[j-nsp] Quick SRX host-inbound Question

Hugo Slabbert hugo at slabnet.com
Tue Nov 17 13:13:56 EST 2015

On Tue 2015-Nov-17 17:52:11 +0000, Wayne Lee via juniper-nsp <juniper-nsp at puck.nether.net> wrote:

>> I thought you could create your own "service" and apply ports to that
>> specifically
>> I'm running into an issue where I don't want to allow-all on the
>> host-inbound but I do need a fair amount of unlisted ports to still
>> maintain access.
>> Does anyone remember if this is possible.  Still sorting through
>> documentation to validate my memory.
>> Thank you,
> Yes you can configure a custom application and application-set with your
> port ranges and apply that to a policy.

That's for security policy, not host-inbound-traffic.  For 
host-inbound-traffic, you are limited to the pre-configured system-services 
and protocols made available by JunOS:


If you want to allow something to the RE that's not listed in there, you'd 
have to allow all and then filter it down with a stateless filter on the 
loopback in the relevant routing-instance to control traffic to the RE, as 

But: host-inbound-traffic is for traffic destined for the RE, meaning 
services or protocols running on the RE.  What unlisted ports are you 
talking about that are for services/protocols running on the RE but which 
are not available under host-inbound-traffic under either system-services 
or protocols?

If you're talking about traffic transiting the SRX, then yes: custom 
application and/or application-set definitions + security policies would be 
your weapon of choice.  Note that you can be exposing absolutely *zero* 
services or protocols under host-inbound-traffic while still allowing 
through anything else you want in terms of transit traffic via security 



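The "allow all, then filter on lo0" approach described in the reply above, written out as an added Junos set-style example (not configuration from the thread or from Juniper documentation). Zone name `mgmt`, filter name `PROTECT-RE`, prefix `192.0.2.0/24` and the unlisted port `8443` are constructed placeholders.

```junos
## Added example, not from the thread. Placeholders: zone mgmt,
## prefix 192.0.2.0/24, TCP port 8443 (a service with no
## system-services keyword under host-inbound-traffic).

## Coarse knob: host-inbound-traffic opened fully on the zone
set security zones security-zone mgmt host-inbound-traffic system-services all
set security zones security-zone mgmt host-inbound-traffic protocols all

## Trusted management sources (placeholder prefix)
set policy-options prefix-list MGMT-NETS 192.0.2.0/24

## Stateless RE filter: only what is explicitly listed reaches the RE
set firewall family inet filter PROTECT-RE term ssh-from-mgmt from source-prefix-list MGMT-NETS
set firewall family inet filter PROTECT-RE term ssh-from-mgmt from protocol tcp
set firewall family inet filter PROTECT-RE term ssh-from-mgmt from destination-port ssh
set firewall family inet filter PROTECT-RE term ssh-from-mgmt then accept

## The "unlisted" port: cannot be named under host-inbound-traffic,
## so it is permitted here instead, still only from MGMT-NETS
set firewall family inet filter PROTECT-RE term custom-8443 from source-prefix-list MGMT-NETS
set firewall family inet filter PROTECT-RE term custom-8443 from protocol tcp
set firewall family inet filter PROTECT-RE term custom-8443 from destination-port 8443
set firewall family inet filter PROTECT-RE term custom-8443 then accept

## ICMP kept for diagnostics and path MTU, but rate-limited
set firewall policer ICMP-POLICER if-exceeding bandwidth-limit 1m
set firewall policer ICMP-POLICER if-exceeding burst-size-limit 15k
set firewall policer ICMP-POLICER then discard
set firewall family inet filter PROTECT-RE term icmp from protocol icmp
set firewall family inet filter PROTECT-RE term icmp then policer ICMP-POLICER
set firewall family inet filter PROTECT-RE term icmp then accept

## Replies to TCP sessions the RE itself opened; UDP replies
## (DNS, NTP) need their own terms or they hit deny-rest below
set firewall family inet filter PROTECT-RE term established from protocol tcp
set firewall family inet filter PROTECT-RE term established from tcp-established
set firewall family inet filter PROTECT-RE term established then accept

## Everything else bound for the RE is logged and dropped
set firewall family inet filter PROTECT-RE term deny-rest then log
set firewall family inet filter PROTECT-RE term deny-rest then discard

## Apply as input filter on lo0; for a non-default routing-instance,
## attach it to the lo0 unit that instance owns
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
```

Before committing, check the terminal discard against every RE-sourced protocol in use (routing protocol peers, DHCP relay, RADIUS/TACACS+ replies) and add a term for each, or `commit confirmed` so a lockout rolls back.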
