[j-nsp] NTP Reflection
Per Granath
per.granath at gcc.com.cy
Tue Jan 14 09:36:08 EST 2014
# show policy-options
policy-options {
    prefix-list lo0.0-inet-address {
        apply-path "interfaces lo0 unit 0 family inet address <*>";
    }
    prefix-list ntp-servers {
        apply-path "system ntp server <*>";
    }
}
# show firewall
firewall {
    family inet {
        filter protect_RE {
            term NTP {
                from {
                    source-prefix-list {
                        ntp-servers;
                        lo0.0-inet-address;
                    }
                    protocol udp;
                    port ntp;
                }
                then accept;
            }
bla
bla
bla
-----Original Message-----
From: juniper-nsp [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Chris Adams
Sent: Tuesday, January 14, 2014 4:19 PM
To: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] NTP Reflection
Once upon a time, Olivier Benghozi <olivier.benghozi at wifirst.fr> said:
> Because if you don't do it, you'll obtain some nice "Server Timeout" if you want to issue a "show ntp status" or "show ntp associations".
> So:
> - Junos doesn't use 127.0.0.1 to locally communicate with ntpd
> - In your filters you're obliged to manually authorize internal private
> IP traffic used by the CLI and that doesn't even leave the RE
>
> Another fine design...
Seems like a good case for a commit script to auto-build the filter rule from configured NTP servers and configured loopback addresses.
--
Chris Adams <cma at cmadams.net>
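The apply-path prefix-lists above avoid the commit script Chris suggests, because Junos expands them from the configured NTP servers and lo0 addresses at commit time. The following is an added example (not configuration posted by anyone in this thread) that shows the same two prefix-lists and NTP term in the context of a complete RE-protection filter: a second term counts and discards any other NTP traffic aimed at the RE, and the filter is bound to lo0. The term name NTP-other, the counter name ntp-dropped and the lo0 binding are my additions; any other services the RE needs (SSH, BGP, SNMP and so on) still need their own accept terms before a final deny, which are deliberately left out here.

```junos
policy-options {
    prefix-list lo0.0-inet-address {
        /* expands to every IPv4 address configured on lo0.0 */
        apply-path "interfaces lo0 unit 0 family inet address <*>";
    }
    prefix-list ntp-servers {
        /* expands to every server under [system ntp] */
        apply-path "system ntp server <*>";
    }
}
firewall {
    family inet {
        filter protect_RE {
            term NTP {
                from {
                    source-prefix-list {
                        ntp-servers;
                        lo0.0-inet-address;
                    }
                    protocol udp;
                    /* 'port' matches source or destination port 123 */
                    port ntp;
                }
                then accept;
            }
            term NTP-other {
                /* anything else on UDP/123 is counted, then dropped */
                from {
                    protocol udp;
                    port ntp;
                }
                then {
                    count ntp-dropped;
                    discard;
                }
            }
            /* accept terms for other RE services, then a final deny, go here */
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect_RE;
                }
            }
        }
    }
}
```

After committing, `show configuration policy-options | display inheritance` shows what each apply-path actually expanded to, which is the check to run whenever an NTP server or lo0 address is added, and `show firewall filter protect_RE` shows the ntp-dropped counter climbing if the box is being probed as a reflector.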
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp