[j-nsp] Quick SRX host-inbound Question
mgehrmann at atlassian.com
Tue Nov 17 17:03:46 EST 2015
You might have better luck with the junos-host zone.
On 18 November 2015 at 05:13, Hugo Slabbert <hugo at slabnet.com> wrote:
> On Tue 2015-Nov-17 17:52:11 +0000, Wayne Lee via juniper-nsp <
> juniper-nsp at puck.nether.net> wrote:
> I thought you could create your own "service" and apply ports to that
>>> I'm running into an issue where I don't want to allow-all on the
>>> host-inbound but I do need a fair amount of unlisted ports to still
>>> maintain access.
>>> Does anyone remember if this is possible. Still sorting through
>>> documentation to validate my memory.
>>> Thank you,
>>> Yes you can configure a custom application and application-set with your
>> port ranges and apply that to a policy.
> That's for security policy, not host-inbound-traffic. For
> host-inbound-traffic, you are limited to the pre-configured system-services
> and protocols made available by JunOS:
> If you want to allow something to the RE that's not listed in there, you'd
> have to allow all and then filter it down with a stateless filter on the
> loopback in the relevant routing-instance to control traffic to the RE, as
> But: host-inbound-traffic is for traffic destined for the RE, meaning
> services or protocols running on the RE. What unlisted ports are you
> talking about that are for services/protocols running on the RE but which
> are not available under host-inbound-traffic under either system-services
> or protocols?
> If you're talking about traffic transiting the SRX, then yes: custom
> application and/or application-set definitions + security policies would be
> your weapon of choice. Note that you can be exposing absolutely *zero*
> services or protocols under host-inbound-traffic while still allowing
> through anything else you want in terms of transit traffic via security
> hugo at slabnet.com: email, xmpp/jabber
> PGP fingerprint (B178313E):
> CF18 15FA 9FE4 0CD1 2319 1D77 9AB1 0FFD B178 313E
> (also on Signal)
> juniper-nsp mailing list juniper-nsp at puck.nether.net
Senior Network Engineer - Atlassian
m: +61 407 570 658
More information about the juniper-nsp