[j-nsp] EX4200-24f lo0 filter

Stefan Fouant sfouant at shortestpathfirst.net
Fri Jan 29 15:22:09 EST 2010


> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-
> bounces at puck.nether.net] On Behalf Of Richard A Steenbergen
> Sent: Friday, January 29, 2010 4:42 AM
> 
> In the early versions of EX code (9.2) the loopback filters were
> totally
> non-functional, leaving the box exposed to even simple things like ssh
> access to the device (guess they never added tcp wrappers to junos
> because the assumption was firewalling would take care of it :P).
> They've been slowly adding more features with each new version of code,
> and the last time I looked (9.6, though I think 10.0 is the same thing)
> you could finally do lo0 filtering, but you couldn't police, log,
> sample, count, etc. I think there are a lot more missing firewall
> features on the roadmap for 10.1/10.2 though, so you might want to keep
> an eye out for those. IMHO the current EX loopback firewall
> functionality is not currently sufficient for real use (policers are
> kinda important :P).

Although it seems they've been adding important things like logging and
support for prefix-lists in later releases, I'm still dismayed that it
doesn't appear that simple things like just configuring a match condition of
'from port xxx' can be configured.  The only options appear to be 'from
source-port xxx' or 'from destination-port xxx', which for things like BGP
requires a total of 2 terms to accommodate bidirectional communications and
ensure that BGP will be allowed in the event that either side initiates the
connection (assuming 'passive' or 'active' options haven't been configured).

Still waiting for the Juniper 1-1-1 vision of one OS to be fully realized...
:(

Stefan Fouant, CISSP, JNCIE-M/T
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D
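The two-term BGP arrangement described in the message above, written out as an added Junos configuration example (not from the original thread or from Juniper); the filter and prefix-list names and the peer addresses are made up.

```junos
policy-options {
    prefix-list bgp-peers {
        /* constructed sample peer addresses */
        192.0.2.1/32;
        192.0.2.2/32;
    }
}
firewall {
    family inet {
        filter protect-re {
            /* Session opened by the peer: the packet's destination port is 179. */
            term bgp-peer-initiated {
                from {
                    source-prefix-list {
                        bgp-peers;
                    }
                    protocol tcp;
                    destination-port 179;
                }
                then accept;
            }
            /* Session opened locally: the peer's replies carry source port 179. */
            term bgp-locally-initiated {
                from {
                    source-prefix-list {
                        bgp-peers;
                    }
                    protocol tcp;
                    source-port 179;
                }
                then accept;
            }
            /* On platforms that accept 'port 179', the two terms above
               collapse into a single term. */
            term deny-everything-else {
                then discard;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

A real loopback filter needs terms for the other control-plane traffic the box depends on (IGP, ICMP, management access) before the final discard; they are omitted here to keep the BGP point visible.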


