* Randy Bush

> i am getting a lot of these on my seattle internet exchange interface 
> 
> May  4 00:18:39 rpd[1485]: rv_listen_accept: Connection attempt from 
> unconfigured session: ::Ffff:222.77.14.229+40604

One neat feature you can use to get rid of noise and misbehaviour from
unconfigured peers is to use a prefix-list with apply-path to allow BGP
traffic only from configured peers, like so:

tore@cr2-osl2# show policy-options prefix-list bgp-configured-peers 
apply-path "protocols bgp group <*> neighbor <*>";

and then just refer to it in your lo0 input filter (followed by a
default deny of course), in my case:

tore@cr2-osl2# show firewall family inet6 filter lo0-input-v6 term allow-bgp  
from {
    source-prefix-list {
        bgp-configured-peers;
    }
    next-header tcp;
    port bgp;
}
then accept;

-- 
Tore Anderson
Redpill Linpro AS - http://www.redpill-linpro.com
_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
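The apply-path trick above turns every configured `neighbor` into a prefix-list entry, and the lo0 filter then admits TCP/179 only from those sources. The script below is an added example (not part of the post, and not Junos or Redpill Linpro code) that emulates that expansion offline over a constructed config fragment, applies the same accept/deny decision to constructed `rv_listen_accept` log lines, and splits the unconfigured attempts by address family. The family split is the caveat worth checking: rpd logs IPv4 sessions in IPv4-mapped form (`::ffff:a.b.c.d`, as in the quoted log line), and those connections are matched by a `family inet` filter, not by the `family inet6` filter shown, so both families need a term. All addresses, group names and log lines are constructed from documentation ranges; the `ipaddress` module's `ipv4_mapped` attribute does the folding.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample Junos configuration fragment (not from the post):
# two BGP groups with neighbors, the data that apply-path
# "protocols bgp group <*> neighbor <*>" walks.
SAMPLE_CONFIG = """
protocols {
    bgp {
        group transit-v4 {
            neighbor 192.0.2.1;
            neighbor 192.0.2.9;
        }
        group ixp-v6 {
            neighbor 2001:db8:ffff::1;
        }
    }
}
"""

# Constructed log lines in the format quoted in the thread; the addresses
# are documentation ranges, not the ones from the post.
SAMPLE_LOGS = [
    "May  4 00:18:39 rpd[1485]: rv_listen_accept: Connection attempt from "
    "unconfigured session: ::ffff:198.51.100.77+40604",
    "May  4 00:19:02 rpd[1485]: rv_listen_accept: Connection attempt from "
    "unconfigured session: 2001:db8:bad::1+52011",
    "May  4 00:19:05 rpd[1485]: bgp_read_message: something unrelated",
]

NEIGHBOR_RE = re.compile(r"^\s*neighbor\s+([0-9A-Fa-f:.]+)\s*;", re.MULTILINE)
LOG_RE = re.compile(r"unconfigured session:\s+([0-9A-Fa-f:.]+)\+(\d+)")


def configured_peers(config_text):
    """Emulate the apply-path expansion: every 'neighbor <addr>;' under
    protocols bgp becomes one host entry in the prefix-list."""
    return {ipaddress.ip_address(m.group(1)) for m in NEIGHBOR_RE.finditer(config_text)}


def normalize(addr_text):
    """rpd logs IPv4 sessions in IPv4-mapped IPv6 form (::ffff:a.b.c.d).
    Fold that back to a plain IPv4 address so it is compared against the
    right address family."""
    addr = ipaddress.ip_address(addr_text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def filter_verdict(addr, peers):
    """What a lo0 input filter built from the prefix-list does with a
    TCP/179 connection from this source: accept for configured peers,
    otherwise fall through to the default-deny term."""
    return "accept" if addr in peers else "discard"


def parse_attempt(log_line):
    """Return (source address, source port) for an rv_listen_accept line,
    or None for any other message."""
    m = LOG_RE.search(log_line)
    if not m:
        return None
    return normalize(m.group(1)), int(m.group(2))


def triage(log_lines, peers):
    """Count unconfigured connection attempts per address family. The split
    shows which filter family ('inet' or 'inet6') would have to carry the
    allow-bgp term to stop each attempt."""
    counts = Counter()
    for line in log_lines:
        parsed = parse_attempt(line)
        if parsed is None:
            continue
        addr, _port = parsed
        if filter_verdict(addr, peers) == "discard":
            counts["inet" if addr.version == 4 else "inet6"] += 1
    return dict(counts)


if __name__ == "__main__":
    peers = configured_peers(SAMPLE_CONFIG)
    print("configured peers:", sorted(map(str, peers)))
    print("unconfigured attempts by family:", triage(SAMPLE_LOGS, peers))
```

Running it against the constructed input reports one unconfigured attempt per family; the mapped `::ffff:` source is counted under `inet`, which is the reminder that the filter in the post needs an `inet` twin to quiet the log line Randy quoted.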