Hi Martin,

I did a bit of work in this subject a couple of years ago, maybe there is something of use here:
https://github.com/lpedder/junos-re-filters

I think this is an unreasonably complicated topic full of pitfalls, and there's definitely a lot of misconceptions in my own work too that I haven't spotted. Even if you sat in a lab for weeks you'd probably still be missing something dangerous. Juniper should really come up with a better / automated solution because the level of skill to get this right is insane.

Regards
Lee

On Thu, 2 May 2024, 16:32 Martin Tonusoo via juniper-nsp, <juniper-nsp@puck.nether.net> wrote:
> Hi.
>
> Thanks for the feedback and remarks. I have updated the RE filters:
> https://gist.github.com/tonusoo/efd9ab4fcf2bb5a45d34d5af5e3f3e0c
>
> A few comments:
>
> * I used the ephemeral range of 49160 - 65535 based on "sysctl
> net.inet.ip.portrange.first" and "sysctl net.inet.ip.portrange.last"
> on FreeBSD shell
>
> * the "router-v4" was carried over from inet6 filters as I wanted to
> keep the v4 and v6 rules as identical as possible. It also helps to
> filter malformed packets addressed to multicast. For example TCP SYN
> packets addressed to dport 179 with destination IP set to 224.0.0.6
>
>
> Michael,
>
> regarding the GTSM for BGP and related filters. Do you group the BGP
> neighbors into different prefix lists based on the expected TTL?
> Something like this:
>
> root@vmx1> show configuration firewall family inet filter accept-bgp-v4
> term accept-bgp-ttl-255-v4 {
>     from {
>         source-prefix-list {
>             /* adjacent BGP neighbors with TTL set to 255 */
>             bgp-neighbors-ttl-255-v4;
>         }
>         destination-prefix-list {
>             router-v4;
>         }
>         protocol tcp;
>         ttl 255;
>         destination-port bgp;
>     }
>     then {
>         count accept-bgp-ttl-255-v4;
>         accept;
>     }
> }
> term accept-bgp-v4 {
>     from {
>         source-prefix-list {
>             /* rest of the BGP neighbors */
>             bgp-neighbors-v4;
>         }
>         destination-prefix-list {
>             router-v4;
>         }
>         protocol tcp;
>         destination-port bgp;
>     }
>     then {
>         count accept-bgp-v4;
>         accept;
>     }
> }
>
> root@vmx1>
>
>
> Martin
> _______________________________________________
> juniper-nsp mailing list
> juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
> Something like this: > > root@vmx1> show configuration firewall family inet filter accept-bgp-v4 > term accept-bgp-ttl-255-v4 { > from { > source-prefix-list { > /* adjacent BGP neighbors with TTL set to 255 */ > bgp-neighbors-ttl-255-v4; > } > destination-prefix-list { > router-v4; > } > protocol tcp; > ttl 255; > destination-port bgp; > } > then { > count accept-bgp-ttl-255-v4; > accept; > } > } > term accept-bgp-v4 { > from { > source-prefix-list { > /* rest of the BGP neighbors */ > bgp-neighbors-v4; > } > destination-prefix-list { > router-v4; > } > protocol tcp; > destination-port bgp; > } > then { > count accept-bgp-v4; > accept; > } > } > > root@vmx1> > > > Martin > _______________________________________________ > juniper-nsp mailing list juniper-nsp@puck.nether.net > https://puck.nether.net/mailman/listinfo/juniper-nsp > _______________________________________________ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp