[j-nsp] Firewall filter using a prefix-list, not updating

Saku Ytti saku at ytti.fi
Mon Mar 5 10:25:48 EST 2012


On (2012-03-05 10:13 -0500), Adam Leff wrote:

>         next-header tcp;
>         destination-port ssh;

Bear in mind that you cannot use these in a 'deny' context for security
purposes, as bypassing them is as trivial as adding an extension header
between the IPv6 header and TCP.

So maybe you're stopping your DSL users from spamming by allowing TCP/25 to
your SMTPd, then denying other TCP/25, then allowing the rest. This should
not be done in JunOS for IPv6, as it can be easily bypassed. The same goes for any
other situation where you deny something and later permit the rest.

Trio at least could do this correctly and find TCP headers after extension
headers, and in fact it does, but there just isn't a CLI way to build firewall
matches like that today.

-- 
  ++ytti
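The bypass described in the post, shown as an added example (this is not code from the thread or from Juniper). It builds two raw IPv6 packets carrying a TCP SYN to port 25 from a constructed "DSL user" address to a constructed "other host": one with TCP directly after the fixed header, one with a Destination Options extension header inserted first. A naive matcher that only looks at the fixed header's Next Header field (what the post says the current CLI match does) is compared with one that walks the extension-header chain, and both are run through the three-term permit/deny/permit policy from the post. The addresses, port numbers and the `naive_tcp_dport` / `chain_walk_tcp_dport` helper names are assumptions made for the example.

```python
import struct

# IPv6 Next Header values (IANA protocol numbers)
NH_HOPOPT = 0
NH_TCP = 6
NH_ROUTING = 43
NH_FRAGMENT = 44
NH_DSTOPTS = 60
EXT_OPTIONS_LIKE = {NH_HOPOPT, NH_ROUTING, NH_DSTOPTS}  # carry a Hdr Ext Len byte

SMTP_PORT = 25
# Constructed addresses for the example (documentation prefix 2001:db8::/32)
OUR_SMTPD = bytes.fromhex("20010db8000000000000000000000025")
DSL_USER = bytes.fromhex("20010db8000000010000000000000001")
OTHER_HOST = bytes.fromhex("20010db8ffff00000000000000000001")


def tcp_segment(sport, dport):
    """Minimal 20-byte TCP header (SYN, no options, zero checksum)."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | 0x02, 65535, 0, 0)


def options_ext_header(next_header):
    """An 8-byte Hop-by-Hop / Destination Options header holding one PadN option.
    Hdr Ext Len counts 8-octet units beyond the first 8, so here it is 0."""
    padn = b"\x01\x04" + b"\x00" * 4
    return bytes([next_header, 0]) + padn


def ipv6_packet(src, dst, first_next_header, rest):
    """40-byte fixed IPv6 header (version 6, hop limit 64) followed by rest."""
    hdr = struct.pack("!IHBB", 0x60000000, len(rest), first_next_header, 64) + src + dst
    return hdr + rest


def naive_tcp_dport(pkt):
    """What a filter that trusts only the fixed header sees: Next Header must
    be TCP and the port is read right after the 40-byte header. Returns None
    (i.e. "not TCP") as soon as an extension header is in the way."""
    if pkt[6] != NH_TCP or len(pkt) < 44:
        return None
    return struct.unpack("!H", pkt[42:44])[0]


def chain_walk_tcp_dport(pkt):
    """Walk the extension-header chain to the upper-layer header, then read the port."""
    nh, off = pkt[6], 40
    while True:
        if nh == NH_TCP:
            return struct.unpack("!H", pkt[off + 2:off + 4])[0] if len(pkt) >= off + 4 else None
        if nh == NH_FRAGMENT:
            if len(pkt) < off + 8:
                return None
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3 != 0:
                return None  # non-initial fragment: no TCP header to inspect
            nh, off = pkt[off], off + 8  # fragment header is a fixed 8 bytes
        elif nh in EXT_OPTIONS_LIKE:
            if len(pkt) < off + 2:
                return None
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        else:
            return None  # some other upper-layer protocol (UDP, ICMPv6, ...)


def filter_action(pkt, dport_of):
    """The three-term policy from the post: permit TCP/25 to our SMTPd,
    deny any other TCP/25, permit everything else."""
    dst = pkt[24:40]
    dport = dport_of(pkt)
    if dport == SMTP_PORT and dst == OUR_SMTPD:
        return "permit-smtpd"
    if dport == SMTP_PORT:
        return "deny-smtp"
    return "permit-rest"


def demo():
    """Spam attempt to an outside MX, with and without a Destination Options header."""
    plain = ipv6_packet(DSL_USER, OTHER_HOST, NH_TCP, tcp_segment(40000, SMTP_PORT))
    evasive = ipv6_packet(DSL_USER, OTHER_HOST, NH_DSTOPTS,
                          options_ext_header(NH_TCP) + tcp_segment(40000, SMTP_PORT))
    return {
        "plain_naive": filter_action(plain, naive_tcp_dport),
        "plain_walk": filter_action(plain, chain_walk_tcp_dport),
        "evasive_naive": filter_action(evasive, naive_tcp_dport),
        "evasive_walk": filter_action(evasive, chain_walk_tcp_dport),
    }


if __name__ == "__main__":
    for name, action in demo().items():
        print(name, action)
```

The eight-byte Destination Options header is all it takes: the naive matcher sees Next Header 60, decides "not TCP", and the packet falls through to the final permit term. The chain-walking matcher reaches the same TCP header in both packets and denies both, which is the behaviour the post says the Trio forwarding engine is capable of but that the filter CLI does not expose.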

