On Wed, Mar 18, 2020 at 06:33:11PM +0200, Saku Ytti wrote:
> On Wed, 18 Mar 2020 at 18:28, Chuck Anderson <c...@wpi.edu> wrote:
>
> > term bgp-inbound {
> >     from {
> >         source-prefix-list {
> >             bgp-neighbors-v4;
> >         }
> >         protocol tcp;
> >         source-port 1024-65535;
>
> This is immaterial, you don't care what this SPORT is. Be liberal.

True--the peer controls it so it doesn't matter what it is.

> > term bgp-replies {
> >     from {
> >         source-prefix-list {
> >             bgp-neighbors-v4;
> >         }
> >         protocol tcp;
> >         source-port bgp;
> >         destination-port 1024-65535;
>
> This you care very much, and ephemeral range in your device is
> 49125-65535, 1024-49124 could have something listening in them.

Thanks, this is useful. From the BSD shell it appears to be 49160-65535:

% sysctl -a | grep -E 'portrange.*(first|last)'
net.inet.ip.portrange.lowfirst: 1023
net.inet.ip.portrange.lowlast: 647
net.inet.ip.portrange.first: 49160
net.inet.ip.portrange.last: 65535
net.inet.ip.portrange.hifirst: 49160
net.inet.ip.portrange.hilast: 65535

> If you are in position where you only have customers and RR, no peers
> or anything else where there is no 'owner'. You should set your
> customer BGP to passive, so customer _always_ starts the BGP, you will
> never try to start it. Equally you should set your RR to passive, so
> clients always connect to RR, RR never.
> This will allow greatly simplified filters for BGP, much safer, as
> well as trivial way to police iBGP and eBGP separately, in times when
> ddos-protection was not available.

Good idea.

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
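The two points raised in the thread, tighten the destination-port match on reply traffic to the RE's actual ephemeral range, and make the router passive toward customers so it never originates a session, can be combined in one RE-protection filter. The configuration below is an added illustration written for this page; it is not the original poster's filter or anything from Juniper's documentation. The group name `customers`, the prefix-list names `bgp-customers-v4` and `route-reflectors-v4`, and the filter name `protect-re` are assumed placeholders. The port range 49160-65535 is taken from the sysctl output quoted above and should be confirmed on the reader's own RE before deployment.

```junos
protocols {
    bgp {
        group customers {
            type external;
            /* passive: the router only accepts sessions from customers,
               so no inbound term ever needs to allow source-port 179
               from customer prefixes */
            passive;
            /* neighbor statements omitted (assumed elsewhere in config) */
        }
    }
}
firewall {
    family inet {
        filter protect-re {
            /* Customers always initiate: their packets arrive with
               destination-port 179 and an arbitrary source port, which
               is deliberately not matched (liberal on SPORT). */
            term bgp-from-customers {
                from {
                    source-prefix-list {
                        bgp-customers-v4;
                    }
                    protocol tcp;
                    destination-port bgp;
                }
                then accept;
            }
            /* This router is the client of the route reflectors, so it
               initiates toward them and their replies come back with
               source-port 179 and a destination port in the RE's
               ephemeral range. Restricting to 49160-65535 (the value
               observed via sysctl above) closes the 1024-49159 window
               where other RE services may be listening. */
            term bgp-from-rr {
                from {
                    source-prefix-list {
                        route-reflectors-v4;
                    }
                    protocol tcp;
                    source-port bgp;
                    destination-port 49160-65535;
                }
                then accept;
            }
            /* remaining terms (other control-plane protocols, a final
               discard with counting) assumed to follow */
        }
    }
}
```

Because the customer and reflector terms are now distinct, each can be given its own policer or counter, which is the "police iBGP and eBGP separately" benefit described in the thread. If a platform exposes `net.inet.ip.portrange.first` with a different value, the `destination-port` range in `bgp-from-rr` must track it, otherwise the router's own outbound sessions will be dropped by its filter.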