[j-nsp] "ping: sendto: Operation not permitted" in LAN

Saku Ytti saku at ytti.fi
Fri Aug 19 04:29:56 EDT 2011


On (2011-08-18 21:23 -0400), Stefan Fouant wrote:
 
> Trio has nothing to do with this - the behavior when matching on a
> port is completely different than using the bit-field match
> operators.  Even without Trio, if you specify a match on a port
> without protocol, it will look in the appropriate locations
> depending on whether the traffic is TCP or UDP.  That is not the
> case with bit-field match operators.
> 
> See http://www.juniper.net/techpubs/en_US/junos10.0/information-products/topic-collections/config-guide-policy/policy-firewall-filter-how-to-specify-match-conditions.html#jd0e29000

Thanks for clearing that up. However, if 'port' assumes an implied udp/tcp (instead
of just finding port values at a predefined offset, regardless of protocol), why
doesn't 'tcp-established' assume an implied tcp? Is there any useful application
behind this inconsistency?

Also, do you have access internally to information which you are able to share on
when the JunOS CLI would get 'match protocol udp|tcp|icmp' for ipv6? So that users
could, in the presence of extension headers, still match on the L4 protocol?

Thanks again,
-- 
  ++ytti
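The point the two messages turn on, shown as a Junos family inet firewall filter. This is an added example written for this page, not configuration from either poster or from Juniper; the filter name, term names and counter name are made up, and the port numbers are the usual BGP and NTP ones. 'tcp-established' is an alias for tcp-flags "(ack | rst)", a bit-field match at a fixed header offset that does not imply 'protocol tcp', so on its own it can also match non-TCP packets whose bytes at that offset happen to have those bits set; the weak term is shown deactivated next to the term that pins the protocol. 'port' is protocol-aware, as Stefan describes, but the example qualifies it anyway because that also states intent.

```junos
firewall {
    family inet {
        filter PROTECT-RE-EXAMPLE {
            /* WEAK (left inactive so it is never evaluated): a bare
               tcp-established is a bit-field match only. Nothing here says
               the packet must be TCP, so any IP protocol carrying those bit
               values at the TCP-flags offset would be accepted. */
            inactive: term weak-established {
                from {
                    tcp-established;
                }
                then accept;
            }
            /* FIXED: the protocol match is evaluated together with the
               bit-field match, so only real TCP segments with ACK or RST
               set reach the accept. */
            term return-traffic {
                from {
                    protocol tcp;
                    tcp-established;
                }
                then {
                    count established-accepted;
                    accept;
                }
            }
            /* port would look in the TCP or UDP header on its own; the
               protocol qualifier is kept for clarity. */
            term bgp {
                from {
                    protocol tcp;
                    port 179;
                }
                then accept;
            }
            term ntp {
                from {
                    protocol udp;
                    port 123;
                }
                then accept;
            }
            /* Everything else is counted, logged and dropped. */
            term default-discard {
                then {
                    count dropped;
                    log;
                    discard;
                }
            }
        }
    }
}
```

To try it, apply the filter as the input filter on lo0 unit 0 under family inet and watch the counters with 'show firewall filter PROTECT-RE-EXAMPLE'; temporarily activating the weak term and sending non-TCP traffic with the right bytes at the flags offset is the way to see the difference for yourself rather than take it on faith.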

