[j-nsp] 14.2 trio flexible firewall matching?

Saku Ytti saku at ytti.fi
Sun Sep 27 16:58:17 EDT 2015


Hey Michael,

> I'm wondering if anyone on list has tried this or gotten decent caveat information on this feature.  I intend to lab it but haven't gotten around to it yet.
>
> http://www.juniper.net/documentation/en_US/junos14.2/topics/concept/firewall-filter-flexible-match-conditions-overview.html
>
> Some things I wanted to explore;
> * Matching ethernet dst addr bit 8 to count/police ethernet multicast
> * Poor man's DNS reflection firewall (counting/policing DNS ANY attempts, aka fkfkfkfz.guru lookups)

I've used it to discriminate between RTCP and RTP, by checking if UDP
port is odd or even. To facilitate mirroring of RTCP packets without
mirroring RTP packets (not allowed by legislation).
Had no issues with it, and generally I'd be very comfortable running
it, it's not special in any way to the HW, rather all the other
rules are just syntactic sugar.


-- 
  ++ytti
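As an added illustration (not configuration from the post or from Juniper's documentation), this is what the odd/even UDP port check described above looks like with the flexible-match-mask condition. RTCP uses the odd port of each RTP/RTCP pair, so matching the least significant bit of the UDP destination port (bytes 2-3 of the transport header, counted from `match-start layer-4`) selects RTCP and leaves RTP alone. The filter name, term names and counter name are assumptions; the action here only counts, because the mirroring setup and where the filter is applied are site-specific.

```junos
firewall {
    family inet {
        filter rtcp-only {
            term rtcp {
                from {
                    protocol udp;
                    /* 16-bit window over the UDP destination port; mask keeps
                       only the low bit, prefix 0x0001 means "port is odd" */
                    flexible-match-mask {
                        match-start layer-4;
                        byte-offset 2;
                        bit-length 16;
                        mask-in-hex 0x0001;
                        prefix 0x0001;
                    }
                }
                then {
                    count rtcp-packets;
                    accept;
                }
            }
            /* even-port (RTP) and all other traffic is left untouched */
            term default {
                then accept;
            }
        }
    }
}
```

To sanity-check the match before trusting it with mirroring, apply the filter and compare `show firewall filter rtcp-only` against the RTP and RTCP packet counts of a known call; the `rtcp-packets` counter should track only the odd-port flow. Note that this selects by port parity alone, so any non-RTP UDP traffic on an odd port is matched as well.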

