[j-nsp] ACL for lo0 template/example comprehensive list of 'things to think about'?

Martin Tonusoo martin at tonusoo.ee
Thu May 2 10:32:12 EDT 2024


Hi.

Thanks for the feedback and remarks. I have updated the RE filters:
https://gist.github.com/tonusoo/efd9ab4fcf2bb5a45d34d5af5e3f3e0c

A few comments:

* I used the ephemeral range of 49160 - 65535 based on "sysctl
net.inet.ip.portrange.first" and "sysctl net.inet.ip.portrange.last"
in the FreeBSD shell.

* the "router-v4" was carried over from the inet6 filters, as I wanted to
keep the v4 and v6 rules as identical as possible. It also helps to
filter malformed packets addressed to multicast. For example, TCP SYN
packets addressed to dport 179 with the destination IP set to 224.0.0.6.


Michael,

regarding GTSM for BGP and the related filters: do you group the BGP
neighbors into different prefix lists based on the expected TTL?
Something like this:

root@vmx1> show configuration firewall family inet filter accept-bgp-v4
term accept-bgp-ttl-255-v4 {
    from {
        source-prefix-list {
            /* adjacent BGP neighbors with TTL set to 255 */
            bgp-neighbors-ttl-255-v4;
        }
        destination-prefix-list {
            router-v4;
        }
        protocol tcp;
        ttl 255;
        destination-port bgp;
    }
    then {
        count accept-bgp-ttl-255-v4;
        accept;
    }
}
term accept-bgp-v4 {
    from {
        source-prefix-list {
            /* rest of the BGP neighbors */
            bgp-neighbors-v4;
        }
        destination-prefix-list {
            router-v4;
        }
        protocol tcp;
        destination-port bgp;
    }
    then {
        count accept-bgp-v4;
        accept;
    }
}

root@vmx1>


Martin
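
An added example, not part of Martin's post or of any Junos code, that models the top-down evaluation of the two terms quoted above in Python over constructed prefix-list contents (documentation addresses, assumed here), so the GTSM fall-through is visible: a packet that claims an adjacent neighbor's source but arrives with TTL 254 matches neither term, and neither does the SYN to 224.0.0.6 mentioned earlier, because multicast is not in router-v4.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str    # source IP
    dst: str    # destination IP
    proto: str  # "tcp", "udp", ...
    dport: int  # destination port
    ttl: int    # IP TTL as seen by the RE

# Constructed prefix-list contents (documentation ranges, not real lists).
PREFIX_LISTS = {
    "bgp-neighbors-ttl-255-v4": ["192.0.2.1/32", "192.0.2.5/32"],  # adjacent
    "bgp-neighbors-v4": ["198.51.100.0/24"],                        # multihop
    "router-v4": ["203.0.113.1/32"],                                 # lo0 / RE
}

# The two terms of the quoted accept-bgp-v4 filter, in order; ttl=None means
# the term has no TTL match condition. Both also require tcp/179 to router-v4.
TERMS = [
    ("accept-bgp-ttl-255-v4", "bgp-neighbors-ttl-255-v4", 255),
    ("accept-bgp-v4", "bgp-neighbors-v4", None),
]

def in_prefix_list(addr: str, name: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in PREFIX_LISTS[name])

def first_matching_term(pkt: Packet):
    """Evaluate terms top-down as Junos does; return the first term whose
    from{} conditions all match, or None if the packet falls through to the
    later terms of the RE filter chain (normally a discard)."""
    for name, src_list, ttl in TERMS:
        if (pkt.proto == "tcp" and pkt.dport == 179
                and in_prefix_list(pkt.src, src_list)
                and in_prefix_list(pkt.dst, "router-v4")
                and (ttl is None or pkt.ttl == ttl)):
            return name
    return None

if __name__ == "__main__":
    cases = [
        Packet("192.0.2.1", "203.0.113.1", "tcp", 179, 255),    # adjacent, GTSM ok
        Packet("192.0.2.1", "203.0.113.1", "tcp", 179, 254),    # adjacent src, TTL off
        Packet("198.51.100.7", "203.0.113.1", "tcp", 179, 61),  # multihop peer
        Packet("192.0.2.1", "224.0.0.6", "tcp", 179, 255),      # SYN to multicast
    ]
    for p in cases:
        print(p.src, "->", p.dst, "ttl", p.ttl, "=>", first_matching_term(p))
```

Note that an adjacent neighbor listed only in bgp-neighbors-ttl-255-v4 has no fallback term, which is the intended GTSM behavior; if the same address were also in bgp-neighbors-v4, the second term would accept it regardless of TTL.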

