[j-nsp] inet6 ttl filter / equivalent of hop-limit on non MX series
Scott
scttlists at gmail.com
Sat Nov 21 23:22:39 EST 2015
Hi All,
I am currently rewriting the inet6 firewall on a M120 and I am trying to
figure out how I can effectively filter traceroutes, especially tcp, as
hop-limit is supported on MX MIC/MPC only.
Any pointers are highly appreciated.
The config is largely based on the Day One books; here is the inet version
I am trying to convert:
filter accept-traceroute {
    apply-flags omit;
    term accept-traceroute-udp {
        from {
            destination-prefix-list {
                router-ips-ipv4;
                router-ips-logisys-ipv4;
            }
            protocol udp;
            ttl 1;
            destination-port 33434-33523;
        }
        then {
            policer management-1m;
            count accept-traceroute-udp;
            accept;
        }
    }
    term accept-traceroute-icmp {
        from {
            destination-prefix-list {
                router-ips-ipv4;
                router-ips-logisys-ipv4;
            }
            protocol icmp;
            ttl 1;
            icmp-type [ echo-request timestamp time-exceeded ];
        }
        then {
            policer management-1m;
            count accept-traceroute-icmp;
            accept;
        }
    }
    term accept-traceroute-tcp {
        from {
            destination-prefix-list {
                router-ips-ipv4;
                router-ips-logisys-ipv4;
            }
            protocol tcp;
            ttl 1;
        }
        then {
            policer management-1m;
            count accept-traceroute-tcp;
            accept;
        }
    }
}
Thanks,
Scott
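An added example, not from Scott's post and not Juniper code: a small Python parser that reads a Junos filter like the one above, lists the terms whose match depends on ttl (the ones that would need hop-limit in inet6, which the post says the M120 cannot match on), and rewrites a from block with the assumed inet6 keyword next-header in place of protocol while dropping ttl. The embedded filter is a trimmed, constructed copy of the one in the post.

```python
import re

# Constructed input: two of Scott's terms, re-indented, prefix lists trimmed to one entry.
INET_FILTER = """
filter accept-traceroute {
    term accept-traceroute-udp {
        from { destination-prefix-list { router-ips-ipv4; } protocol udp; ttl 1; destination-port 33434-33523; }
        then { policer management-1m; count accept-traceroute-udp; accept; }
    }
    term accept-traceroute-tcp {
        from { destination-prefix-list { router-ips-ipv4; } protocol tcp; ttl 1; }
        then { policer management-1m; count accept-traceroute-tcp; accept; }
    }
}
"""

def parse_junos(text):
    """Parse curly-brace Junos config: 'x y {' -> {'x y': {...}}, 'k v;' -> {'k': 'v'}, 'k;' -> {'k': True}."""
    tokens = re.findall(r"\{|\}|;|[^\s{};]+", text)
    stack, words = [{}], []
    for tok in tokens:
        if tok == "{":
            block = {}
            stack[-1][" ".join(words)] = block
            stack.append(block)
            words = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            if words:
                stack[-1][words[0]] = " ".join(words[1:]) or True
            words = []
        else:
            words.append(tok)
    return stack[0]

def filter_terms(filter_text):
    """Return {term_name: term_dict} for the first filter in the text."""
    body = next(v for k, v in parse_junos(filter_text).items() if k.startswith("filter "))
    return {k.split(None, 1)[1]: v for k, v in body.items() if k.startswith("term ")}

def ttl_dependent_terms(filter_text):
    """Terms whose match relies on ttl: their inet6 twin would need hop-limit, unavailable on the M120."""
    return [n for n, t in filter_terms(filter_text).items() if "ttl" in t.get("from", {})]

def to_inet6_from(from_block):
    """Rewrite one 'from' block for family inet6: 'protocol' becomes 'next-header' (assumed spelling);
    'ttl' is dropped and reported rather than silently renamed, so the lost guard is visible."""
    new = {("next-header" if k == "protocol" else k): v for k, v in from_block.items() if k != "ttl"}
    return new, (["ttl"] if "ttl" in from_block else [])
```

Running ttl_dependent_terms over the full filter from the post reports all three terms, since every one of them matches on ttl 1.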