On Fri, Dec 17, 2010 at 02:03:20PM -0500, Jack Damn wrote:
> It's the first time I make use of an EX4200's L3 routing capabilities
> and I find it quite troubling and unacceptable that I can't rate-limit
> nor log/syslog in my lo0 ingress filter.

If it makes you feel any better, you can't actually outright deny the traffic either. The packets get dropped by the lo0 filter AFTER they've already hit the hard-coded data plane -> control plane rate limits, so other than accomplishing tasks like blocking password scanning attacks on ssh, the lo0 filters are effectively useless.

The only way to protect the box is to use real interface ingress filters on every interface, and manually specify all the destination addresses that will hit the control plane. You can help automate this with commit scripts that build a prefix-list of local interfaces.

They did just add log/syslog on ingress filters in 10.4 too, so that's worth something (not that I'm vouching for 10.4 on EX, and I'm completely unvouching for it on MX, R1 is totally broken there). :)

-- 
Richard A Steenbergen <[email protected]>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F  CC1C 53AF 4C41 5ECA F8B1 2CBC)

_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
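The approach Richard describes (a prefix-list of every local interface address, referenced by an ingress filter on every real interface rather than on lo0) is what a commit script would generate. The following added example is not from the thread or from Juniper; it is a stand-alone Python script that does the same job offline, reading a constructed Junos "set"-style config, collecting the local IPv4 addresses, and emitting the prefix-list, a policer and the per-interface filter bindings; the policer rate, burst size, and the filter and policer names are assumed placeholders.

```python
import ipaddress
import re

# Constructed sample config in Junos "set" form (not from the original message):
# every address a local interface owns is a potential control-plane destination.
SAMPLE_CONFIG = """\
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/30
set interfaces ge-0/0/1 unit 0 family inet address 198.51.100.1/24
set interfaces vlan unit 10 family inet address 203.0.113.254/24
set interfaces lo0 unit 0 family inet address 203.0.113.1/32
set interfaces ge-0/0/2 unit 0 family inet6 address 2001:db8::1/64
"""

ADDR_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet address (\S+)$")


def local_addresses(config_text):
    """Return (units, prefixes): the non-loopback inet units found, and the
    sorted, de-duplicated /32 host prefixes that all local inet units own."""
    units, hosts = [], set()
    for line in config_text.splitlines():
        m = ADDR_RE.match(line.strip())
        if not m:
            continue
        ifd, unit, addr = m.groups()
        hosts.add(f"{ipaddress.ip_interface(addr).ip}/32")  # also validates the address
        if ifd != "lo0" and (ifd, unit) not in units:
            units.append((ifd, unit))
    return units, sorted(hosts, key=ipaddress.ip_network)


def render_protect_re(config_text, filt="protect-re", policer="re-policer"):
    """Emit 'set' lines for the prefix-list, an assumed 1m/15k policer, and an
    ingress filter that polices only traffic destined to the box itself while
    accepting transit traffic, bound to every non-loopback interface unit."""
    units, hosts = local_addresses(config_text)
    out = [f"set policy-options prefix-list local-inet {p}" for p in hosts]
    out += [
        f"set firewall policer {policer} if-exceeding bandwidth-limit 1m",
        f"set firewall policer {policer} if-exceeding burst-size-limit 15k",
        f"set firewall policer {policer} then discard",
        f"set firewall family inet filter {filt} term to-me from destination-prefix-list local-inet",
        f"set firewall family inet filter {filt} term to-me then policer {policer}",
        f"set firewall family inet filter {filt} term to-me then accept",
        f"set firewall family inet filter {filt} term transit then accept",
    ]
    out += [f"set interfaces {ifd} unit {u} family inet filter input {filt}" for ifd, u in units]
    return "\n".join(out)


if __name__ == "__main__":
    print(render_protect_re(SAMPLE_CONFIG))
```

The script only handles family inet; IPv6 units and any per-protocol/port refinement of the to-me term are left out so the structure stays readable.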

