[j-nsp] EX unsupported filter policer and actions on loopback lo0
Richard A Steenbergen
ras at e-gerbil.net
Fri Dec 17 15:02:41 EST 2010
On Fri, Dec 17, 2010 at 02:03:20PM -0500, Jack Damn wrote:
> It's the first time I've made use of an EX4200's L3 routing capabilities
> and I find it quite troubling and unacceptable that I can't rate-limit
> nor log/syslog in my lo0 ingress filter.
If it makes you feel any better, you can't actually outright deny the
traffic either. The packets get dropped by the lo0 filter AFTER they've
already hit the hard-coded data plane -> control plane rate limits, so
other than accomplishing tasks like blocking password scanning attacks
on ssh, the lo0 filters are effectively useless. The only way to protect
the box is to use real interface ingress filters on every interface, and
manually specify all the destination addresses that will hit the control
plane. You can help automate this with commit scripts that build a
prefix-list of local interfaces. They did just add log/syslog on ingress
filters in 10.4 too, so that's worth something (not that I'm vouching
for 10.4 on EX, and I'm completely unvouching for it on MX, R1 is
totally broken there). :)
--
Richard A Steenbergen <ras at e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
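As an added illustration of the approach Richard describes (not code from the post or from Juniper), the script below does offline what a commit script would do on the box: it reads a Junos configuration in "set" format, collects every IPv4 address configured on an interface, normalises each to a /32 host prefix, and emits a prefix-list of those addresses, a filter that only admits expected control-plane traffic to them, and that filter applied as an input filter on every non-lo0 IPv4 interface. The sample configuration, the MGMT-HOSTS and BGP-PEERS prefixes, and the names LOCAL-ADDRS and PROTECT-RE are constructed for the example.

```python
import re
from ipaddress import ip_interface

# Constructed sample of a Junos config in "set" format; illustration input
# only, not configuration taken from the original post.
SAMPLE_CONFIG = """\
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/30
set interfaces ge-0/0/1 unit 0 family inet address 198.51.100.1/24
set interfaces vlan unit 10 family inet address 203.0.113.1/25
set interfaces lo0 unit 0 family inet address 10.255.0.1/32
set interfaces ge-0/0/2 unit 0 family inet6 address 2001:db8::1/64
"""

# Matches one IPv4 address statement; "family inet6" lines do not match.
ADDR_RE = re.compile(
    r"^set interfaces (?P<ifd>\S+) unit (?P<unit>\d+) "
    r"family inet address (?P<addr>\S+)$"
)


def local_addresses(config):
    """Return sorted (ifd, unit, host/32) tuples for every IPv4 address found.

    Each address is normalised to a /32 so the resulting prefix-list matches
    only traffic addressed to the box itself, not to its whole subnet.
    """
    found = []
    for line in config.splitlines():
        m = ADDR_RE.match(line.strip())
        if m:
            host = ip_interface(m["addr"]).ip
            found.append((m["ifd"], m["unit"], f"{host}/32"))
    return sorted(found)


def build_protect_re_config(config, mgmt_hosts, bgp_peers,
                            prefix_list="LOCAL-ADDRS", flt="PROTECT-RE"):
    """Emit set-style lines: the local-address prefix-list, a filter that
    admits only expected traffic to those addresses, and the filter applied
    as an input filter on every non-lo0 IPv4 interface."""
    addrs = local_addresses(config)
    out = []
    out += [f"set policy-options prefix-list {prefix_list} {h}" for _, _, h in addrs]
    out += [f"set policy-options prefix-list MGMT-HOSTS {p}" for p in mgmt_hosts]
    out += [f"set policy-options prefix-list BGP-PEERS {p}" for p in bgp_peers]

    t = f"set firewall family inet filter {flt} term"
    out += [
        # Management: SSH to the box only from known hosts.
        f"{t} ssh from source-prefix-list MGMT-HOSTS",
        f"{t} ssh from destination-prefix-list {prefix_list}",
        f"{t} ssh from protocol tcp",
        f"{t} ssh from destination-port ssh",
        f"{t} ssh then accept",
        # Routing: BGP only from configured peers.
        f"{t} bgp from source-prefix-list BGP-PEERS",
        f"{t} bgp from destination-prefix-list {prefix_list}",
        f"{t} bgp from protocol tcp",
        f"{t} bgp from port bgp",
        f"{t} bgp then accept",
        # Keep ICMP to the box working for troubleshooting.
        f"{t} icmp from destination-prefix-list {prefix_list}",
        f"{t} icmp from protocol icmp",
        f"{t} icmp then accept",
        # Everything else addressed to a local address is dropped at the
        # ingress interface, before the data-plane -> control-plane limits.
        f"{t} deny-to-re from destination-prefix-list {prefix_list}",
        f"{t} deny-to-re then discard",
        # Transit traffic is not the concern of this filter.
        f"{t} transit then accept",
    ]
    # Apply on every IPv4 interface except lo0; the point is to filter before
    # packets are punted, and lo0 is where the filter would be too late.
    for ifd, unit, _ in addrs:
        if ifd != "lo0":
            out.append(f"set interfaces {ifd} unit {unit} family inet filter input {flt}")
    return out


if __name__ == "__main__":
    print("\n".join(build_protect_re_config(
        SAMPLE_CONFIG, mgmt_hosts=["192.0.2.128/25"], bgp_peers=["192.0.2.2/32"])))
```

Term order matters: the "deny-to-re" term sits before the final "transit" accept, so anything addressed to a local address that was not explicitly permitted above it is discarded, while traffic merely passing through the box is untouched. Any address added to an interface later must also end up in the prefix-list, which is exactly the step a commit script on the box automates.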