On Tue 2015-Nov-17 17:52:11 +0000, Wayne Lee via juniper-nsp <juniper-nsp@puck.nether.net> wrote:
I thought you could create your own "service" and apply ports to that specifically I'm running into an issue where I don't want to allow-all on the host-inbound but I do need a fair amount of unlisted ports to still maintain access. Does anyone remember if this is possible. Still sorting through documentation to validate my memory. Thank you, Yes you can configure a custom application and application-set with yourport ranges and apply that to a policy.
That's for security policy, not host-inbound-traffic. For host-inbound-traffic, you are limited to the pre-configured system-services and protocols made available by JunOS:
http://www.juniper.net/documentation/en_US/junos12.1/topics/reference/specifications/zone-host-inbound-traffic-system-service-supported.htmlIf you want to allow something to the RE that's not listed in there, you'd have to allow all and then filter it down with a stateless filter on the loopback in the relevant routing-instance to control traffic to the RE, as per http://www.juniper.net/documentation/en_US/junos14.2/topics/concept/firewall-filter-stateless-basic-uses-for.html#jd0e63
But: host-inbound-traffic is for traffic destined for the RE, meaning services or protocols running on the RE. What unlisted ports are you talking about that are for services/protocols running on the RE but which are not available under host-inbound-traffic under either system-services or protocols?
If you're talking about traffic transiting the SRX, then yes: custom application and/or application-set definitions + security policies would be your weapon of choice. Note that you can be exposing absolutely *zero* services or protocols under host-inbound-traffic while still allowing through anything else you want in terms of transit traffic via security policies.
Regards Wayne
-- Hugo h...@slabnet.com: email, xmpp/jabber PGP fingerprint (B178313E): CF18 15FA 9FE4 0CD1 2319 1D77 9AB1 0FFD B178 313E (also on Signal)
signature.asc
Description: Digital signature
_______________________________________________ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
