Mailing List Archive

ipv6 firewall filters
Hi,

I'm trying to replicate my ipv4 filter to an ipv6 filter. Hopefully someone
could help me with this part:

IPv4:
term 0 {
    from {
        protocol tcp;
        tcp-established;
    }
    then accept;
}

Somehow, tcp-established isn't available in IPv6 filters:
# set firewall family inet6 filter router-prot-ipv6 term 1 from tcp-established

^
syntax error.

I know that protocol tcp is next-header tcp under IPv6.

--
/- Met vriendelijke groet/With kind regards, -\
<- Peter Batenburg - ProServe B.V. - www.proserve.nl ->
\- tel: +31-184-423815 - fax: +31-184-417160 -/
ipv6 firewall filters [ In reply to ]
I think this is the closest you can get.
..unless someone wants to differ here ....

family inet6 {
    filter test {
        term 1 {
            from {
                next-header tcp;
            }
            then accept;
        }
    }
}

Harshit

-----Original Message-----
From: ProServe - Peter Batenburg [mailto:peter@proserve.nl]
Sent: Sunday, December 29, 2002 6:44 AM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] ipv6 firewall filters


Hi,

I'm trying to replicate my ipv4 filter to an ipv6 filter. Hopefully
someone could help me with this part:

IPv4:
term 0 {
    from {
        protocol tcp;
        tcp-established;
    }
    then accept;
}

Somehow, tcp-established isn't available in IPv6 filters:
# set firewall family inet6 filter router-prot-ipv6 term 1 from
tcp-established

^
syntax error.

I know that protocol tcp is next-header tcp under IPv6.

--
/- Met vriendelijke groet/With kind regards, -\
<- Peter Batenburg - ProServe B.V. - www.proserve.nl ->
\- tel: +31-184-423815 - fax: +31-184-417160 -/
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
http://puck.nether.net/mailman/listinfo/juniper-nsp
ipv6 firewall filters [ In reply to ]
On Mon, 30 Dec 2002, Harshit Kumar wrote:
> I think this is the closest you can get.
> ..unless someone wants to differ here ....
>
> family inet6 {
>     filter test {
>         term 1 {
>             from {
>                 next-header tcp;
>             }
>             then accept;
>         }
>     }
> }

FWIW, IMO, that's completely unacceptable from the packet filtering
point-of-view. Checking for TCP flags is a must; it's no different
compared to IPv4.

> -----Original Message-----
> From: ProServe - Peter Batenburg [mailto:peter@proserve.nl]
> Sent: Sunday, December 29, 2002 6:44 AM
> To: juniper-nsp@puck.nether.net
> Subject: [j-nsp] ipv6 firewall filters
>
>
> Hi,
>
> I'm trying to replicate my ipv4 filter to an ipv6 filter. Hopefully
> someone could help me with this part:
>
> IPv4:
> term 0 {
>     from {
>         protocol tcp;
>         tcp-established;
>     }
>     then accept;
> }
>
> Somehow, tcp-established isn't available in IPv6 filters:
> # set firewall family inet6 filter router-prot-ipv6 term 1 from
> tcp-established
>
> ^
> syntax error.
>
> I know that protocol tcp is next-header tcp under IPv6.
>
>

--
Pekka Savola "Tell me of difficulties surmounted,
Netcore Oy not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords
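The following Python model, added here and not part of the thread or of any Junos code, makes the disagreement above concrete. It builds constructed IPv6/TCP packets and evaluates two stateless filter terms against them: Harshit's "next-header tcp" term, and a term modelling the IPv4 "tcp-established" match as "TCP with ACK or RST set" (the semantics Junos gives that keyword). Assumptions: the model walks Hop-by-Hop, Routing, Destination Options and Fragment extension headers to find the transport protocol, which is the model's own choice and not a claim about how a given router's next-header match behaves; a packet no term accepts is discarded, matching the implicit discard at the end of a Junos filter.

```python
"""Stateless model of two IPv6 filter terms: 'next-header tcp' versus an
'established' match (ACK or RST set). Added example with constructed packets;
not code from the thread or from Junos."""
import ipaddress
import struct

NEXT_HEADER_HOP_BY_HOP = 0
NEXT_HEADER_TCP = 6
NEXT_HEADER_ROUTING = 43
NEXT_HEADER_FRAGMENT = 44
NEXT_HEADER_DEST_OPTS = 60
IPV6_HEADER_LEN = 40
TCP_HEADER_MIN_LEN = 20

TCP_FLAG_SYN = 0x02
TCP_FLAG_RST = 0x04
TCP_FLAG_ACK = 0x10


def build_ipv6_tcp(flags, src="2001:db8::1", dst="2001:db8::2", sport=40000,
                   dport=22, hop_by_hop=False, fragment_offset=None):
    """Construct a minimal IPv6 packet carrying a 20-byte TCP header with the
    given flags (constructed sample data, documentation-prefix addresses).
    Optionally prepend a Hop-by-Hop header and/or a Fragment header."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
    headers = []  # (header type, header body after the Next Header byte)
    if hop_by_hop:
        headers.append((NEXT_HEADER_HOP_BY_HOP, bytes([0]) + bytes(6)))  # len 0 = 8 octets
    if fragment_offset is not None:
        headers.append((NEXT_HEADER_FRAGMENT,
                        bytes([0]) + struct.pack("!HI", fragment_offset << 3, 1)))
    payload, nh = tcp, NEXT_HEADER_TCP
    for htype, body in reversed(headers):  # chain headers back to front
        payload = bytes([nh]) + body + payload
        nh = htype
    ipv6 = struct.pack("!IHBB16s16s", 6 << 28, len(payload), nh, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed)
    return ipv6 + payload


def transport_header(packet):
    """Walk the extension-header chain; return (protocol, transport header bytes).
    A non-first fragment carries no transport header, so b'' is returned."""
    if len(packet) < IPV6_HEADER_LEN or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off = packet[6], IPV6_HEADER_LEN
    while nh in (NEXT_HEADER_HOP_BY_HOP, NEXT_HEADER_ROUTING,
                 NEXT_HEADER_DEST_OPTS, NEXT_HEADER_FRAGMENT):
        if len(packet) < off + 8:
            raise ValueError("truncated extension header")
        if nh == NEXT_HEADER_FRAGMENT:
            if struct.unpack_from("!H", packet, off + 2)[0] >> 3 != 0:
                return packet[off], b""
            hdr_len = 8
        else:
            hdr_len = (packet[off + 1] + 1) * 8  # length field excludes first 8 octets
        nh = packet[off]
        off += hdr_len
    return nh, packet[off:]


def match_next_header_tcp(packet):
    """Model of 'from { next-header tcp; }': every TCP segment matches, SYN included."""
    proto, _ = transport_header(packet)
    return proto == NEXT_HEADER_TCP


def match_tcp_established(packet):
    """Model of the IPv4 'tcp-established' match: TCP with ACK or RST set,
    i.e. everything except a connection-opening SYN. Flags are TCP byte 13."""
    proto, tcp = transport_header(packet)
    if proto != NEXT_HEADER_TCP or len(tcp) < TCP_HEADER_MIN_LEN:
        return False
    return bool(tcp[13] & (TCP_FLAG_ACK | TCP_FLAG_RST))


def run_filter(terms, packet):
    """Evaluate (name, match_fn, action) terms in order; first match wins.
    Modelled default: discard, as at the end of a Junos filter."""
    for _name, match, action in terms:
        if match(packet):
            return action
    return "discard"


NEXT_HEADER_ONLY = [("1", match_next_header_tcp, "accept")]
ESTABLISHED_ONLY = [("0", match_tcp_established, "accept")]

if __name__ == "__main__":
    samples = [("SYN", build_ipv6_tcp(TCP_FLAG_SYN)),
               ("SYN/ACK", build_ipv6_tcp(TCP_FLAG_SYN | TCP_FLAG_ACK)),
               ("ACK", build_ipv6_tcp(TCP_FLAG_ACK)),
               ("RST", build_ipv6_tcp(TCP_FLAG_RST)),
               ("SYN after Hop-by-Hop", build_ipv6_tcp(TCP_FLAG_SYN, hop_by_hop=True)),
               ("non-first fragment", build_ipv6_tcp(TCP_FLAG_ACK, fragment_offset=1))]
    for label, pkt in samples:
        print(f"{label:>22}: next-header-only={run_filter(NEXT_HEADER_ONLY, pkt):<8}"
              f" established={run_filter(ESTABLISHED_ONLY, pkt)}")
```

Running it shows the point Pekka makes: the next-header-only term accepts a bare SYN (and a non-first fragment, whose flags cannot be inspected at all), while the established term accepts only segments carrying ACK or RST. The fragment case is the edge to keep in mind for any stateless IPv6 filter that matches on transport-layer fields.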