[j-nsp] EX4650 - loopback filter - ospf

Laurent CARON lcaron at unix-scripts.info
Tue Mar 21 05:29:54 EDT 2023 

Hi,

I'm currently migrating EX4500 to EX4650.

Our loopback filter taken from EX4500 to EX4650 doesn't behave as expected.

Our lo0 filter looks like:
set interfaces lo0 unit 0 family inet filter input filter-management
set firewall family inet filter filter-management term ALLOW_SSH from 
source-prefix-list ssh-admin
set firewall family inet filter filter-management term ALLOW_SSH from 
protocol tcp
set firewall family inet filter filter-management term ALLOW_SSH from 
destination-port ssh
set firewall family inet filter filter-management term ALLOW_SSH then 
count filter-management_ALLOW_SSH
set firewall family inet filter filter-management term ALLOW_SSH then accept
set firewall family inet filter filter-management term DROP_SSH from 
source-address 0.0.0.0/0
set firewall family inet filter filter-management term DROP_SSH from 
protocol tcp
set firewall family inet filter filter-management term DROP_SSH from 
destination-port ssh
set firewall family inet filter filter-management term DROP_SSH then 
count filter-management_DROP_SSH
set firewall family inet filter filter-management term DROP_SSH then discard
set firewall family inet filter filter-management term ALLOW_NTP from 
source-prefix-list router-self
set firewall family inet filter filter-management term ALLOW_NTP from 
source-prefix-list ntp-servers
set firewall family inet filter filter-management term ALLOW_NTP from 
protocol udp
set firewall family inet filter filter-management term ALLOW_NTP from 
source-port ntp
set firewall family inet filter filter-management term ALLOW_NTP then 
count filter-management_ALLOW_NTP
set firewall family inet filter filter-management term ALLOW_NTP then accept
...(bunch of allow terms)
set firewall family inet filter filter-management term accept-ospf from 
protocol ospf
set firewall family inet filter filter-management term accept-ospf then 
count filter-management-accept-ospf
set firewall family inet filter filter-management term accept-ospf then log
set firewall family inet filter filter-management term accept-ospf then 
syslog
set firewall family inet filter filter-management term accept-ospf then 
accept
set firewall family inet filter filter-management term accept-ospf-igmp 
from destination-prefix-list ospf-routers
set firewall family inet filter filter-management term accept-ospf-igmp 
from protocol igmp
set firewall family inet filter filter-management term accept-ospf-igmp 
then count filter-management-accept-ospf-igmp
set firewall family inet filter filter-management term accept-ospf-igmp 
then accept


If my filter stops here (implicit discard), ospf sessions previously 
established eventually fail.

If the last term is a default accept, OSPF is working fine.

How do you guys do to accept OSPF and deny the rest on this platform ?

Thanks

More information about the juniper-nsp mailing list