[j-nsp] EX4650 - loopback filter - ospf

Cristian Cardoso cristian.cardoso11 at gmail.com
Tue Mar 21 07:10:33 EDT 2023


No, I use MX's and QFX's and EX these days.

On Tue, 21 Mar 2023 at 08:05, Laurent CARON <
lcaron at unix-scripts.info> wrote:

> Thanks Cristian,
>
> Not specifying source should work since this rule is supposed to be wider.
>
> I think my question is EX4650 specific. Do you use the EX4650 platform?
>
> Thanks
>
> On 21/03/2023 at 11:38, Cristian Cardoso wrote:
> > Hi
> >
> > Here I use "from prefix-list". From what I understand from Juniper, when
> > "from destination-prefix-list" is used it is as if it were an IP on
> > the internal interface of the network and not a source IP filter, and
> > "from prefix-list" is more like source address.
> >
> > set firewall family inet filter PROTECT_RE term acesso-ospf from prefix-list ACCESS-v4-OSPF
> > set firewall family inet filter PROTECT_RE term acesso-ospf from protocol ospf
> > set firewall family inet filter PROTECT_RE term acesso-ospf then accept
> >
> > On Tue, 21 Mar 2023 at 06:30, Laurent CARON via juniper-nsp
> > <juniper-nsp at puck.nether.net> wrote:
> >
> >     Hi,
> >
> >     I'm currently migrating EX4500 to EX4650.
> >
> >     Our loopback filter taken from EX4500 to EX4650 doesn't behave as
> >     expected.
> >
> >     Our lo0 filter looks like:
> >     set interfaces lo0 unit 0 family inet filter input filter-management
> >     set firewall family inet filter filter-management term ALLOW_SSH from source-prefix-list ssh-admin
> >     set firewall family inet filter filter-management term ALLOW_SSH from protocol tcp
> >     set firewall family inet filter filter-management term ALLOW_SSH from destination-port ssh
> >     set firewall family inet filter filter-management term ALLOW_SSH then count filter-management_ALLOW_SSH
> >     set firewall family inet filter filter-management term ALLOW_SSH then accept
> >     set firewall family inet filter filter-management term DROP_SSH from source-address 0.0.0.0/0
> >     set firewall family inet filter filter-management term DROP_SSH from protocol tcp
> >     set firewall family inet filter filter-management term DROP_SSH from destination-port ssh
> >     set firewall family inet filter filter-management term DROP_SSH then count filter-management_DROP_SSH
> >     set firewall family inet filter filter-management term DROP_SSH then discard
> >     set firewall family inet filter filter-management term ALLOW_NTP from source-prefix-list router-self
> >     set firewall family inet filter filter-management term ALLOW_NTP from source-prefix-list ntp-servers
> >     set firewall family inet filter filter-management term ALLOW_NTP from protocol udp
> >     set firewall family inet filter filter-management term ALLOW_NTP from source-port ntp
> >     set firewall family inet filter filter-management term ALLOW_NTP then count filter-management_ALLOW_NTP
> >     set firewall family inet filter filter-management term ALLOW_NTP then accept
> >     ...(bunch of allow terms)
> >     set firewall family inet filter filter-management term accept-ospf from protocol ospf
> >     set firewall family inet filter filter-management term accept-ospf then count filter-management-accept-ospf
> >     set firewall family inet filter filter-management term accept-ospf then log
> >     set firewall family inet filter filter-management term accept-ospf then syslog
> >     set firewall family inet filter filter-management term accept-ospf then accept
> >     set firewall family inet filter filter-management term accept-ospf-igmp from destination-prefix-list ospf-routers
> >     set firewall family inet filter filter-management term accept-ospf-igmp from protocol igmp
> >     set firewall family inet filter filter-management term accept-ospf-igmp then count filter-management-accept-ospf-igmp
> >     set firewall family inet filter filter-management term accept-ospf-igmp then accept
> >
> >
> >     If my filter stops here (implicit discard), ospf sessions previously
> >     established eventually fail.
> >
> >     If the last term is a default accept, OSPF is working fine.
> >
> >     How do you accept OSPF and deny the rest on this platform?
> >
> >     Thanks
> >     _______________________________________________
> >     juniper-nsp mailing list juniper-nsp at puck.nether.net
> >     https://puck.nether.net/mailman/listinfo/juniper-nsp
> >
>
>
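
An added example, not from this thread or from Juniper: a small Python evaluator for Junos-style `set firewall family inet filter ... term ...` statements of the kind quoted above. It walks the terms in configuration order, ANDs the match kinds within a term, ORs conditions of the same kind, treats `count`/`log`/`syslog` as non-terminating, and applies the implicit discard at the end, so you can see which term a given packet hits before committing a lo0 filter. It also contrasts `prefix-list` (matches source or destination), `source-prefix-list` and `destination-prefix-list`, the distinction discussed in the thread. The configuration, prefix-list contents and packets are constructed for the example and trimmed from the poster's filter; the evaluator models documented filter semantics only, not whatever platform-specific behaviour the EX4650 question is about.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Added example; not code from the thread or from Juniper.
PROTO_NUMS = {"tcp": 6, "udp": 17, "igmp": 2, "ospf": 89}
PORT_NUMS = {"ssh": 22, "ntp": 123}
TERM_RE = re.compile(r"^set firewall family inet filter (\S+) term (\S+) (from|then) (\S+)(?: (\S+))?$")
PL_RE = re.compile(r"^set policy-options prefix-list (\S+) (\S+)$")


@dataclass
class Term:
    name: str
    src: list = field(default_factory=list)     # source-address / source-prefix-list
    dst: list = field(default_factory=list)     # destination-address / destination-prefix-list
    either: list = field(default_factory=list)  # prefix-list: matches source OR destination
    proto: set = field(default_factory=set)
    sport: set = field(default_factory=set)
    dport: set = field(default_factory=set)
    action: str = "accept"  # Junos: a term without a terminating action accepts

    def matches(self, pkt):
        def in_any(nets, addr):
            return any(addr in net for net in nets)
        # Same-kind conditions are ORed (in_any / set membership); kinds are ANDed.
        rules = [
            (self.src, lambda: in_any(self.src, pkt["src"])),
            (self.dst, lambda: in_any(self.dst, pkt["dst"])),
            (self.either, lambda: in_any(self.either, pkt["src"]) or in_any(self.either, pkt["dst"])),
            (self.proto, lambda: pkt["proto"] in self.proto),
            (self.sport, lambda: pkt.get("sport") in self.sport),
            (self.dport, lambda: pkt.get("dport") in self.dport),
        ]
        return all(check() for spec, check in rules if spec)


def parse_filter(config, filter_name):
    """Return the terms of `filter_name` in configuration order."""
    lines = [ln.strip() for ln in config.strip().splitlines()]
    prefix_lists = {}
    for m in filter(None, map(PL_RE.match, lines)):       # resolve prefix lists first
        prefix_lists.setdefault(m[1], []).append(ipaddress.ip_network(m[2]))
    terms = {}                                           # dict keeps insertion order
    for m in filter(None, map(TERM_RE.match, lines)):
        fname, tname, clause, key, val = m.groups()
        if fname != filter_name:
            continue
        term = terms.setdefault(tname, Term(tname))
        is_src = key.startswith("source")
        if clause == "then":
            if key in ("accept", "discard", "reject"):
                term.action = key                        # count/log/syslog: non-terminating
        elif key in ("source-address", "destination-address"):
            (term.src if is_src else term.dst).append(ipaddress.ip_network(val))
        elif key in ("source-prefix-list", "destination-prefix-list"):
            (term.src if is_src else term.dst).extend(prefix_lists[val])
        elif key == "prefix-list":
            term.either.extend(prefix_lists[val])
        elif key == "protocol":
            term.proto.add(PROTO_NUMS.get(val) or int(val))
        elif key in ("source-port", "destination-port"):
            (term.sport if is_src else term.dport).add(PORT_NUMS.get(val) or int(val))
    return list(terms.values())


def evaluate(terms, pkt):
    """Walk terms in order; a packet matching no term hits the implicit discard."""
    pkt = dict(pkt, src=ipaddress.ip_address(pkt["src"]), dst=ipaddress.ip_address(pkt["dst"]))
    for term in terms:
        if term.matches(pkt):
            return term.name, term.action
    return "(implicit)", "discard"


# Constructed configuration: a trimmed version of the thread's lo0 filter plus two
# one-term filters that differ only in the prefix-list match kind.
CONFIG = """
set policy-options prefix-list ssh-admin 10.0.0.0/24
set policy-options prefix-list ospf-routers 10.0.0.0/24
set firewall family inet filter filter-management term ALLOW_SSH from source-prefix-list ssh-admin
set firewall family inet filter filter-management term ALLOW_SSH from protocol tcp
set firewall family inet filter filter-management term ALLOW_SSH from destination-port ssh
set firewall family inet filter filter-management term ALLOW_SSH then accept
set firewall family inet filter filter-management term DROP_SSH from source-address 0.0.0.0/0
set firewall family inet filter filter-management term DROP_SSH from protocol tcp
set firewall family inet filter filter-management term DROP_SSH from destination-port ssh
set firewall family inet filter filter-management term DROP_SSH then discard
set firewall family inet filter filter-management term accept-ospf from protocol ospf
set firewall family inet filter filter-management term accept-ospf then count c-ospf
set firewall family inet filter filter-management term accept-ospf then accept
set firewall family inet filter filter-management term accept-ospf-igmp from destination-prefix-list ospf-routers
set firewall family inet filter filter-management term accept-ospf-igmp from protocol igmp
set firewall family inet filter filter-management term accept-ospf-igmp then accept
set firewall family inet filter by-prefix-list term ospf from prefix-list ospf-routers
set firewall family inet filter by-prefix-list term ospf from protocol ospf
set firewall family inet filter by-dst-list term ospf from destination-prefix-list ospf-routers
set firewall family inet filter by-dst-list term ospf from protocol ospf
"""

# Constructed packets (addresses are placeholders).
OSPF_HELLO = {"src": "10.0.0.2", "dst": "224.0.0.5", "proto": 89}   # AllSPFRouters multicast
SSH_STRANGER = {"src": "192.0.2.10", "dst": "10.0.0.1", "proto": 6, "dport": 22}
SSH_ADMIN = {"src": "10.0.0.5", "dst": "10.0.0.1", "proto": 6, "dport": 22}
IGMP_QUERY = {"src": "10.0.0.2", "dst": "10.0.0.1", "proto": 2}
STRAY_UDP = {"src": "10.0.0.2", "dst": "10.0.0.1", "proto": 17, "dport": 5000}


def run_samples():
    mgmt = parse_filter(CONFIG, "filter-management")
    return {
        "ospf_hello": evaluate(mgmt, OSPF_HELLO),
        "ssh_stranger": evaluate(mgmt, SSH_STRANGER),
        "ssh_admin": evaluate(mgmt, SSH_ADMIN),
        "igmp": evaluate(mgmt, IGMP_QUERY),
        "stray_udp": evaluate(mgmt, STRAY_UDP),
        "hello_prefix_list": evaluate(parse_filter(CONFIG, "by-prefix-list"), OSPF_HELLO),
        "hello_dst_list": evaluate(parse_filter(CONFIG, "by-dst-list"), OSPF_HELLO),
    }


if __name__ == "__main__":
    for name, (term, action) in run_samples().items():
        print(f"{name:18} -> term {term:<16} {action}")
```

Two things the run makes visible: the unconstrained `from protocol ospf` term accepts the multicast hello, whereas a term keyed on a `destination-prefix-list` of unicast router addresses never sees 224.0.0.5 and the hello falls through to the implicit discard; and `prefix-list` matches on either address, so it accepts the same hello by its source. The evaluator says what the filter should do by its semantics; it cannot explain a platform that drops traffic the filter accepts, which is the EX4650 question left open in the thread.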


More information about the juniper-nsp mailing list