You might have better luck with the junos-host zone.
http://kb.juniper.net/InfoCenter/index?page=content&id=KB24227&actp=search

On 18 November 2015 at 05:13, Hugo Slabbert <h...@slabnet.com> wrote:

> On Tue 2015-Nov-17 17:52:11 +0000, Wayne Lee via juniper-nsp
> <juniper-nsp@puck.nether.net> wrote:
>
>>> I thought you could create your own "service" and apply ports to that
>>> specifically.
>>>
>>> I'm running into an issue where I don't want to allow-all on the
>>> host-inbound but I do need a fair amount of unlisted ports to still
>>> maintain access.
>>>
>>> Does anyone remember if this is possible? Still sorting through
>>> documentation to validate my memory.
>>>
>>> Thank you,
>>
>> Yes, you can configure a custom application and application-set with your
>> port ranges and apply that to a policy.
>
> That's for security policy, not host-inbound-traffic. For
> host-inbound-traffic, you are limited to the pre-configured system-services
> and protocols made available by JunOS:
>
> http://www.juniper.net/documentation/en_US/junos12.1/topics/reference/specifications/zone-host-inbound-traffic-system-service-supported.html
>
> If you want to allow something to the RE that's not listed in there, you'd
> have to allow all and then filter it down with a stateless filter on the
> loopback in the relevant routing-instance to control traffic to the RE, as
> per
> http://www.juniper.net/documentation/en_US/junos14.2/topics/concept/firewall-filter-stateless-basic-uses-for.html#jd0e63
>
> But: host-inbound-traffic is for traffic destined for the RE, meaning
> services or protocols running on the RE. What unlisted ports are you
> talking about that are for services/protocols running on the RE but which
> are not available under host-inbound-traffic under either system-services
> or protocols?
>
> If you're talking about traffic transiting the SRX, then yes: custom
> application and/or application-set definitions + security policies would be
> your weapon of choice. Note that you can be exposing absolutely *zero*
> services or protocols under host-inbound-traffic while still allowing
> through anything else you want in terms of transit traffic via security
> policies.
>
>> Regards
>>
>> Wayne
>
> --
> Hugo
>
> h...@slabnet.com: email, xmpp/jabber
> PGP fingerprint (B178313E):
> CF18 15FA 9FE4 0CD1 2319 1D77 9AB1 0FFD B178 313E
>
> (also on Signal)
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp

--
Michael Gehrmann
Senior Network Engineer - Atlassian
m: +61 407 570 658
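The loopback-filter approach Hugo describes, as an added example (not configuration from the thread, from Juniper, or from Atlassian): host-inbound-traffic is opened up in the zone, and a stateless filter on lo0 decides what actually reaches the RE. Assumptions: default routing instance, a zone named `trust` on `ge-0/0/0.0`, management hosts in the documentation prefix 192.0.2.0/24, and a hypothetical unlisted service on TCP 8000-8010; the `#` lines are annotations, not Junos syntax.

```junos
# Step 1: since only predefined services/protocols can be named under
# host-inbound-traffic, open it fully on the interface (per Hugo's post).
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic protocols all

# Step 2: narrow what reaches the RE with a stateless filter on lo0.
# Management SSH, only from the management prefix (constructed value).
set firewall family inet filter PROTECT-RE term allow-ssh-mgmt from source-address 192.0.2.0/24
set firewall family inet filter PROTECT-RE term allow-ssh-mgmt from protocol tcp
set firewall family inet filter PROTECT-RE term allow-ssh-mgmt from destination-port ssh
set firewall family inet filter PROTECT-RE term allow-ssh-mgmt then accept

# The unlisted port range (hypothetical service), same source restriction.
set firewall family inet filter PROTECT-RE term allow-custom-range from source-address 192.0.2.0/24
set firewall family inet filter PROTECT-RE term allow-custom-range from protocol tcp
set firewall family inet filter PROTECT-RE term allow-custom-range from destination-port 8000-8010
set firewall family inet filter PROTECT-RE term allow-custom-range then accept

# Replies to TCP sessions the RE itself initiated. UDP replies (DNS, NTP)
# and any routing protocols in use need their own accept terms here.
set firewall family inet filter PROTECT-RE term allow-established from protocol tcp
set firewall family inet filter PROTECT-RE term allow-established from tcp-established
set firewall family inet filter PROTECT-RE term allow-established then accept

# Everything else to the RE: count and log it for visibility, then drop.
set firewall family inet filter PROTECT-RE term deny-rest then count RE-DROPS
set firewall family inet filter PROTECT-RE term deny-rest then log
set firewall family inet filter PROTECT-RE term deny-rest then discard

# Apply as an input filter on the loopback so it sees all RE-bound traffic.
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
```

Because the lo0 filter catches every packet addressed to the RE, any protocol the box must accept (BGP, OSPF, ICMP, DNS/NTP replies) needs an accept term ahead of `deny-rest`, or it is cut off at commit. `show firewall filter PROTECT-RE` shows the `RE-DROPS` counter, which is the quickest way to spot something legitimate being discarded.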