Hi,

I'm currently migrating from EX4500 to EX4650.

Our loopback filter, carried over from the EX4500 to the EX4650, doesn't behave as expected.

Our lo0 filter looks like:
set interfaces lo0 unit 0 family inet filter input filter-management
set firewall family inet filter filter-management term ALLOW_SSH from source-prefix-list ssh-admin
set firewall family inet filter filter-management term ALLOW_SSH from protocol tcp
set firewall family inet filter filter-management term ALLOW_SSH from destination-port ssh
set firewall family inet filter filter-management term ALLOW_SSH then count filter-management_ALLOW_SSH
set firewall family inet filter filter-management term ALLOW_SSH then accept
set firewall family inet filter filter-management term DROP_SSH from source-address 0.0.0.0/0
set firewall family inet filter filter-management term DROP_SSH from protocol tcp
set firewall family inet filter filter-management term DROP_SSH from destination-port ssh
set firewall family inet filter filter-management term DROP_SSH then count filter-management_DROP_SSH
set firewall family inet filter filter-management term DROP_SSH then discard
set firewall family inet filter filter-management term ALLOW_NTP from source-prefix-list router-self
set firewall family inet filter filter-management term ALLOW_NTP from source-prefix-list ntp-servers
set firewall family inet filter filter-management term ALLOW_NTP from protocol udp
set firewall family inet filter filter-management term ALLOW_NTP from source-port ntp
set firewall family inet filter filter-management term ALLOW_NTP then count filter-management_ALLOW_NTP
set firewall family inet filter filter-management term ALLOW_NTP then accept
...(bunch of allow terms)
set firewall family inet filter filter-management term accept-ospf from protocol ospf
set firewall family inet filter filter-management term accept-ospf then count filter-management-accept-ospf
set firewall family inet filter filter-management term accept-ospf then log
set firewall family inet filter filter-management term accept-ospf then syslog
set firewall family inet filter filter-management term accept-ospf then accept
set firewall family inet filter filter-management term accept-ospf-igmp from destination-prefix-list ospf-routers
set firewall family inet filter filter-management term accept-ospf-igmp from protocol igmp
set firewall family inet filter filter-management term accept-ospf-igmp then count filter-management-accept-ospf-igmp
set firewall family inet filter filter-management term accept-ospf-igmp then accept


If my filter stops here (implicit discard), previously established OSPF sessions eventually fail.

If the last term is a default accept, OSPF is working fine.

How do you accept OSPF and deny the rest on this platform?

Thanks
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
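Added diagnostic example, not part of the original post: the poster's filter already counts and logs the accept-ospf term, but nothing records what the implicit discard at the end of the filter is dropping. Replacing the implicit discard with an explicit final term that logs, counts and then discards makes the dropped traffic visible, so the difference between "implicit discard" and "default accept" can be read off the counters and the firewall log instead of guessed at. The term name DENY_ALL and the counter name filter-management_DENY_ALL are assumptions; the filter name is the one from the post.

```junos
# Added example, not from the original post. Explicit final term so that
# anything the filter would otherwise silently discard is logged and counted.
# Term/counter names are assumptions; adjust to local naming conventions.
set firewall family inet filter filter-management term DENY_ALL then log
set firewall family inet filter filter-management term DENY_ALL then syslog
set firewall family inet filter filter-management term DENY_ALL then count filter-management_DENY_ALL
set firewall family inet filter filter-management term DENY_ALL then discard
commit confirmed 5

# Leave the adjacency up for longer than the OSPF dead interval, then check:
show ospf neighbor
show ospf interface detail
show firewall filter filter-management
show firewall log
show log messages | match PFE_FW_SYSLOG
```

Reading the result: if the filter-management-accept-ospf counter increments while the adjacency is up and filter-management_DENY_ALL stays at zero, the OSPF packets themselves are being accepted and the failure lies elsewhere; if filter-management_DENY_ALL increments, `show firewall log` (and the PFE_FW_SYSLOG entries from the syslog action) show the source, destination, protocol and ingress interface of each dropped packet, which is exactly the traffic the final "default accept" was letting through. Note that OSPF hellos are sent to the multicast groups 224.0.0.5 and 224.0.0.6, so any term that is meant to catch them must not be restricted to unicast destination addresses; the existing accept-ospf term matches on protocol only, which is fine. `commit confirmed 5` rolls the change back automatically if the new discard term locks you out of the management session.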