[j-nsp] fxp0.0 interface match in firewall filter doesn't work in JUNOS 12.3R5.7

Alex Arseniev alex.arseniev at gmail.com
Tue Jan 21 05:08:11 EST 2014


You should be able to do negative match on interface-group:

1/ mark all other interfaces with interface-group:
set interfaces xe-0/0/0.0 family inet filter group 100

2/ match on interface-group-except in lo0.0 FW filter
set firewall family inet filter RE-PROTECT term 1 from interface-group-except 100

(1) can be done with configuration-groups, i.e.
set groups ALL-ETHS interfaces <[xg]e-*> unit <*> family inet filter group 100

I have this successfully working in a customer's production network since Q3 2009.
It does stop spoofed src.ip attacks if the spoofed packets are coming from an 
interface other than fxp0.0.
Thanks
Alex


On 21/01/2014 01:35, Tore Anderson wrote:
> This is a heads-up to anyone planning to upgrade to 12.3R5.7, especially
> if you don't have easy access to the serial console, but only a firewall
> term such as:
>
> term allow-oob-management {
>      from {
>          interface fxp0.0;
>      }
>      then accept;
> }
>
> ...in your lo0.0 input filter (which presumably then goes on to drop all
> unmatched traffic): It simply doesn't work.
>
> I've confirmed on both MX80 and MX240, several times. After a reboot,
> the term just gets skipped, it seems. Deactivating the term, committing,
> and then reactivating it fixes the problem but that might of course be
> easier said than done if locked out of the box.
>
> Terms doing source-address matches seem to work fine.
>
> Tore
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
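The interface-group approach Alex outlines, written out as one complete lo0.0 protection filter. This is an added example, not configuration from either poster: the filter name RE-PROTECT, the configuration group ALL-ETHS and interface-group 100 come from Alex's message, while the term names, the counter names and the management prefix list MGMT-NETS with 192.0.2.0/24 are constructed for illustration. Lines beginning with ## are explanation only and are not part of the configuration.

```junos
## Step 1: tag every Ethernet interface with interface-group 100 through a
## configuration group, so interfaces added later are tagged automatically.
## The wildcard deliberately does not match fxp0.0, which stays untagged.
set groups ALL-ETHS interfaces <[xg]e-*> unit <*> family inet filter group 100
set apply-groups ALL-ETHS

## Step 2: a packet that arrived on a tagged (non-fxp0) interface but claims a
## management source address is spoofed; count it and drop it.
## (MGMT-NETS and 192.0.2.0/24 are constructed values for this example.)
set policy-options prefix-list MGMT-NETS 192.0.2.0/24
set firewall family inet filter RE-PROTECT term drop-spoofed-mgmt from source-prefix-list MGMT-NETS
set firewall family inet filter RE-PROTECT term drop-spoofed-mgmt from interface-group 100
set firewall family inet filter RE-PROTECT term drop-spoofed-mgmt then count spoofed-mgmt
set firewall family inet filter RE-PROTECT term drop-spoofed-mgmt then discard

## Step 3: accept management traffic that did NOT arrive on a tagged interface,
## i.e. that came in on fxp0.0, without naming fxp0.0 in the term at all.
## This replaces the "from interface fxp0.0" term that fails on 12.3R5.7.
set firewall family inet filter RE-PROTECT term allow-oob-management from interface-group-except 100
set firewall family inet filter RE-PROTECT term allow-oob-management then accept

## Further terms for routing protocols, SNMP, NTP and so on go here.

## Final term: everything unmatched is counted, logged and discarded.
set firewall family inet filter RE-PROTECT term default then count re-protect-drop
set firewall family inet filter RE-PROTECT term default then log
set firewall family inet filter RE-PROTECT term default then discard

## Step 4: apply the filter to the loopback so it governs traffic to the RE.
set interfaces lo0 unit 0 family inet filter input RE-PROTECT
```

Before relying on this from a remote session, verify that the allow-oob-management term is actually being hit: `show firewall filter RE-PROTECT` lists the counters, and the spoofed-mgmt and re-protect-drop counters should stay at zero for legitimate fxp0.0 management traffic while the session remains up after a commit.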