed."
> I am applying the filter on the downlink interface as output.
>
>
>
> Thanks, Tom
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
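Worked example, added here and not part of either message in the thread: a small Python simulation of how a Junos firewall filter evaluates its terms. The model it assumes (stated as an assumption, not quoted from Juniper documentation) is that terms are evaluated top to bottom and the first matching term's action wins, that conditions of different types inside one `from` block are ANDed, that an `-except` condition is the negation of the plain condition, and that a packet matching no term hits the implicit discard. Under that model Tom's single term discards only packets that are both non-TCP and not to port 8935, so UDP to 8935 falls through to `term 2` and is accepted, which is exactly the symptom he reports. The three-term filter below follows the shape of the reply but matches on `destination-address` rather than `source-address`, because Tom applies the filter as output toward 192.168.100.0/23; packets, addresses and the filter names are constructed for the example.

```python
"""Simulate Junos firewall filter term evaluation (added example).

Assumed model:
  * terms are tried top to bottom; the first term whose 'from' block
    matches decides the action;
  * all conditions inside one 'from' block must hold (logical AND);
  * a '<key>-except' condition is the negation of '<key>';
  * a packet that matches no term is discarded (implicit discard).
"""
import ipaddress


def make_packet(src, dst, proto, dport):
    """Constructed packet summary: the fields the filter looks at."""
    return {"src": src, "dst": dst, "protocol": proto, "dport": dport}


def in_prefixes(addr, prefixes):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)


# Plain (non-negated) match conditions: key -> predicate(packet, values)
MATCHERS = {
    "source-address":      lambda p, v: in_prefixes(p["src"], v),
    "destination-address": lambda p, v: in_prefixes(p["dst"], v),
    "protocol":            lambda p, v: p["protocol"] in v,
    "destination-port":    lambda p, v: p["dport"] in v,
}


def condition_matches(packet, key, values):
    """'-except' is the negation of the plain condition of the same name."""
    if key.endswith("-except"):
        return not MATCHERS[key[: -len("-except")]](packet, values)
    return MATCHERS[key](packet, values)


def evaluate(terms, packet):
    """Return the action ('accept'/'discard') of the first matching term."""
    for _name, term in terms:
        conditions = term.get("from", {})
        if all(condition_matches(packet, k, v) for k, v in conditions.items()):
            return term["then"]
    return "discard"  # implicit discard at the end of every filter


SUBNET = ["192.168.100.0/23"]

# Tom's original filter, as posted: both '-except' conditions are ANDed,
# so it discards only (not TCP) AND (not port 8935).
TOM_FILTER = [
    ("1", {"from": {"destination-address": SUBNET,
                    "protocol-except": ["tcp"],
                    "destination-port-except": [8935]},
           "then": "discard"}),
    ("2", {"from": {}, "then": "accept"}),
]

# Three-term version: accept the one permitted flow, then discard the
# rest of the subnet, then accept everything else.
THREE_TERM_FILTER = [
    ("1", {"from": {"destination-address": SUBNET,
                    "protocol": ["tcp"],
                    "destination-port": [8935]},
           "then": "accept"}),
    ("2", {"from": {"destination-address": SUBNET}, "then": "discard"}),
    ("3", {"from": {}, "then": "accept"}),
]


def compare(packet):
    """(action under Tom's filter, action under the three-term filter)."""
    return evaluate(TOM_FILTER, packet), evaluate(THREE_TERM_FILTER, packet)


def explain(terms, packet):
    """Per-condition truth values of the first term, to see why it (mis)matches."""
    _name, term = terms[0]
    return {k: condition_matches(packet, k, v) for k, v in term["from"].items()}


if __name__ == "__main__":
    samples = [
        make_packet("10.0.0.1", "192.168.100.5", "udp", 8935),  # Tom's symptom
        make_packet("10.0.0.1", "192.168.100.5", "tcp", 8935),  # the allowed flow
        make_packet("10.0.0.1", "192.168.100.5", "tcp", 80),
        make_packet("10.0.0.1", "192.168.100.5", "udp", 53),
        make_packet("10.0.0.1", "10.1.1.1", "udp", 53),         # other subnet
    ]
    for pkt in samples:
        print(pkt["protocol"], pkt["dport"], "->", pkt["dst"], compare(pkt),
              explain(TOM_FILTER, pkt))
```

The `explain` output for the UDP/8935 packet shows `destination-port-except` evaluating to False, which is what stops Tom's `term 1` from matching; the simulation also shows that TCP to any other port on the subnet slips through the original filter for the same reason. Listing the permitted flow first and discarding the remainder of the subnet in a separate term avoids having to negate a conjunction at all.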