On (2014-02-01 11:16 +0400), Misak Khachatryan wrote:

> Should I write filters specific for each lo and routing instance
> unit or lo0.0 is catch all for everything?

I recommend applying the same filter in each loopback. The security posture of a
VPN is mostly the same as INET, except the source address is not to be trusted
(there may be INET behind the customer VPN and you may not know how it's managed).

Critically, make sure you verify the destination address in the firewall filter,
especially for non-customer protocols like ssh, http, snmp, ntp, igp etc.

--
  ++ytti
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
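
A sketch of the advice above as Junos configuration, added as an example and not part of the original e-mail: one filter whose ssh term matches on destination address as well as source, applied to both loopback units. The filter name, prefix-list names, instance name and all addresses are constructed placeholders.

```junos
/* Constructed example: every name and address below is a placeholder. */
policy-options {
    prefix-list ROUTER-ADDRESSES {      /* the router's own addresses (assumed) */
        192.0.2.1/32;
        192.0.2.129/32;
    }
    prefix-list MGMT-SOURCES {          /* management stations (assumed) */
        198.51.100.0/24;
    }
}
firewall {
    family inet {
        filter PROTECT-RE {
            term ssh {
                from {
                    source-prefix-list { MGMT-SOURCES; }
                    /* destination check: only the addresses meant for management */
                    destination-prefix-list { ROUTER-ADDRESSES; }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            /* terms for snmp, ntp, IGP etc. follow the same pattern (omitted) */
            term default-deny {
                then discard;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 { family inet { filter { input PROTECT-RE; } } }
        unit 1 { family inet { filter { input PROTECT-RE; } } }
    }
}
routing-instances {
    CUST-A {                            /* hypothetical customer VRF */
        instance-type vrf;
        interface lo0.1;
    }
}
```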