Re: [j-nsp] 14.2 trio flexible firewall matching?

2015-09-27 Thread Saku Ytti
Hey Michael,

> I'm wondering if anyone on list has tried this or gotten decent caveat 
> information on this feature.  I intend to lab it but haven't gotten around to 
> it yet.
>
> http://www.juniper.net/documentation/en_US/junos14.2/topics/concept/firewall-filter-flexible-match-conditions-overview.html
>
> Some things I wanted to explore;
> * Matching ethernet dst addr bit 8 to count/police ethernet multicast
> * Poor man's DNS reflection firewall (counting/policing DNS ANY attempts, aka 
> fkfkfkfz.guru lookups)

I've used it to discriminate between RTCP and RTP, by checking if UDP
port is odd or even. To facilitate mirroring of RTCP packets without
mirroring RTP packets (not allowed by legislation).
Had no issues with it, and generally I'd be very comfortable running
it; it's not special in any way to the HW, rather all the other
rules are just syntactic sugar.


-- 
  ++ytti
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


[j-nsp] 14.2 trio flexible firewall matching?

2015-09-24 Thread Michael Hare
I'm wondering if anyone on list has tried this or gotten decent caveat 
information on this feature.  I intend to lab it but haven't gotten around to 
it yet.

http://www.juniper.net/documentation/en_US/junos14.2/topics/concept/firewall-filter-flexible-match-conditions-overview.html

Some things I wanted to explore;
* Matching ethernet dst addr bit 8 to count/police ethernet multicast
* Poor man's DNS reflection firewall (counting/policing DNS ANY attempts, aka 
fkfkfkfz.guru lookups) 

-Michael
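As an added illustration (this is example configuration written for this page, not Saku's or Michael's config, and not taken from Juniper), the filter below shows the two flexible-match cases discussed in the thread: Saku's odd/even UDP port test to separate RTCP from RTP, and Michael's first bullet, the Ethernet I/G (group) bit, which is the least-significant bit of the first destination-MAC byte. Assumptions: the `flexible-match-mask` knobs (`match-start`, `byte-offset`, `bit-length`, `mask-in-hex`, `prefix`) as described on the linked 14.2 documentation page; the filter, term and counter names and the 16384-32767 media port range are made up for the example; and that a `layer-2` match start is accepted under the family the filter is applied to (check that against the caveats page for your platform).

```junos
firewall {
    family inet {
        filter count-rtcp-vs-rtp {
            /* RTCP: odd UDP destination port (RFC 3550 pairs RTP on even, RTCP on odd) */
            term rtcp-odd-port {
                from {
                    protocol udp;
                    destination-port 16384-32767;      /* assumed media port range */
                    flexible-match-mask {
                        match-start layer-4;           /* offset counted from the UDP header */
                        byte-offset 2;                 /* destination port field */
                        bit-length 16;
                        mask-in-hex 0x0001;            /* keep only the least-significant bit */
                        prefix 0x0001;                 /* require it to be 1: odd port */
                    }
                }
                then {
                    count rtcp-pkts;
                    accept;
                }
            }
            /* RTP: same range, even destination port (LSB = 0) */
            term rtp-even-port {
                from {
                    protocol udp;
                    destination-port 16384-32767;
                    flexible-match-mask {
                        match-start layer-4;
                        byte-offset 2;
                        bit-length 16;
                        mask-in-hex 0x0001;
                        prefix 0x0000;                 /* LSB must be 0: even port */
                    }
                }
                then {
                    count rtp-pkts;
                    accept;
                }
            }
            term everything-else {
                then accept;
            }
        }
        /* Michael's case: count frames whose destination MAC has the I/G bit set
           (multicast/broadcast). The bit is the LSB of the first byte of the
           destination address, i.e. the first byte of the Ethernet header. */
        filter count-l2-multicast {
            term ig-bit-set {
                from {
                    flexible-match-mask {
                        match-start layer-2;           /* offset counted from the Ethernet header */
                        byte-offset 0;                 /* first byte of the destination MAC */
                        bit-length 8;
                        mask-in-hex 0x01;              /* isolate the I/G bit */
                        prefix 0x01;                   /* set = group address */
                    }
                }
                then {
                    count l2-multicast;
                    accept;
                }
            }
            term unicast {
                then accept;
            }
        }
    }
}
```

Apply a filter with `set interfaces <ifd> unit <n> family inet filter input count-rtcp-vs-rtp` and read the counters with `show firewall filter count-rtcp-vs-rtp`. One caveat for the second bullet in Michael's post: a DNS query's QTYPE (255 for ANY) sits after the variable-length QNAME, so there is no fixed offset at which a flexible match can find it; a fixed-offset match can only classify on the fixed 12-byte DNS header fields and on the ports.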