On (2012-03-05 10:13 -0500), Adam Leff wrote:
> next-header tcp;
> destination-port ssh;
Bear in mind that you cannot use these in a 'deny' context for security purposes, as bypassing them is as trivial as adding an extension header between TCP and IPv6.

So maybe you're stopping your DSL users from spamming by allowing TCP/25 to your SMTPd, then denying other TCP/25, then allowing the rest. This should not be done in JunOS in IPv6, as it can be easily bypassed. The same goes for any other situation where you deny something and later permit the rest.

Trio at least could do this correctly and find TCP headers after extension headers, and in fact it does, but there just isn't a CLI way to build firewall matches like that today.

-- 
++ytti

_______________________________________________
juniper-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
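The bypass described in the post, as an added example that is not part of the original thread and not Juniper code. The script builds raw IPv6 packets by hand (constructed sample addresses and ports, no network access), then runs the three-term policy from the post (permit TCP/25 to the MTA, deny other TCP/25, permit the rest) against two matchers. `naive_tcp_dport` is an assumed model of a term that only inspects the fixed header's Next Header field, which is the behaviour the post attributes to the `next-header tcp; destination-port` match; `walk_tcp_dport` follows the extension-header chain the way a correct implementation would. Inserting one Destination Options header between IPv6 and TCP makes the spam packet fall through to the final permit term under the naive matcher, while the chain-walking matcher still denies it.

```python
"""Demonstrate an IPv6 extension-header bypass of a next-header/port deny term.

Added example; packet contents, addresses and the matcher models are constructed
assumptions, not a description of any specific vendor implementation.
"""
import struct

IPPROTO_HOPOPTS, IPPROTO_TCP, IPPROTO_ROUTING = 0, 6, 43
IPPROTO_FRAGMENT, IPPROTO_DSTOPTS = 44, 60

# Constructed addresses: the mail server and an unrelated host on the same prefix.
MTA = bytes.fromhex("20010db8000000020000000000000025")
VICTIM = bytes.fromhex("20010db8000000030000000000000001")
DSL_USER = bytes.fromhex("20010db8000000010000000000000001")


def ipv6_header(next_header, dst, payload):
    """Fixed 40-byte IPv6 header: version 6, payload length, Next Header, hop limit 64."""
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + DSL_USER + dst + payload


def opts_header(next_header):
    """8-byte Hop-by-Hop or Destination Options header holding a single PadN option."""
    return struct.pack("!BB", next_header, 0) + bytes([1, 4, 0, 0, 0, 0])


def tcp_segment(sport, dport):
    """Minimal 20-byte TCP SYN; only the ports matter for the filter."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)


def naive_tcp_dport(pkt):
    """Assumed model of a term that only reads the fixed header's Next Header field."""
    if pkt[6] != IPPROTO_TCP:
        return None
    return struct.unpack_from("!H", pkt, 40 + 2)[0]


def walk_tcp_dport(pkt):
    """Follow the extension-header chain and return the TCP destination port, or None."""
    nh, off = pkt[6], 40
    while off + 8 <= len(pkt):
        if nh == IPPROTO_TCP:
            return struct.unpack_from("!H", pkt, off + 2)[0]
        if nh in (IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_DSTOPTS):
            # Hdr Ext Len counts 8-octet units beyond the first 8 octets.
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        elif nh == IPPROTO_FRAGMENT:
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3 != 0:
                return None  # non-first fragment: no transport header to inspect
            nh, off = pkt[off], off + 8
        else:
            return None  # AH/ESP/other: treat as "no TCP header found"
    return None


def filter_decision(pkt, get_dport):
    """The post's policy: permit TCP/25 to the MTA, deny other TCP/25, permit the rest."""
    dport, dst = get_dport(pkt), pkt[24:40]
    if dport == 25 and dst == MTA:
        return "permit (term 1: TCP/25 to SMTPd)"
    if dport == 25:
        return "deny (term 2: other TCP/25)"
    return "permit (term 3: everything else)"


# Constructed spam attempts aimed at a host that is not the MTA.
SPAM_PLAIN = ipv6_header(IPPROTO_TCP, VICTIM, tcp_segment(40000, 25))
SPAM_WITH_EXT = ipv6_header(IPPROTO_DSTOPTS, VICTIM,
                            opts_header(IPPROTO_TCP) + tcp_segment(40000, 25))
SPAM_TWO_EXT = ipv6_header(IPPROTO_HOPOPTS, VICTIM,
                           opts_header(IPPROTO_DSTOPTS) + opts_header(IPPROTO_TCP)
                           + tcp_segment(40000, 25))

if __name__ == "__main__":
    for name, pkt in [("plain", SPAM_PLAIN), ("dstopts", SPAM_WITH_EXT), ("hbh+dstopts", SPAM_TWO_EXT)]:
        print(f"{name:12} naive: {filter_decision(pkt, naive_tcp_dport)}")
        print(f"{name:12} walk : {filter_decision(pkt, walk_tcp_dport)}")
```

The practical takeaway matches the post: a deny term keyed on `next-header tcp` only holds if the platform locates TCP after the extension chain; until that can be expressed in the CLI, structure the policy so that the final action is deny and the exceptions are explicit permits, rather than relying on a deny that a crafted header can slip past.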

