On 8/18/2011 8:21 AM, Martin T wrote:

As you can see, there is a firewall applied to ge-0/0/0.10.
Configuration of the "fw-out" is following:

         term established {
             from {
                 tcp-established;
             }
             then {
                 count established;
                 accept;
             }
         }

You don't have a match for protocol TCP here in your term established. This can cause strange behavior since it's only doing a simple bit match against the TCP ACK or RST fields. However, because you are not tying it specifically to TCP traffic, any packet which has a 1 value at that offset will match.

The same applies to every host in 192.168.1.0/28 network. If I ping
the M20(192.168.1.14) from servers there is same amount of packet
loss. Any ideas, what might cause this "ping: sendto: Operation not
permitted"? If additional information is needed, please ask :)

Honestly, I am unsure how any of your ping packets are getting out due to the fact that you don't have any terms allowing ICMP echo-requests outbound. My only thought here is that it may be matching on the term established for the reasons I just mentioned.

I would suggest modifying the term established to include 'from protocol tcp', and then adding another term to allow ICMP echo requests outbound. Make sure to insert this term before the final drop term.

HTHs.

Stefan Fouant
JNCIE-ER, JNCIE-M, JNCIE-SEC, JNCI
Technical Trainer, Juniper Networks
http://www.shortestpathfirst.net
http://www.twitter.com/sfouant
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
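The corrected filter as described in the reply above, written out as an added example (not configuration from either poster): the term names icmp-echo-out and deny-all and the counter names are invented, since the original final drop term is not shown; the filter is assumed to be applied as an output filter on ge-0/0/0.10 as the thread states.

```junos
firewall {
    family inet {
        filter fw-out {
            /* Tie the flag match to TCP so only TCP packets with ACK or RST set match */
            term established {
                from {
                    protocol tcp;
                    tcp-established;
                }
                then {
                    count established;
                    accept;
                }
            }
            /* Explicitly permit outbound echo-requests so ping from the router works */
            term icmp-echo-out {
                from {
                    protocol icmp;
                    icmp-type echo-request;
                }
                then {
                    count icmp-echo-out;
                    accept;
                }
            }
            /* Assumed stand-in for the original final drop term; keep it last */
            term deny-all {
                then {
                    count deny-all;
                    log;
                    discard;
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 10 {
            family inet {
                filter {
                    output fw-out;
                }
            }
        }
    }
}
```

If the echo term is added to an existing filter, `insert term icmp-echo-out before term deny-all` in configuration mode puts it ahead of the drop term, and `show firewall filter fw-out` shows which term the pings are actually hitting.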