Hi,

Here I use "from prefix-list". From what I understand from Juniper, when "from destination-prefix-list" is inserted it is as if it were an IP on the internal interface of the network and not a source IP filter, and "from prefix-list" is more like a source address.
set firewall family inet filter PROTECT_RE term acesso-ospf from prefix-list ACCESS-v4-OSPF
set firewall family inet filter PROTECT_RE term acesso-ospf from protocol ospf
set firewall family inet filter PROTECT_RE term acesso-ospf then accept

On Tue, 21 Mar 2023 at 06:30, Laurent CARON via juniper-nsp <juniper-nsp@puck.nether.net> wrote:

> Hi,
>
> I'm currently migrating EX4500 to EX4650.
>
> Our loopback filter taken from EX4500 to EX4650 doesn't behave as expected.
>
> Our lo0 filter looks like:
> set interfaces lo0 unit 0 family inet filter input filter-management
> set firewall family inet filter filter-management term ALLOW_SSH from source-prefix-list ssh-admin
> set firewall family inet filter filter-management term ALLOW_SSH from protocol tcp
> set firewall family inet filter filter-management term ALLOW_SSH from destination-port ssh
> set firewall family inet filter filter-management term ALLOW_SSH then count filter-management_ALLOW_SSH
> set firewall family inet filter filter-management term ALLOW_SSH then accept
> set firewall family inet filter filter-management term DROP_SSH from source-address 0.0.0.0/0
> set firewall family inet filter filter-management term DROP_SSH from protocol tcp
> set firewall family inet filter filter-management term DROP_SSH from destination-port ssh
> set firewall family inet filter filter-management term DROP_SSH then count filter-management_DROP_SSH
> set firewall family inet filter filter-management term DROP_SSH then discard
> set firewall family inet filter filter-management term ALLOW_NTP from source-prefix-list router-self
> set firewall family inet filter filter-management term ALLOW_NTP from source-prefix-list ntp-servers
> set firewall family inet filter filter-management term ALLOW_NTP from protocol udp
> set firewall family inet filter filter-management term ALLOW_NTP from source-port ntp
> set firewall family inet filter filter-management term ALLOW_NTP then count filter-management_ALLOW_NTP
> set firewall family inet filter filter-management term ALLOW_NTP then accept
> ...(bunch of allow terms)
> set firewall family inet filter filter-management term accept-ospf from protocol ospf
> set firewall family inet filter filter-management term accept-ospf then count filter-management-accept-ospf
> set firewall family inet filter filter-management term accept-ospf then log
> set firewall family inet filter filter-management term accept-ospf then syslog
> set firewall family inet filter filter-management term accept-ospf then accept
> set firewall family inet filter filter-management term accept-ospf-igmp from destination-prefix-list ospf-routers
> set firewall family inet filter filter-management term accept-ospf-igmp from protocol igmp
> set firewall family inet filter filter-management term accept-ospf-igmp then count filter-management-accept-ospf-igmp
> set firewall family inet filter filter-management term accept-ospf-igmp then accept
>
>
> If my filter stops here (implicit discard), OSPF sessions previously established eventually fail.
>
> If the last term is a default accept, OSPF is working fine.
>
> What do you guys do to accept OSPF and deny the rest on this platform?
>
> Thanks
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
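To reason about which term of a lo0 filter like the one quoted above catches a given packet before committing it, here is an added Python model of Junos first-match term evaluation (my own toy written for this thread, not Junos code or anything posted by either author). Prefix-list contents and the sample packets are constructed; the model encodes the Junos rule that "from prefix-list" matches either the source or the destination address, while source-prefix-list and destination-prefix-list each match only one side.

```python
import ipaddress

# Constructed prefix lists: names from the thread, addresses made up (RFC 5737 ranges).
PREFIX_LISTS = {"ssh-admin": ["192.0.2.0/24"], "ospf-routers": ["198.51.100.0/24"],
                "ACCESS-v4-OSPF": ["198.51.100.0/24"]}
PROTO = {"ospf": 89, "tcp": 6, "udp": 17, "igmp": 2}

def in_lists(addr, names):
    return any(ipaddress.ip_address(addr) in ipaddress.ip_network(p)
               for n in names for p in PREFIX_LISTS[n])

def term_matches(term, pkt):
    f = term["from"]
    if "protocol" in f and pkt["proto"] != PROTO[f["protocol"]]:
        return False
    if "destination-port" in f and pkt.get("dport") != f["destination-port"]:
        return False
    if "source-prefix-list" in f and not in_lists(pkt["src"], f["source-prefix-list"]):
        return False
    if "destination-prefix-list" in f and not in_lists(pkt["dst"], f["destination-prefix-list"]):
        return False
    # Junos "from prefix-list" matches the source OR the destination address.
    if "prefix-list" in f and not (in_lists(pkt["src"], f["prefix-list"])
                                   or in_lists(pkt["dst"], f["prefix-list"])):
        return False
    return True

def evaluate(terms, pkt):
    """Junos-style first match; falling off the end is the implicit discard."""
    for t in terms:
        if term_matches(t, pkt):
            return t["name"], t["then"]
    return "implicit", "discard"

# Terms from the thread's filter-management (count/log/syslog actions omitted).
FILTER_MANAGEMENT = [
    {"name": "ALLOW_SSH", "from": {"source-prefix-list": ["ssh-admin"], "protocol": "tcp", "destination-port": 22}, "then": "accept"},
    {"name": "DROP_SSH", "from": {"protocol": "tcp", "destination-port": 22}, "then": "discard"},
    {"name": "accept-ospf", "from": {"protocol": "ospf"}, "then": "accept"},
    {"name": "accept-ospf-igmp", "from": {"destination-prefix-list": ["ospf-routers"], "protocol": "igmp"}, "then": "accept"},
]
# The reply's suggested term, which ties OSPF acceptance to a prefix list.
ACESSO_OSPF = [{"name": "acesso-ospf", "from": {"prefix-list": ["ACCESS-v4-OSPF"], "protocol": "ospf"}, "then": "accept"}]

PACKETS = {  # constructed sample packets arriving at the RE
    "ospf-hello-neighbour": {"src": "198.51.100.2", "dst": "224.0.0.5", "proto": 89},
    "ospf-hello-stranger": {"src": "203.0.113.9", "dst": "224.0.0.5", "proto": 89},
    "ssh-admin": {"src": "192.0.2.7", "dst": "198.51.100.1", "proto": 6, "dport": 22},
    "bgp-stranger": {"src": "203.0.113.9", "dst": "198.51.100.1", "proto": 6, "dport": 179},
}
```

The model reproduces what the original poster expects (OSPF landing on accept-ospf, everything unlisted on the implicit discard), so where the real EX4650 diverges the per-term counters already in the filter, read with `show firewall filter filter-management`, are the place to look for which term the hellos actually hit.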