Re: [j-nsp] fxp0.0 interface match in firewall filter doesn't work in JUNOS 12.3R5.7

2014-01-21 Thread Alex Arseniev

You should be able to do a negative match on interface-group:

1/ mark all other interfaces with interface-group:
set interfaces xe-0/0/0.0 family inet filter group 100

2/ match on interface-group-except in lo0.0 FW filter
set firewall family inet filter RE-PROTECT term 1 from interface-group-except 100


(1) can be done with configuration-groups, i.e.
set groups ALL-ETHS interfaces <[xg]e-*> unit <*> family inet filter group 100
set apply-groups ALL-ETHS


I have this successfully working in a customer's production network since Q3 2009.
It does stop spoofed src.ip attacks if the spoofed packets are coming from an
interface other than fxp0.0.

Thanks
Alex


On 21/01/2014 01:35, Tore Anderson wrote:

This is a heads-up to anyone planning to upgrade to 12.3R5.7, especially
if you don't have easy access to the serial console, but only a firewall
term such as:

term allow-oob-management {
    from {
        interface fxp0.0;
    }
    then accept;
}

...in your lo0.0 input filter (which presumably then goes on to drop all
unmatched traffic): It simply doesn't work.

I've confirmed on both MX80 and MX240, several times. After a reboot,
the term just gets skipped, it seems. Deactivating the term, committing,
and then reactivating it fixes the problem but that might of course be
easier said than done if locked out of the box.

Terms doing source-address matches seem to work fine.

Tore
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


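Putting Alex's two steps together, as an added example that is not from the original thread: a complete hierarchical configuration that tags every [xg]e- logical interface with interface-group 100 through a configuration group, and a lo0.0 input filter RE-PROTECT whose management term accepts packets only when they did not arrive on a tagged interface, which in practice means only via fxp0.0. The management prefix 192.0.2.0/24, the SSH-only port restriction, the counter name and the final discard term are assumptions for illustration; a real RE filter also needs terms for routing protocols and other control traffic ahead of the catch-all.

```junos
/* Added example, not the original poster's configuration. Assumed for
   illustration: the management prefix 192.0.2.0/24, the SSH-only
   restriction, the counter name and the final catch-all term. */
groups {
    ALL-ETHS {
        interfaces {
            <[xg]e-*> {
                unit <*> {
                    family inet {
                        filter {
                            /* interface-group 100 marks a revenue port */
                            group 100;
                        }
                    }
                }
            }
        }
    }
}
apply-groups ALL-ETHS;
firewall {
    family inet {
        filter RE-PROTECT {
            /* management is accepted only when the packet did NOT enter on a
               group-100 interface; fxp0.0 carries no group, so it matches
               here without any "interface fxp0.0" term */
            term allow-oob-management {
                from {
                    interface-group-except 100;
                    source-address {
                        192.0.2.0/24;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            /* the same source prefix spoofed in on a revenue port falls
               through to here */
            term deny-rest {
                then {
                    count re-protect-discards;
                    log;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input RE-PROTECT;
                }
            }
        }
    }
}
```

Before committing, `show configuration interfaces | display inheritance` confirms that the group actually applied `filter group 100` to every revenue unit; a unit the wildcard missed is a port from which spoofed management traffic would still be accepted.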


[j-nsp] fxp0.0 interface match in firewall filter doesn't work in JUNOS 12.3R5.7

2014-01-20 Thread Tore Anderson
This is a heads-up to anyone planning to upgrade to 12.3R5.7, especially
if you don't have easy access to the serial console, but only a firewall
term such as:

term allow-oob-management {
    from {
        interface fxp0.0;
    }
    then accept;
}

...in your lo0.0 input filter (which presumably then goes on to drop all
unmatched traffic): It simply doesn't work.

I've confirmed on both MX80 and MX240, several times. After a reboot,
the term just gets skipped, it seems. Deactivating the term, committing,
and then reactivating it fixes the problem but that might of course be
easier said than done if locked out of the box.

Terms doing source-address matches seem to work fine.

Tore


Re: [j-nsp] fxp0.0 interface match in firewall filter doesn't work in JUNOS 12.3R5.7

2014-01-20 Thread Graham Brown
Hi Tore,

Thanks for the heads up - I had earmarked this version for a project so
I'll test around this first.

Cheers,
Graham


On 21 January 2014 14:35, Tore Anderson t...@fud.no wrote:

 This is a heads-up to anyone planning to upgrade to 12.3R5.7, especially
 if you don't have easy access to the serial console, but only a firewall
 term such as:

 term allow-oob-management {
     from {
         interface fxp0.0;
     }
     then accept;
 }

 ...in your lo0.0 input filter (which presumably then goes on to drop all
 unmatched traffic): It simply doesn't work.

 I've confirmed on both MX80 and MX240, several times. After a reboot,
 the term just gets skipped, it seems. Deactivating the term, committing,
 and then reactivating it fixes the problem but that might of course be
 easier said than done if locked out of the box.

 Terms doing source-address matches seem to work fine.

 Tore




-- 
Graham Brown
Twitter - @mountainrescuer https://twitter.com/#!/mountainrescuer
LinkedIn http://www.linkedin.com/in/grahamcbrown