[j-nsp] ACL for lo0 template/example comprehensive list of 'things to think about'?

Sat May 4 08:10:55 EDT 2024

Hi Martin

I did a bit of work in this subject a couple of years ago, maybe there is
something of use here:

https://github.com/lpedder/junos-re-filters

I think this is an unreasonably complicated topic full of pitfalls, and
there's definitely a lot of misconceptions in my own work too that I
haven't spotted. Even if you sat in a lab for weeks you'd probably still be
missing something dangerous. Juniper should really come up with a better /
automated solution because the level of skill to get this right is insane.

Regards
Lee

On Thu, 2 May 2024, 16:32 Martin Tonusoo via juniper-nsp, <
juniper-nsp at puck.nether.net> wrote:

> Hi.
>
> Thanks for the feedback and remarks. I have updated the RE filters:
> https://gist.github.com/tonusoo/efd9ab4fcf2bb5a45d34d5af5e3f3e0c
>
> Few comments:
>
> * I used the ephemeral range of 49160 - 65535 based on "sysctl
> net.inet.ip.portrange.first" and "sysctl net.inet.ip.portrange.last"
> on FreeBSD shell
>
> * the "router-v4" was carried over from inet6 filters as I wanted to
> keep the v4 and v6 rules as identical as possible. It also helps to
> filter malformed packets addressed
> to multicast. For example TCP SYN packets addressed to dport 179 with
> destination IP set to 224.0.0.6
>
>
> Michael,
>
> regarding the GTSM for BGP and related filters. Do you group the BGP
> neighbors into different prefix lists based on the expected TTL?
> Something like this:
>
> root at vmx1> show configuration firewall family inet filter accept-bgp-v4
> term accept-bgp-ttl-255-v4 {
>     from {
>         source-prefix-list {
>             /* adjacent BGP neighbors with TTL set to 255 */
>             bgp-neighbors-ttl-255-v4;
>         }
>         destination-prefix-list {
>             router-v4;
>         }
>         protocol tcp;
>         ttl 255;
>         destination-port bgp;
>     }
>     then {
>         count accept-bgp-ttl-255-v4;
>         accept;
>     }
> }
> term accept-bgp-v4 {
>     from {
>         source-prefix-list {
>             /* rest of the BGP neighbors */
>             bgp-neighbors-v4;
>         }
>         destination-prefix-list {
>             router-v4;
>         }
>         protocol tcp;
>         destination-port bgp;
>     }
>     then {
>         count accept-bgp-v4;
>         accept;
>     }
> }
>
> root at vmx1>
>
>
> Martin
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>