Mailing List Archive: RE: firewall filter to allow ospf to RE [9:2144]

This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.

------_=_NextPart_001_01C26A0D.A10DF200
Content-Type: text/plain

Hi,

Thanks. Works like a charm.
//Hasanga

>-----Original Message-----
>From: Scott F. Robohn [mailto:scott@robohn.com]
>Sent: Wednesday, 2 October 2002 9:51 PM
>To: Hasanga Hendehewa (EPA)
>Cc: juniper@groupstudy.com
>Subject: Re: firewall filter to allow ospf to RE [9:2144]
>
>
>"from protocol ospf" should be sufficient:
>
>term ospf {
> from protocol ospf;
> then accept;
>}
>
>The "from source-address 0/0" match condition may actually be trying to
>match on that as an actual source address.
>
>HTH,
>Scott
>
>"Hasanga Hendehewa (EPA)" wrote:
>>
>> Hi,
>> I am trying to allow ospf in a firewall filter to be applied
>to protect the
>> RE. I am having trouble with the setup. I have tried all
>options stated
>> below, but as soon as I apply any of these to lo0 and clear the OSPF
>> neighbor sessions, the node fails to re-establish the OSPF
>relationships.
>> What am I doing wrong here?
>>
>> Option#1
>> term ospf {
>> from {
>> source-address {
>> 0.0.0.0/0;
>> }
>> destination-address {
>> 224.0.0.5/32;
>> }
>> protocol ospf;
>> }
>> then accept;
>>
>> Option#2
>> term ospf {
>> from {
>> source-address {
>> 0.0.0.0/0;
>> }
>> /* interface address towards the neighbor */
>> destination-address {
>> xxx.xxx.xxx.xxx/xx;
>> }
>> protocol ospf;
>> }
>> then {
>> accept;
>> }
>>
>> Option#3
>> term ospf {
>> from {
>> source-address {
>> 0.0.0.0/0;
>> }
>> protocol ospf;
>> }
>> then {
>> accept;
>> }
>>
>> Message Posted at:
>> http://www.groupstudy.com/form/read.php?f=9&i=2144&t=2144
>> --------------------------------------------------
>> FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/juniper.html

------_=_NextPart_001_01C26A0D.A10DF200
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3DUS-ASCII">
<META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version =
5.5.2654.19">
<TITLE>RE: firewall filter to allow ospf to RE [9:2144]</TITLE>
</HEAD>
<BODY>

Hi,


Thanks. Works like a charm.
 //Hasanga


>-----Original Message-----
 >From: Scott F. Robohn [<A =
HREF=3D"mailto:scott@robohn.com">mailto:scott@robohn.com</A>]
 >Sent: Wednesday, 2 October 2002 9:51 PM
 >To: Hasanga Hendehewa (EPA)
 >Cc: juniper@groupstudy.com
 >Subject: Re: firewall filter to allow ospf to RE =
[9:2144]
 >
 >
 >"from protocol ospf" should be =
sufficient:
 >
 >term ospf {
 >    from protocol ospf;
 >    then accept;
 >}
 >
 >The "from source-address 0/0" match =
condition may actually be trying to
 >match on that as an actual source =
address.
 >
 >HTH,
 >Scott
 >
 >"Hasanga Hendehewa (EPA)" =
wrote:
 >> 
 >> Hi,
 >> I am trying to allow ospf in a firewall =
filter to be applied 
 >to protect the
 >> RE. I am having trouble with the setup. I =
have tried all 
 >options stated
 >> below, but as soon as I apply any of these =
to lo0 and clear the OSPF
 >> neighbor sessions, the node fails to =
re-establish the OSPF 
 >relationships.
 >> What am I doing wrong here?
 >> 
 >> Option#1
 >>         term =
ospf {
 >>         &=
nbsp;   from {
 >>         &=
nbsp;       source-address {
 >>         &=
nbsp;           =
0.0.0.0/0;
 >>         &=
nbsp;       }
 >>         &=
nbsp;       destination-address {
 >>         &=
nbsp;           =
224.0.0.5/32;
 >>         &=
nbsp;       }
 >>         &=
nbsp;       protocol ospf;
 >>         &=
nbsp;   }
 >>         &=
nbsp;   then accept;
 >> 
 >> Option#2
 >>         term =
ospf {
 >>         &=
nbsp;   from {
 >>         &=
nbsp;       source-address {
 >>         &=
nbsp;           =
0.0.0.0/0;
 >>         &=
nbsp;       }
 >> /* interface address towards the neighbor =
*/
 >>         &=
nbsp;       destination-address {
 >>         &=
nbsp;           =
xxx.xxx.xxx.xxx/xx;
 >>         &=
nbsp;       }
 >>         &=
nbsp;       protocol ospf;
 >>         &=
nbsp;   }
 >>         &=
nbsp;   then {
 >>         &=
nbsp;       accept;
 >>         &=
nbsp;   }
 >> 
 >> Option#3
 >>         term =
ospf {
 >>         &=
nbsp;   from {
 >>         &=
nbsp;       source-address {
 >>         &=
nbsp;           =
0.0.0.0/0;
 >>         &=
nbsp;       }
 >>         &=
nbsp;       protocol ospf;
 >>         &=
nbsp;   }
 >>         &=
nbsp;   then {
 >>         &=
nbsp;       accept;
 >>         &=
nbsp;   }
 >> 
 >> Message Posted at:
 >> <A =
HREF=3D"http://www.groupstudy.com/form/read.php?f=3D9&i=3D2144&t=3D2144"=
=
TARGET=3D"_blank">http://www.groupstudy.com/form/read.php?f=3D9&i=3D2144=
&t=3D2144</A>
 >> =
--------------------------------------------------
 >> FAQ, list archives, and subscription info: =

 <A =
HREF=3D"http://www.groupstudy.com/list/juniper.html" =
TARGET=3D"_blank">http://www.groupstudy.com/list/juniper.html</A>=



</BODY>
</HTML>
------_=_NextPart_001_01C26A0D.A10DF200--