How to create Filter List in JUNOS
Loading...
Loading...
3,673
Loading...
10:06
MPLS Part 1by bufo33312,697 views- 1:18
300 Gallon Aquaponics Buildout Part 12by bufo3339,561 views
- 10:00
Junos Virtual Routers SRX and BGP Route Redistribution Part 2by bufo3331,037 views
- 10:00
Introduction to Junos Part 4by bufo3334,833 views
- 8:09
Troubleshooting Flow SRX Junos Devices Part 2by bufo3331,448 views
- 4:56
CCNA Access List Sim 2 with Natby imeezz5,136 views
- 3:43
Juniper Networksby CindyNeillVO2,358 views
- 11:00
MPLS Part 4by bufo3331,460 views
- 10:23
MPLS Part 3by bufo3331,736 views
- 6:37
JUNOS逻辑路由器(Logical Routers)配置 - Part01/02by nigelmeng1,941 views
- 51:02
Live Webcast Archive: Troubleshooting ASA, PIX, and FWSMby ciscosupportchannel5,443 views
- 5:10
Testing Juniper SRX--Interop 2009by BreakingPointSystems2,728 views
- 8:44
Juniper SRX Firewall Loggingby bufo3338,354 views
- 6:35
Troubleshooting Flow SRX Junos Devices Part 1by bufo3332,053 views
- 7:05
junos per-packet load balancing 01/02by nigelmeng3,313 views
- 9:22
JNCIP Labs 1.1: JUNOS OSPF多区域配置Part1/3by nigelmeng2,705 views
- 1:08
Junos Space Virtual Control Overviewby JuniperNetworks4,051 views
- 10:00
Inter VLAN Routing - CCNA Examby paulwbrowning17,217 views
- 6:57
JUNOS逻辑路由器(Logical Routers)配置 - Part02/02by nigelmeng875 views
- 8:40
How to configure a Reflexive Access List on a Cisco Routerby adhak2011896 views
Why add the term allow-all then accept? If the filter is applied on input to fe-0/0/0 which is your internet-facing port, then wouldn't you want the default to be implicit deny? Otherwise seems like it's wide open.
Also, does blocking rfc1918 inbound from the internet interfere with ipsec tunnels which might have rfc1918 address spaces on the other end? I had that problem with a Cisco ASA...
xphobe 1 year ago
@xphobe This access list is meant only as an antispoofing access list. you are looking for specific combinations of tcp flags, you are also looking for addresses that are wrong. For instance you would want to allow all traffic through your routers, however you would not want traffic coming from the internet with a source of rfc-1918 private addresses as that would be a spoofing attack on your network, also there are certain typed of flags like syn-fin that should never be used on 1 together.
bufo333 1 year ago
Also note at the end of the filter list you have to define a term
term allow-all
then accept;
otherwise the implicit deny at the end of the filter list will block all traffic
bufo333 2 years ago