[j-nsp] MX480 RE-S-2000 IGMP flood
Saku Ytti
saku at ytti.fi
Sat Feb 1 03:24:30 EST 2014
On (2014-02-01 11:16 +0400), Misak Khachatryan wrote:
> Should I write filters specific for each lo and routing instance
> unit or lo0.0 is catch all for everything?
I recommend applying same filter in each loopback. Security posture of VPN is
mostly same as INET, except source address is not to be trusted (there may be
INET behind customer VPN and you may not know how it's managed)
Critically make sure you verify destination address in firewall filter
especially for non-customer protocols like ssh, http, snmp, ntp, igp etc.
--
++ytti
More information about the juniper-nsp
mailing list