Hi Tom,
Sometimes having double negatives in firewall terms is hard to read,
but I understand what you are trying to do with the "except" matches.
Here is a simple way to do it with 3 terms:
[edit firewall family inet filter tdb-foo]
l...@malaka# show
term 1 {
    from {
        source-address {
            192.168.100.0/23;
        }
        protocol tcp;
        destination-port 8935;
    }
    then accept;
}
term 2 {
    from {
        source-address {
            192.168.100.0/23;
        }
    }
    then {
        discard;
    }
}
term 3 {
    then accept;
}
On 28/07/2009, at 9:40 AM, Tom Mayer wrote:
Hi,
I just started with an M10 and am setting up some firewall rules.
I know that default deny and permitting each individual service
seems the best way to go. But my problem is the following filter:
term 1 {
    from {
        destination-address {
            192.168.100.0/23;
        }
        protocol-except tcp;
        destination-port-except 8935;
    }
    then {
        discard;
    }
}
term 2 {
    then accept;
}
On this link I want only tcp traffic on port 8935 allowed to subnet
192.168.100.0/23.
On all other subnets, any traffic should be allowed.
It seems that udp traffic on port 8935 to subnet 192.168.100.0/23 is
allowed when this filter is applied.
May anybody tell me the right syntax for: "traffic to
192.168.100.0/23, only tcp on port 8935 allowed. everything else for
this destination is discarded. everything else on this link is
allowed."
I am applying the filter on the downlink interface as output.
Thanks, Tom
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
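The thread turns on two Junos filter semantics: every match condition inside one `from` block must hold (they are ANDed, so `protocol-except tcp` together with `destination-port-except 8935` discards only packets that are neither tcp nor to port 8935), and `destination-port` with no protocol qualifier matches both TCP and UDP. The small model below is an added example, not code from either poster or from Juniper; it reproduces only those rules (first matching term wins, implicit final discard) on constructed sample packets. It evaluates Tom's original filter next to a three-term version that follows the structure of the reply but matches on destination-address, which I assume is the intended direction since the filter is applied as output on the downlink. The packet addresses are made up.

```python
"""Model of Junos stateless firewall filter term evaluation.

Constructed example for the juniper-nsp thread, not vendor code. It models
only the semantics the thread hinges on:
  * terms are evaluated in order; the first term whose `from` matches wins
  * all match conditions inside one `from` block must hold (logical AND)
  * a `-except` condition is the negation of the plain condition
  * destination-port with no protocol condition matches both TCP and UDP
  * if no term matches, the implicit final action is discard
It ignores fragments, counters, policers and everything else a real filter
can do.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None  # None for protocols without ports


def _matches(cond: str, value, pkt: Packet) -> bool:
    """Evaluate one match condition of a `from` block against a packet."""
    if cond.endswith("-except"):
        return not _matches(cond[: -len("-except")], value, pkt)
    if cond == "source-address":
        return ip_address(pkt.src) in ip_network(value)
    if cond == "destination-address":
        return ip_address(pkt.dst) in ip_network(value)
    if cond == "protocol":
        return pkt.proto == value
    if cond == "destination-port":
        # Without a protocol condition, destination-port is checked against
        # both TCP and UDP headers.
        return pkt.proto in ("tcp", "udp") and pkt.dport == value
    raise ValueError(f"unsupported match condition: {cond}")


def evaluate(filter_terms, pkt: Packet) -> str:
    """Return 'accept' or 'discard' for the first term whose conditions all
    hold. A term with an empty `from` matches everything."""
    for _name, conds, action in filter_terms:
        if all(_matches(c, v, pkt) for c, v in conds.items()):
            return action
    return "discard"  # Junos implicit final discard


# Tom's original filter: the two -except conditions are ANDed, so a packet
# is discarded only when it is NOT tcp AND NOT to port 8935.
TOM_FILTER = [
    ("1", {"destination-address": "192.168.100.0/23",
           "protocol-except": "tcp",
           "destination-port-except": 8935}, "discard"),
    ("2", {}, "accept"),
]

# Three-term version in the shape of the reply, matching on
# destination-address (assumed intended direction: output on the downlink).
FIXED_FILTER = [
    ("1", {"destination-address": "192.168.100.0/23",
           "protocol": "tcp",
           "destination-port": 8935}, "accept"),
    ("2", {"destination-address": "192.168.100.0/23"}, "discard"),
    ("3", {}, "accept"),
]

# Constructed sample packets; 192.168.101.7 is inside 192.168.100.0/23.
SAMPLE_PACKETS = {
    "tcp/8935 to subnet": Packet("10.0.0.5", "192.168.100.10", "tcp", 8935),
    "udp/8935 to subnet": Packet("10.0.0.5", "192.168.100.10", "udp", 8935),
    "tcp/80 to subnet":   Packet("10.0.0.5", "192.168.101.7", "tcp", 80),
    "icmp to subnet":     Packet("10.0.0.5", "192.168.101.7", "icmp"),
    "udp/53 elsewhere":   Packet("10.0.0.5", "192.168.200.1", "udp", 53),
}


def compare(filters=None, packets=SAMPLE_PACKETS):
    """Run every sample packet through every filter; return the actions."""
    filters = filters or {"tom": TOM_FILTER, "fixed": FIXED_FILTER}
    return {label: {fname: evaluate(f, pkt) for fname, f in filters.items()}
            for label, pkt in packets.items()}


if __name__ == "__main__":
    for label, results in compare().items():
        print(f"{label:22}" + "  ".join(f"{k}={v}" for k, v in results.items()))
```

Running it shows the original filter accepting not only udp/8935 to the subnet but also tcp on any port, because each packet only has to fail one of the ANDed `-except` conditions to fall through to the accept term; the three-term form gives the intended result for every sample packet.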