[j-nsp] EX4650 - loopback filter - ospf

Laurent CARON lcaron at unix-scripts.info
Tue Mar 21 07:05:33 EDT 2023


Thanks Cristian,

Not specifying source should work since this rule is supposed to be wider.

I think my question is EX4650 specific. Do you use the EX4650 platform?

Thanks

On 21/03/2023 at 11:38, Cristian Cardoso wrote:
> Hi
> 
> Here I use "from prefix-list". From what I understand from Juniper, when 
> "from destination-prefix-list" is inserted it is as if it were an IP on 
> the internal interface of the network and not a source IP filter, and 
> "from prefix-list" is more like a source address.
> 
> set firewall family inet filter PROTECT_RE term acesso-ospf from prefix-list ACCESS-v4-OSPF
> set firewall family inet filter PROTECT_RE term acesso-ospf from protocol ospf
> set firewall family inet filter PROTECT_RE term acesso-ospf then accept
> 
> On Tue., 21 Mar. 2023 at 06:30, Laurent CARON via juniper-nsp 
> <juniper-nsp at puck.nether.net> wrote:
> 
>     Hi,
> 
>     I'm currently migrating EX4500 to EX4650.
> 
>     Our loopback filter taken from EX4500 to EX4650 doesn't behave as
>     expected.
> 
>     Our lo0 filter looks like:
>     set interfaces lo0 unit 0 family inet filter input filter-management
>     set firewall family inet filter filter-management term ALLOW_SSH from source-prefix-list ssh-admin
>     set firewall family inet filter filter-management term ALLOW_SSH from protocol tcp
>     set firewall family inet filter filter-management term ALLOW_SSH from destination-port ssh
>     set firewall family inet filter filter-management term ALLOW_SSH then count filter-management_ALLOW_SSH
>     set firewall family inet filter filter-management term ALLOW_SSH then accept
>     set firewall family inet filter filter-management term DROP_SSH from source-address 0.0.0.0/0
>     set firewall family inet filter filter-management term DROP_SSH from protocol tcp
>     set firewall family inet filter filter-management term DROP_SSH from destination-port ssh
>     set firewall family inet filter filter-management term DROP_SSH then count filter-management_DROP_SSH
>     set firewall family inet filter filter-management term DROP_SSH then discard
>     set firewall family inet filter filter-management term ALLOW_NTP from source-prefix-list router-self
>     set firewall family inet filter filter-management term ALLOW_NTP from source-prefix-list ntp-servers
>     set firewall family inet filter filter-management term ALLOW_NTP from protocol udp
>     set firewall family inet filter filter-management term ALLOW_NTP from source-port ntp
>     set firewall family inet filter filter-management term ALLOW_NTP then count filter-management_ALLOW_NTP
>     set firewall family inet filter filter-management term ALLOW_NTP then accept
>     ...(bunch of allow terms)
>     set firewall family inet filter filter-management term accept-ospf from protocol ospf
>     set firewall family inet filter filter-management term accept-ospf then count filter-management-accept-ospf
>     set firewall family inet filter filter-management term accept-ospf then log
>     set firewall family inet filter filter-management term accept-ospf then syslog
>     set firewall family inet filter filter-management term accept-ospf then accept
>     set firewall family inet filter filter-management term accept-ospf-igmp from destination-prefix-list ospf-routers
>     set firewall family inet filter filter-management term accept-ospf-igmp from protocol igmp
>     set firewall family inet filter filter-management term accept-ospf-igmp then count filter-management-accept-ospf-igmp
>     set firewall family inet filter filter-management term accept-ospf-igmp then accept
> 
> 
>     If my filter stops here (implicit discard), ospf sessions previously
>     established eventually fail.
> 
>     If the last term is a default accept, OSPF is working fine.
> 
>     How do you guys accept OSPF and deny the rest on this platform?
> 
>     Thanks
> 

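One way to keep the "accept OSPF, discard the rest" posture of the filter quoted above while making any dropped OSPF visible, as an added example that is not configuration from either poster: the OSPF term is narrowed to known neighbors and to the two OSPF multicast groups plus the router's own addresses, and the implicit discard is replaced by an explicit final term that counts and syslogs before discarding. The prefix-list name `router-self` is taken from the thread and is assumed to hold this router's own interface addresses; `ospf-neighbors` and `ospf-multicast` are hypothetical lists introduced here.

```junos
## Added example (not the original poster's configuration).
## Assumptions: router-self (from the thread) lists this router's own interface
## addresses; ospf-neighbors is a hypothetical list of the OSPF neighbors'
## interface addresses.
set policy-options prefix-list ospf-multicast 224.0.0.5/32
set policy-options prefix-list ospf-multicast 224.0.0.6/32

## OSPF (protocol 89) only from listed neighbors, and only to AllSPFRouters /
## AllDRouters or to this router's own addresses (DD, LSR and retransmitted
## LSU packets are unicast, so the multicast groups alone are not enough).
set firewall family inet filter filter-management term accept-ospf from source-prefix-list ospf-neighbors
set firewall family inet filter filter-management term accept-ospf from destination-prefix-list ospf-multicast
set firewall family inet filter filter-management term accept-ospf from destination-prefix-list router-self
set firewall family inet filter filter-management term accept-ospf from protocol ospf
set firewall family inet filter filter-management term accept-ospf then count filter-management-accept-ospf
set firewall family inet filter filter-management term accept-ospf then accept

## Explicit final term: same outcome as the implicit discard, but every dropped
## packet is counted and logged, so a failing adjacency can be traced to it.
set firewall family inet filter filter-management term deny-all then count filter-management-deny-all
set firewall family inet filter filter-management term deny-all then syslog
set firewall family inet filter filter-management term deny-all then discard
```

With the explicit last term in place, `show firewall filter filter-management` shows whether the deny-all counter climbs while an adjacency is failing, and the syslog entries give the source, destination and protocol of what was discarded.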

