[GTER] IPv6 filter for the RE on Juniper

Diogo Montagner diogo.montagner at gmail.com
Tue Nov 1 21:13:47 -02 2016


The MX-Series book presents some examples:

https://www.safaribooksonline.com/library/view/juniper-mx-series/9781449358143/ch04s01.html

Regards,

./diogo -montagner
JNCIE-SP 0x41A

On Wed, Nov 2, 2016 at 5:22 AM, HugLeo <hugocanalli at gmail.com> wrote:

> I found a flaw in this filter regarding the bgp-reply term.
> If one of your neighbors forges port 179 as the source port, it can reach
> any service on your router.
> To fix it, use tcp-established.
>
> Example:
>
> set firewall family inet filter ACCEPT-BGP term ACCEPT-BGP from source-prefix-list BGP-PEERS
> set firewall family inet filter ACCEPT-BGP term ACCEPT-BGP from protocol tcp
> set firewall family inet filter ACCEPT-BGP term ACCEPT-BGP from destination-port bgp
> set firewall family inet filter ACCEPT-BGP term ACCEPT-BGP then accept
> set firewall family inet filter ACCEPT-BGP term ACCEPT-BGP-REPLY from source-prefix-list BGP-PEERS
> set firewall family inet filter ACCEPT-BGP term ACCEPT-BGP-REPLY from protocol tcp
> set firewall family inet filter ACCEPT-BGP term ACCEPT-BGP-REPLY from source-port bgp
> set firewall family inet filter ACCEPT-BGP term ACCEPT-BGP-REPLY from tcp-established
> set firewall family inet filter ACCEPT-BGP term ACCEPT-BGP-REPLY then accept
>
>
> set firewall family inet6 filter ACCEPT-BGP-IPV6 term ACCEPT-BGP-IPV6 from source-prefix-list BGP-PEERS-IPV6
> set firewall family inet6 filter ACCEPT-BGP-IPV6 term ACCEPT-BGP-IPV6 from next-header tcp
> set firewall family inet6 filter ACCEPT-BGP-IPV6 term ACCEPT-BGP-IPV6 from destination-port bgp
> set firewall family inet6 filter ACCEPT-BGP-IPV6 term ACCEPT-BGP-IPV6 then accept
> set firewall family inet6 filter ACCEPT-BGP-IPV6 term ACCEPT-BGP-IPV6-REPLY from source-prefix-list BGP-PEERS-IPV6
> set firewall family inet6 filter ACCEPT-BGP-IPV6 term ACCEPT-BGP-IPV6-REPLY from next-header tcp
> set firewall family inet6 filter ACCEPT-BGP-IPV6 term ACCEPT-BGP-IPV6-REPLY from source-port bgp
> set firewall family inet6 filter ACCEPT-BGP-IPV6 term ACCEPT-BGP-IPV6-REPLY from tcp-established
> set firewall family inet6 filter ACCEPT-BGP-IPV6 term ACCEPT-BGP-IPV6-REPLY then accept
>
>
>
>
> 2016-10-27 17:41 GMT-02:00 Eduardo Schoedler <listas at esds.com.br>:
>
> > There is a working example of an RE filter for Juniper here:
> > https://tools.ietf.org/html/rfc6192#appendix-A.2
> >
> > Regards,
> >
> >
> >
> > 2016-10-27 16:59 GMT-02:00 Fábio Hernandes <fabio at hernandes.eti.br>:
> > > Hello, has anyone applied an IPv6 filter to the RE of an MX104 (14.2R4.9) and run into
> > > any problems?
> > >
> > > If I enable it, BGP does not come up, not even when using payload-protocol instead of
> > > next-header.
> > >
> > > term aceita-bgp {
> > >     from {
> > >         next-header tcp;
> > >         destination-port bgp;
> > >     }
> > >     then accept;
> > > }
> > > term aceita-bgp-reply {
> > >     from {
> > >         next-header tcp;
> > >         port bgp;
> > >     }
> > >     then accept;
> > > }
> > >
> > >
> > > --
> > > Fábio R. Hernandes
> > > Phone: (17) 99643 6715
> > > Skype: hernandes.fabio
> > > --
> > > gter list    https://eng.registro.br/mailman/listinfo/gter
> >
> >
> >
> > --
> > Eduardo Schoedler
> >
>
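To check the point HugLeo makes about the reply term, here is an added example (my own code, not from anyone in the thread or from Juniper) that models how the two terms of the ACCEPT-BGP filter evaluate packets headed to the RE, with and without tcp-established. The peer prefixes (192.0.2.0/24 and 2001:db8::/32), the packet dictionaries and the ACK-or-RST reading of tcp-established are assumptions of the model, not taken from the thread.

```python
# Added example: a minimal model of the two BGP terms of a Junos RE filter,
# showing why the "reply" term needs tcp-established.  Peer prefixes and
# packets below are constructed for the demonstration.
import ipaddress

BGP = 179
# Constructed stand-ins for prefix-lists BGP-PEERS / BGP-PEERS-IPV6.
BGP_PEERS = [ipaddress.ip_network("192.0.2.0/24"),
             ipaddress.ip_network("2001:db8::/32")]


def in_prefix_list(addr, prefixes):
    a = ipaddress.ip_address(addr)
    return any(a in p for p in prefixes)   # mixed v4/v6 compares as False


def tcp_established(pkt):
    # Junos tcp-established is an alias for tcp-flags "(ack | rst)":
    # everything except the bare SYN that opens a new connection.
    return "ACK" in pkt["flags"] or "RST" in pkt["flags"]


def evaluate(pkt, require_established):
    """Return 'accept' or 'discard' for one packet destined to the RE.

    Term ACCEPT-BGP:        peer -> our port 179.
    Term ACCEPT-BGP-REPLY:  peer port 179 -> any of our ports, optionally
                            limited to established flows.
    Anything else falls through to the filter's implicit discard.
    """
    if pkt["proto"] != "tcp" or not in_prefix_list(pkt["src"], BGP_PEERS):
        return "discard"
    if pkt["dport"] == BGP:
        return "accept"                          # ACCEPT-BGP
    if pkt["sport"] == BGP:
        if not require_established or tcp_established(pkt):
            return "accept"                      # ACCEPT-BGP-REPLY
    return "discard"


# Constructed packets: a peer opening a session, a reply inside an
# established session, and a SYN to SSH that merely carries 179 as source.
SESSION_OPEN = {"src": "192.0.2.1", "proto": "tcp", "sport": 50000, "dport": BGP, "flags": {"SYN"}}
SESSION_REPLY = {"src": "2001:db8::1", "proto": "tcp", "sport": BGP, "dport": 50000, "flags": {"ACK"}}
SPOOFED_SSH = {"src": "192.0.2.1", "proto": "tcp", "sport": BGP, "dport": 22, "flags": {"SYN"}}


def compare():
    """Map packet name -> (verdict without tcp-established, verdict with it)."""
    return {name: (evaluate(p, False), evaluate(p, True)) for name, p in
            [("open", SESSION_OPEN), ("reply", SESSION_REPLY), ("spoofed", SPOOFED_SSH)]}


if __name__ == "__main__":
    for name, (without, with_est) in compare().items():
        print(f"{name:8s} without tcp-established: {without:8s} with: {with_est}")
```

Legitimate session setup and replies pass in both versions; only the spoofed SYN to port 22 changes from accept to discard once tcp-established is added.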
