[j-nsp] Problem with firewall m-series
Russell Heilling
chewtoy at s8n.net
Wed Jul 29 05:10:19 EDT 2009
2009/7/28 Tom Mayer <wellknown at gmx.net>:
> It seems that udp traffic on port 8935 to subnet 192.168.100.0/23 is allowed
> when applied this filter.
There have already been a couple of examples of the correct way to do
this but they didn't explain why your filter didn't work...
The terms in the from clause all have to match.
Your filter translates as "traffic to 192.168.100.0/23 AND not tcp AND
not port 8935"
Your UDP traffic *is* on port 8935 and so the term does not match.
The filter below illustrates how to rewrite your filter using except
matches. This is just an illustration and I wouldn't recommend using
it in practice as the previously given examples are easier to read.
term 1 {
    from {
        destination-address {
            192.168.100.0/23;
        }
        protocol-except tcp;
    }
    then discard;
}
term 2 {
    from {
        destination-address {
            192.168.100.0/23;
        }
        protocol tcp;
        destination-port-except 8935;
    }
    then {
        discard;
    }
}
term 3 {
    then accept;
}
--
Russell Heilling http://perlmonkey.blogspot.com
"The amazing ability of the bee to adapt herself often helps the
beekeeper to overcome the results of his ignorance." - Brother Adam
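Added illustration (not part of Russell's message or the juniper-nsp thread): a small Python model of how Junos evaluates a firewall filter, with every condition in a from clause ANDed, terms tried in order, the first match deciding, and an implicit discard at the end. It runs Tom's single-term filter, reconstructed only from Russell's translation above since the original text is not quoted, and Russell's three-term rewrite over constructed sample packets to show why UDP on port 8935 slipped through.

```python
from ipaddress import ip_address, ip_network

SUBNET = ip_network("192.168.100.0/23")

# Match conditions. Each corresponds to one line of a Junos from clause.
def to_subnet(p):     return ip_address(p["dst"]) in SUBNET  # destination-address
def is_tcp(p):        return p["proto"] == "tcp"             # protocol tcp
def not_tcp(p):       return p["proto"] != "tcp"             # protocol-except tcp
def not_port_8935(p): return p["dport"] != 8935              # destination-port-except 8935

# A filter is an ordered list of (from-conditions, action). An empty
# condition list models a term with no from clause, which matches everything.
# Tom's filter as Russell translated it: "to subnet AND not tcp AND not port 8935".
ORIGINAL = [
    ([to_subnet, not_tcp, not_port_8935], "discard"),
    ([], "accept"),
]
# Russell's rewrite: the two except matches are split into separate terms.
REWRITTEN = [
    ([to_subnet, not_tcp], "discard"),
    ([to_subnet, is_tcp, not_port_8935], "discard"),
    ([], "accept"),
]

def term_matches(conds, pkt):
    """Every condition in a from clause must be true (logical AND)."""
    return all(c(pkt) for c in conds)

def evaluate(filter_terms, pkt):
    """Terms are tried in order; the first whose from clause matches decides.
    Junos discards a packet that matches no term (implicit discard)."""
    for conds, action in filter_terms:
        if term_matches(conds, pkt):
            return action
    return "discard"

# Constructed sample packets (assumption: not traffic from the thread).
PACKETS = [
    {"proto": "udp", "dst": "192.168.100.7", "dport": 8935},  # the leak
    {"proto": "udp", "dst": "192.168.101.9", "dport": 53},
    {"proto": "tcp", "dst": "192.168.100.7", "dport": 8935},
    {"proto": "tcp", "dst": "192.168.100.7", "dport": 22},
    {"proto": "tcp", "dst": "10.0.0.1", "dport": 22},
]

def compare(packets=PACKETS):
    """Return (packet, verdict under ORIGINAL, verdict under REWRITTEN) per packet."""
    return [(p, evaluate(ORIGINAL, p), evaluate(REWRITTEN, p)) for p in packets]
```

Under ORIGINAL the UDP/8935 packet fails the not_port_8935 condition, so the single discard term does not match and the packet falls through to accept; under REWRITTEN term 1 catches it.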