# show policy-options
policy-options {
    /* lo0.0 addresses: covers the CLI's own ntpd queries, which are not sourced from 127.0.0.1 */
    prefix-list lo0.0-inet-address {
        apply-path "interfaces lo0 unit 0 family inet address <*>";
    }
    /* every 'system ntp server' entry, kept in sync with the NTP config automatically */
    prefix-list ntp-servers {
        apply-path "system ntp server <*>";
    }
}
# show firewall
firewall {
    family inet {
        filter protect_RE {
            term NTP {
                from {
                    source-prefix-list {
                        ntp-servers;
                        lo0.0-inet-address;
                    }
                    protocol udp;
                    port ntp;
                }
                then accept;
            }
bla
bla
bla
-----Original Message-----
From: juniper-nsp [mailto:[email protected]] On Behalf Of Chris Adams
Sent: Tuesday, January 14, 2014 4:19 PM
To: [email protected]
Subject: Re: [j-nsp] NTP Reflection
Once upon a time, Olivier Benghozi <[email protected]> said:
> Because if you don't do it, you'll obtain some nice "Server Timeout" if you
> want to issue a "show ntp status" or "show ntp associations".
> So:
> - Junos doesn't use 127.0.0.1 to locally communicate with ntpd
> - In your filters you're obliged to manually authorize internal private
> IP traffic used by the CLI that doesn't even leave the RE
>
> Another fine design...
Seems like a good case for a commit script to auto-build the filter rule from
configured NTP servers and configured loopback addresses.
--
Chris Adams <[email protected]>
_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
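As an added example (not code from the thread or from Junos itself), the Python below models what the two apply-path prefix-lists in the reply expand to and then runs the resulting protect_RE NTP term over a few constructed packets, including the CLI's own ntpd query sourced from lo0 that Olivier's message says you otherwise have to authorize by hand. The sample config, the RFC 5737 addresses and all function names are assumptions for illustration; only the apply-path expressions and the term shape come from the thread.

```python
"""Expand the thread's apply-path prefix-lists and evaluate the protect_RE NTP term."""
import ipaddress

# Constructed sample config in Junos curly-brace syntax (documentation addresses,
# not anything from the original thread).
SAMPLE_CONFIG = """\
system {
    ntp {
        server 192.0.2.10;
        server 192.0.2.11 prefer;
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                address 198.51.100.1/32;
            }
        }
    }
}
"""

NTP_PORT = 123  # what 'port ntp' resolves to in a Junos firewall filter

# The two apply-path expressions exactly as the reply configures them.
APPLY_PATHS = {
    "lo0.0-inet-address": "interfaces lo0 unit 0 family inet address <*>",
    "ntp-servers": "system ntp server <*>",
}


def parse_junos(text):
    """Minimal parser for curly-brace Junos config: nested dicts, leaf statements map to None."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "/*")):
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        else:
            stack[-1][line.rstrip(";")] = None
    return root


def apply_path(cfg, path):
    """Evaluate an apply-path expression; each '<*>' captures the config word it matches."""
    tokens = path.split()
    found = []

    def walk(node, i):
        for key, child in node.items():
            words = key.split()
            k = min(len(words), len(tokens) - i)  # trailing words like 'prefer' are ignored
            if k == 0 or any(t not in ("<*>", w) for t, w in zip(tokens[i:i + k], words)):
                continue
            if i + k == len(tokens):  # path exhausted: collect the wildcard captures
                found.extend(w for t, w in zip(tokens[i:i + k], words) if t == "<*>")
            elif len(words) == k and isinstance(child, dict):
                walk(child, i + k)  # descend into the matching block

    walk(cfg, 0)
    return found


def build_prefix_lists(cfg):
    """Return {prefix-list name: [ip_network]}; a bare host address becomes a /32."""
    return {name: [ipaddress.ip_network(a, strict=False) for a in apply_path(cfg, p)]
            for name, p in APPLY_PATHS.items()}


def protect_re_verdict(prefix_lists, src, proto, sport, dport):
    """Model the reply's protect_RE filter: term NTP, then Junos's implicit final discard."""
    allowed = prefix_lists["ntp-servers"] + prefix_lists["lo0.0-inet-address"]
    src_ip = ipaddress.ip_address(src)
    # 'port ntp' in a Junos filter matches either the source or the destination port.
    if proto == "udp" and NTP_PORT in (sport, dport) and any(src_ip in n for n in allowed):
        return "accept"
    return "discard"


if __name__ == "__main__":
    pl = build_prefix_lists(parse_junos(SAMPLE_CONFIG))
    for name, nets in pl.items():
        print(f"prefix-list {name}: {[str(n) for n in nets]}")
    cases = [
        ("192.0.2.10", "udp", 123, 123),      # reply from a configured server
        ("198.51.100.1", "udp", 51234, 123),  # CLI 'show ntp status' sourced from lo0
        ("203.0.113.7", "udp", 123, 123),     # random Internet host probing the RE
        ("192.0.2.10", "tcp", 123, 123),      # configured server, wrong protocol
    ]
    for c in cases:
        print(c, "->", protect_re_verdict(pl, *c))
```

The model covers only the NTP term plus the implicit discard, so it stands in for the rest of the filter the reply elided. Two caveats worth keeping in mind: a source-prefix match accepts anything that merely claims a configured server's address, so this term limits who can reach ntpd on the RE but does not by itself defeat spoofed traffic, and the lo0 entry has to stay in the list for the CLI's local queries to keep working, which is exactly why deriving both lists with apply-path is preferable to maintaining them by hand.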