Re: [j-nsp] fxp0.0 interface match in firewall filter doesn't work in JUNOS 12.3R5.7
You should be able to do a negative match on interface-group:

1/ mark all other interfaces with interface-group:

    set interfaces xe-0/0/0.0 family inet filter group 100

2/ match on interface-group-except in the lo0.0 FW filter:

    set firewall family inet filter RE-PROTECT term 1 from interface-group-except 100

(1) can be done with configuration-groups, i.e.

    set groups ALL-ETHS interfaces <[xg]e-*> unit <*> family inet filter group 100

I have this successfully working in a customer's production network since Q3 2009. It does stop spoofed src.ip attacks if the spoofed packets are coming from an interface other than fxp0.0.

Thanks
Alex

On 21/01/2014 01:35, Tore Anderson wrote:

___
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
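The interface-group workaround from the reply above, assembled into a complete lo0.0 input filter. This is an added example, not configuration posted by anyone in the thread. The filter name RE-PROTECT and group number 100 follow the reply; the configuration-group name ALL-ETHS, the prefix list MGMT-NETS with 192.0.2.0/24, the term and counter names, and the restriction of the out-of-band term to SSH and NETCONF are assumptions for illustration. Lines beginning with # are commentary, not configuration.

```junos
# --- 1. Tag every revenue interface with filter group 100 -------------------
# Done through a configuration group so a newly added unit cannot be missed.
# Every interface type that carries customer/transit traffic must be covered,
# because anything left untagged will fall into the "except" bucket below.
set groups ALL-ETHS interfaces <[xg]e-*> unit <*> family inet filter group 100
set groups ALL-ETHS interfaces <et-*> unit <*> family inet filter group 100
set groups ALL-ETHS interfaces <ae*> unit <*> family inet filter group 100
set apply-groups ALL-ETHS

# --- 2. Management prefixes permitted to reach the RE over fxp0 -------------
set policy-options prefix-list MGMT-NETS 192.0.2.0/24

# --- 3. lo0.0 input filter ----------------------------------------------------
# The OOB term matches "arrived on an interface NOT in group 100" instead of
# "interface fxp0.0", the match that 12.3R5.7 skips after a reboot according
# to the original report. Source prefix and port are still checked, so a
# spoofed packet that does arrive on fxp0 cannot reach arbitrary RE services.
set firewall family inet filter RE-PROTECT term allow-oob-management from interface-group-except 100
set firewall family inet filter RE-PROTECT term allow-oob-management from source-prefix-list MGMT-NETS
set firewall family inet filter RE-PROTECT term allow-oob-management from protocol tcp
set firewall family inet filter RE-PROTECT term allow-oob-management from destination-port [ ssh 830 ]
set firewall family inet filter RE-PROTECT term allow-oob-management then count oob-accepted
set firewall family inet filter RE-PROTECT term allow-oob-management then accept

# ... existing terms for routing protocols, SNMP, NTP and the like go here ...

# Final term: everything not explicitly accepted is logged and discarded.
set firewall family inet filter RE-PROTECT term deny-all then count re-denied
set firewall family inet filter RE-PROTECT term deny-all then log
set firewall family inet filter RE-PROTECT term deny-all then discard

set interfaces lo0 unit 0 family inet filter input RE-PROTECT

# --- 4. Commit with an automatic rollback timer -------------------------------
# If the new filter cuts off the management session, the commit is rolled
# back after 5 minutes without needing serial console access.
commit confirmed 5
```

After the commit (and again after a reboot, since that is when the original report says the fxp0.0 term stops matching), an SSH session from a MGMT-NETS address should increment the oob-accepted counter in `show firewall filter RE-PROTECT`. Two caveats worth keeping in mind: interface-group-except is a negative match, so any interface type missing from the wildcards in step 1 silently becomes a management-capable interface, which is why the term also pins the source prefix and ports; and the reply's own limitation still applies, in that spoofed packets arriving on fxp0.0 itself are only stopped by the prefix-list check, not by the interface-group logic.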
[j-nsp] fxp0.0 interface match in firewall filter doesn't work in JUNOS 12.3R5.7
This is a heads-up to anyone planning to upgrade to 12.3R5.7, especially if you don't have easy access to the serial console, but only a firewall term such as:

    term allow-oob-management {
        from {
            interface fxp0.0;
        }
        then accept;
    }

...in your lo0.0 input filter (which presumably then goes on to drop all unmatched traffic): It simply doesn't work. I've confirmed on both MX80 and MX240, several times. After a reboot, the term just gets skipped, it seems.

Deactivating the term, committing, and then reactivating it fixes the problem, but that might of course be easier said than done if locked out of the box.

Terms doing source-address matches seem to work fine.

Tore
Re: [j-nsp] fxp0.0 interface match in firewall filter doesn't work in JUNOS 12.3R5.7
Hi Tore,

Thanks for the heads up - I had earmarked this version for a project so I'll test around this first.

Cheers,
Graham

On 21 January 2014 14:35, Tore Anderson t...@fud.no wrote:

--
Graham Brown
Twitter - @mountainrescuer https://twitter.com/#!/mountainrescuer
LinkedIn http://www.linkedin.com/in/grahamcbrown