[j-nsp] Problem with firewall m-series

Truman Boyes truman at suspicious.org
Tue Jul 28 10:20:07 EDT 2009


Hi Tom,

Sometimes having double negatives in firewall terms is hard to read,
but I understand what you are trying to do with the "except" matches.
Here is a simple way to do it with 3 terms:


[edit firewall family inet filter tdb-foo]
lab at malaka# show
term 1 {
     from {
         source-address {
             192.168.100.0/23;
         }
         protocol tcp;
         destination-port 8935;
     }
     then accept;
}
term 2 {
     from {
         source-address {
             192.168.100.0/23;
         }
     }
     then {
         discard;
     }
}
term 3 {
     then accept;
}

On 28/07/2009, at 9:40 AM, Tom Mayer wrote:

> Hi,
>
> I just started with an m10 and setting up some firewall rules.
>
> I know that default deny and permitting each individual service
> seems the best way to go. But my problem is the following filter:
>
>
> term 1 {
>   from {
>       destination-address {
>           192.168.100.0/23;
>       }
>       protocol-except tcp;
>       destination-port-except 8935;
>   }
>   then {
>       discard;
>   }
> }
> term 2 {
>   then accept;
> }
>
>
> I want on this link subnet 192.168.100.0/23 only tcp traffic on port
> 8935 allowed.
> On all other subnets, any traffic should be allowed.
>
> It seems that udp traffic on port 8935 to subnet 192.168.100.0/23 is
> allowed when this filter is applied.
>
>
> May anybody tell me the right syntax for: "traffic to
> 192.168.100.0/23, only tcp on port 8935 allowed. everything else for
> this destination is discarded. everything else on this link is
> allowed."
> I am applying the filter on the downlink interface as output.
>
>
>
> Thanks, Tom
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>

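An added illustration (not part of either message) of why Tom's filter leaks: conditions inside one Junos term are ANDed, and terms are tried in order, so a packet that is TCP or that goes to port 8935 fails term 1 and falls through to the accept. The model below is a constructed Python emulation of that match logic; the three-term version follows the shape of the reply above but keys on destination-address, an assumption based on Tom applying the filter as output.

```python
import ipaddress

# Constructed packet: destination IP, protocol name, destination port.
def packet(dst, proto, dport):
    return {"dst": ipaddress.ip_address(dst), "proto": proto, "dport": dport}

def term_matches(term, pkt):
    """All conditions under 'from' must hold (logical AND); an empty 'from' matches everything."""
    frm = term.get("from", {})
    if "destination-address" in frm and pkt["dst"] not in ipaddress.ip_network(frm["destination-address"]):
        return False
    if "protocol" in frm and pkt["proto"] != frm["protocol"]:
        return False
    if "protocol-except" in frm and pkt["proto"] == frm["protocol-except"]:
        return False
    if "destination-port" in frm and pkt["dport"] != frm["destination-port"]:
        return False
    if "destination-port-except" in frm and pkt["dport"] == frm["destination-port-except"]:
        return False
    return True

def evaluate(terms, pkt):
    """Terms are tried in order; the first match decides. No match -> Junos implicit discard."""
    for term in terms:
        if term_matches(term, pkt):
            return term["then"]
    return "discard"

# Tom's original filter: both -except conditions must be true at once, so any packet
# that is TCP *or* is destined to port 8935 skips term 1 and is accepted by term 2.
TOM_FILTER = [
    {"from": {"destination-address": "192.168.100.0/23",
              "protocol-except": "tcp", "destination-port-except": 8935},
     "then": "discard"},
    {"then": "accept"},
]

# Three-term version in the shape of the reply, written against destination-address
# because the filter is applied as output on the downlink (assumption, not from the thread).
FIXED_FILTER = [
    {"from": {"destination-address": "192.168.100.0/23", "protocol": "tcp",
              "destination-port": 8935}, "then": "accept"},
    {"from": {"destination-address": "192.168.100.0/23"}, "then": "discard"},
    {"then": "accept"},
]

if __name__ == "__main__":
    for pkt in (packet("192.168.101.7", "udp", 8935), packet("192.168.101.7", "tcp", 80),
                packet("192.168.101.7", "tcp", 8935), packet("10.0.0.1", "udp", 53)):
        print(pkt["proto"], pkt["dport"], pkt["dst"], evaluate(TOM_FILTER, pkt), evaluate(FIXED_FILTER, pkt))
```

Running it shows the original filter also passes TCP to any other port on that subnet, not just UDP/8935, while the three-term filter matches the stated requirement.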

