[j-nsp] EX unsupported filter policer and actions on loopback lo0

Richard A Steenbergen ras at e-gerbil.net
Fri Dec 17 15:02:41 EST 2010

On Fri, Dec 17, 2010 at 02:03:20PM -0500, Jack Damn wrote:
> It's the first time I make use of an EX4200 L3 routing capabilities
> and I find it quite troubling and unacceptable that I can't rate-limit
> nor log/syslog in my lo0 ingress filter.

If it makes you feel any better, you can't actually outright deny the 
traffic either. The packets get dropped by the lo0 filter AFTER they've 
already hit the hard-coded data plane -> control plane rate limits, so 
other than accomplishing tasks like blocking password scanning attacks 
on ssh, the lo0 filters are effectively useless. The only way to protect 
the box is to use real interface ingress filters on every interface, and 
manually specify all the destination addresses that will hit the control 
plane. You can help automate this with commit scripts that build a 
prefix-list of local interfaces. They did just add log/syslog on ingress 
filters in 10.4 too, so thats worth something (not that I'm vouching 
for 10.4 on EX, and I'm completely unvouching for it on MX, R1 is 
totally broken there). :)

Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

More information about the juniper-nsp mailing list