2009/7/28 Tom Mayer <wellkn...@gmx.net>:
> It seems that udp traffic on port 8935 to subnet 192.168.100.0/23 is allowed
> when this filter is applied.
There have already been a couple of examples of the correct way to do this, but they didn't explain why your filter didn't work...

The terms in the from clause all have to match. Your filter translates as "traffic to 192.168.100.0/23 AND not tcp AND not port 8935". Your UDP traffic *is* on port 8935 and so the term does not match.

The filter below illustrates how to rewrite your filter using except matches. This is just an illustration and I wouldn't recommend using it in practice, as the previously given examples are easier to read.

term 1 {
    from {
        destination-address {
            192.168.100.0/23;
        }
        protocol-except tcp;
    }
    then discard;
}
term 2 {
    from {
        destination-address {
            192.168.100.0/23;
        }
        protocol tcp;
        destination-port-except 8935;
    }
    then {
        discard;
    }
}
term 3 {
    then accept;
}

--
Russell Heilling
http://perlmonkey.blogspot.com
"The amazing ability of the bee to adapt herself often helps the beekeeper to overcome the results of his ignorance." - Brother Adam

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
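An added example, not part of Russell's post and not Junos code: a small Python model of firewall-filter term evaluation (every condition in a term's from clause is ANDed, terms are tried in order, the first match wins, and an unmatched packet hits the implicit discard). The ORIGINAL term is reconstructed from Russell's one-line description of Tom's filter, and the packet tuples are constructed, so it shows why UDP/8935 slips through the original and is discarded by the rewrite.

```python
import ipaddress

def match_term(term, pkt):
    """True only if every condition in the term's 'from' clause matches pkt (AND)."""
    for cond, value in term.get("from", {}).items():
        if cond == "destination-address":
            hit = ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(value)
        elif cond == "protocol":
            hit = pkt["proto"] == value
        elif cond == "protocol-except":          # "except" negates the single condition
            hit = pkt["proto"] != value
        elif cond == "destination-port":
            hit = pkt["dport"] == value
        elif cond == "destination-port-except":
            hit = pkt["dport"] != value
        else:
            raise ValueError(f"unsupported match condition: {cond}")
        if not hit:
            return False                          # one failed condition, whole term fails
    return True

def evaluate(filter_terms, pkt):
    """First matching term's action wins; no match means the implicit discard."""
    for term in filter_terms:
        if match_term(term, pkt):
            return term["then"]
    return "discard"

# Tom's filter as Russell describes it: to 192.168.100.0/23 AND not tcp AND not port 8935.
ORIGINAL = [
    {"from": {"destination-address": "192.168.100.0/23", "protocol-except": "tcp",
              "destination-port-except": 8935}, "then": "discard"},
    {"then": "accept"},
]
# Russell's rewrite: drop non-TCP to the subnet, then drop TCP to the subnet except port 8935.
REWRITE = [
    {"from": {"destination-address": "192.168.100.0/23", "protocol-except": "tcp"},
     "then": "discard"},
    {"from": {"destination-address": "192.168.100.0/23", "protocol": "tcp",
              "destination-port-except": 8935}, "then": "discard"},
    {"then": "accept"},
]
# Constructed packets: (dst, proto, dport).
UDP_8935 = {"dst": "192.168.100.10", "proto": "udp", "dport": 8935}
TCP_8935 = {"dst": "192.168.100.10", "proto": "tcp", "dport": 8935}
UDP_DNS = {"dst": "192.168.101.5", "proto": "udp", "dport": 53}

if __name__ == "__main__":
    for name, pkt in [("udp/8935", UDP_8935), ("tcp/8935", TCP_8935), ("udp/53", UDP_DNS)]:
        print(f"{name}: original={evaluate(ORIGINAL, pkt)} rewrite={evaluate(REWRITE, pkt)}")
```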