[GTER] IPv6 filter for the RE on Juniper
HugLeo
hugocanalli at gmail.com
Tue Nov 1 16:22:43 -02 2016
I found a flaw in this filter regarding bgp-reply.
If a neighbour of yours forges port 179 as the source, it can reach
any service on your router.
To fix it, use tcp-established.
Example:
set firewall family inet filter ACCEPT-BGP term ACCEPT-BGP from source-prefix-list BGP-PEERS
set firewall family inet filter ACCEPT-BGP term ACCEPT-BGP from protocol tcp
set firewall family inet filter ACCEPT-BGP term ACCEPT-BGP from destination-port bgp
set firewall family inet filter ACCEPT-BGP term ACCEPT-BGP then accept
set firewall family inet filter ACCEPT-BGP term ACCEPT-BGP-REPLY from source-prefix-list BGP-PEERS
set firewall family inet filter ACCEPT-BGP term ACCEPT-BGP-REPLY from protocol tcp
set firewall family inet filter ACCEPT-BGP term ACCEPT-BGP-REPLY from source-port bgp
set firewall family inet filter ACCEPT-BGP term ACCEPT-BGP-REPLY from tcp-established
set firewall family inet filter ACCEPT-BGP term ACCEPT-BGP-REPLY then accept
set firewall family inet6 filter ACCEPT-BGP-IPV6 term ACCEPT-BGP-IPV6 from source-prefix-list BGP-PEERS-IPV6
set firewall family inet6 filter ACCEPT-BGP-IPV6 term ACCEPT-BGP-IPV6 from next-header tcp
set firewall family inet6 filter ACCEPT-BGP-IPV6 term ACCEPT-BGP-IPV6 from destination-port bgp
set firewall family inet6 filter ACCEPT-BGP-IPV6 term ACCEPT-BGP-IPV6 then accept
set firewall family inet6 filter ACCEPT-BGP-IPV6 term ACCEPT-BGP-IPV6-REPLY from source-prefix-list BGP-PEERS-IPV6
set firewall family inet6 filter ACCEPT-BGP-IPV6 term ACCEPT-BGP-IPV6-REPLY from next-header tcp
set firewall family inet6 filter ACCEPT-BGP-IPV6 term ACCEPT-BGP-IPV6-REPLY from source-port bgp
set firewall family inet6 filter ACCEPT-BGP-IPV6 term ACCEPT-BGP-IPV6-REPLY from tcp-established
set firewall family inet6 filter ACCEPT-BGP-IPV6 term ACCEPT-BGP-IPV6-REPLY then accept
2016-10-27 17:41 GMT-02:00 Eduardo Schoedler <listas at esds.com.br>:
> There is a working example of an RE filter for Juniper here:
> https://tools.ietf.org/html/rfc6192#appendix-A.2
>
> Regards,
>
>
>
> 2016-10-27 16:59 GMT-02:00 Fábio Hernandes <fabio at hernandes.eti.br>:
> > Hello, has anyone applied an IPv6 filter on the RE of an MX104 (14.2R4.9) and run into any
> > problem?
> >
> > If I enable it, BGP does not come up, not even using payload-protocol instead of
> > next-header.
> >
> > term aceita-bgp {
> >     from {
> >         next-header tcp;
> >         destination-port bgp;
> >     }
> >     then accept;
> > }
> > term aceita-bgp-reply {
> >     from {
> >         next-header tcp;
> >         port bgp;
> >     }
> >     then accept;
> > }
> >
> >
> > --
> > Fábio R. Hernandes
> > Phone: (17) 99643 6715
> > Skype: hernandes.fabio
> > --
> > gter list https://eng.registro.br/mailman/listinfo/gter
>
>
>
> --
> Eduardo Schoedler
> --
> gter list https://eng.registro.br/mailman/listinfo/gter
>
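To make the point of the reply above concrete, here is a small model of how a stateless Junos filter term is evaluated, run over both the quoted aceita-bgp-reply term (matches on port bgp in either direction, no tcp-established) and the corrected ACCEPT-BGP-IPV6-REPLY term (source-prefix-list, source-port bgp, tcp-established). This is an added example written for this page, not Junos code and not code from anyone in the thread; the peer addresses, ports and sample segments are constructed values, and the Term/Packet classes are an illustrative approximation of the real match semantics.

```python
"""Model of a stateless Junos firewall-filter term, added to illustrate the
thread: why a "bgp-reply" term that matches only on port 179 lets any TCP
segment through, and what tcp-established changes. Example code, not Junos;
peers, ports and packets below are constructed values."""
from dataclasses import dataclass, field
from typing import FrozenSet, Optional, Set

BGP_PORT = 179
# Constructed stand-in for prefix-list BGP-PEERS-IPV6.
BGP_PEERS = {"2001:db8::10", "2001:db8::11"}


@dataclass
class Packet:
    src: str
    dst_port: int
    src_port: int
    next_header: str = "tcp"
    flags: FrozenSet[str] = field(default_factory=frozenset)  # e.g. {"SYN"}, {"ACK"}


@dataclass
class Term:
    name: str
    src_prefix_list: Optional[Set[str]] = None  # None = no source restriction
    next_header: str = "tcp"
    dst_port: Optional[int] = None
    src_port: Optional[int] = None
    port: Optional[int] = None                  # Junos "port": source OR destination
    tcp_established: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.src_prefix_list is not None and pkt.src not in self.src_prefix_list:
            return False
        if pkt.next_header != self.next_header:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.src_port is not None and pkt.src_port != self.src_port:
            return False
        if self.port is not None and self.port not in (pkt.src_port, pkt.dst_port):
            return False
        # Junos tcp-established is shorthand for tcp-flags "(ack | rst)":
        # a bare SYN, i.e. a new connection attempt, never matches.
        if self.tcp_established and not (pkt.flags & {"ACK", "RST"}):
            return False
        return True


def evaluate(terms, pkt):
    """First matching term wins; an unmatched packet hits the implicit discard."""
    for term in terms:
        if term.matches(pkt):
            return "accept", term.name
    return "discard", None


# The two variants discussed in the thread.
QUOTED = [Term("aceita-bgp", dst_port=BGP_PORT),
          Term("aceita-bgp-reply", port=BGP_PORT)]
FIXED = [Term("ACCEPT-BGP-IPV6", BGP_PEERS, dst_port=BGP_PORT),
         Term("ACCEPT-BGP-IPV6-REPLY", BGP_PEERS, src_port=BGP_PORT, tcp_established=True)]

# Constructed sample traffic toward the Routing Engine.
SAMPLES = {
    "peer opens BGP session":            Packet("2001:db8::10", 179, 40000, flags=frozenset({"SYN"})),
    "peer answers our BGP open":         Packet("2001:db8::10", 40001, 179, flags=frozenset({"SYN", "ACK"})),
    "peer data on established session":  Packet("2001:db8::10", 40001, 179, flags=frozenset({"ACK"})),
    "peer, source port 179, to ssh":     Packet("2001:db8::10", 22, 179, flags=frozenset({"SYN"})),
    "non-peer, source port 179, to ssh": Packet("2001:db8::bad", 22, 179, flags=frozenset({"SYN"})),
    "non-peer opens BGP":                Packet("2001:db8::bad", 179, 40000, flags=frozenset({"SYN"})),
}


def run(terms):
    """Map each sample label to accept/discard for the given term list."""
    return {label: evaluate(terms, pkt)[0] for label, pkt in SAMPLES.items()}


if __name__ == "__main__":
    quoted, fixed = run(QUOTED), run(FIXED)
    for label in SAMPLES:
        print(f"{label:36} quoted={quoted[label]:8} fixed={fixed[label]}")
```

Running it shows the quoted term accepting a SYN to port 22 whenever port 179 appears on either side, from any source, while the corrected term still accepts the genuine reply segments (SYN/ACK and ACK from a listed peer) and discards new-connection attempts. Note that tcp-established is a flag check, not connection tracking: it keeps a source-port-179 segment from opening a session to another service, which is the problem raised in the thread, but the source-prefix-list is what limits the term to configured peers.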