Hello List, I need some help with a sanity check on a couple routing engine filters for IPv6; specifically on the ICMPv6 section. The router will connect to routers only, no end hosts (not allowing RA and RS). Filters based off the Juniper Day One ebook Securing the Routing Engine. Should anything be added or removed? How are others doing this? Thanks in advanced.
prefix-list router-ipv6 { apply-path "interfaces <*> unit <*> family inet6 address <*:*>"; } prefix-list router-ipv6-logical-systems { apply-path "logical-systems <*> interfaces <*> unit <*> family inet6 address <*:*>"; } policer management-1m { apply-flags omit; if-exceeding { bandwidth-limit 1m; burst-size-limit 625k; } then discard; } policer management-5m { apply-flags omit; if-exceeding { bandwidth-limit 5m; burst-size-limit 625k; } then discard; } filter accept-icmpv6 { apply-flags omit; term accept-icmp { from { destination-prefix-list { router-ipv6; router-ipv6-logical-systems; } next-header icmpv6; icmp-type [ echo-reply echo-request time-exceeded unreachable source-quench parameter-problem neighbor-advertisement neighbor-solicit packet-too-big ]; } then { policer management-5m; count accept-icmpv6; accept; } } } filter accept-traceroute { apply-flags omit; term accept-traceroute-udp { from { destination-prefix-list { router-ipv6; router-ipv6-logical-systems; } next-header udp; destination-port 33435-33450; } then { policer management-1m; count accept-traceroute-udp; accept; } } term accept-traceroute-icmpv6 { from { destination-prefix-list { router-ipv6; router-ipv6-logical-systems; } next-header icmpv6; icmp-type [ echo-request timestamp time-exceeded ]; } then { policer management-1m; count accept-traceroute-icmpv6; accept; } } } _______________________________________________ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp