Junos firewall filter question

jude56g

Hi All,

I have encountered some firewall terms which I am not really familiar with, specifically I'm not clear on what subnets are being matched. I have done the binary math, and I think I have this figured out but I would like some confirmation.

I come from a Cisco world, and have never seen a non-contiguous wildcard mask in a filter before, so this is a little new to me.

#1 set firewall family inet filter filter 1 term t1 from destination-address 10.0.0.128/255.255.128.192
#2 set firewall family inet filter filter 1 term t1 from destination-address 10.1.0.128/255.255.192.192
#3 set firewall family inet filter filter 1 term t1 from destination-address 10.1.0.0/255.255.192.192
#4 set firewall family inet filter filter 1 term t1 from destination-address 10.1.0.64/255.255.192.192

The way I understand these terms are matching as follows:

#1 10.0.(1-126).(129-190)
#2 10.1.(1-62).(65-126)
#3 10.1.(0-63).(0-63)
#4 10.1.(0-63).(64-127)

Can someone tell me if I'm on the right track here?

APA

Almost. Non-contiguous mask is the same as a wildcard mask in IOS world. The filters are used to match host addresses basically, thus you still count the 0 subnets as they would be valid... for example in the first example 10.0.0.130 would match the filter.

#1 set firewall family inet filter filter 1 term t1 from destination-address 10.0.0.128/255.255.128.192
#2 set firewall family inet filter filter 1 term t1 from destination-address 10.1.0.128/255.255.192.192
#3 set firewall family inet filter filter 1 term t1 from destination-address 10.1.0.0/255.255.192.192
#4 set firewall family inet filter filter 1 term t1 from destination-address 10.1.0.64/255.255.192.192

The way I understand these terms are matching as follows:

#1 10.0.(1-126).(129-190)
#2 10.1.(1-62).(65-126)
#3 10.1.(0-63).(0-63)
#4 10.1.(0-63).(64-127)

#1 == 10.0.0.128 with a wildcard mask of 0.0.127.63

This would match 10.0.[0-127].[128-191]

#2 == 10.1.0.128 with a wildcard mask of 0.0.63.63

This would match 10.1.[0-63].[128-191]

#3 == 10.1.0.0 with a wildcard mask of 0.0.63.63

This would match 10.1.[0-63].[0.63]

#4 == 10.1.0.64 with a wildcard mask of 0.0.63.63

This would match 10.1.[0-63].[64-127]

Hope this helps.

BTW - The filter example given covers what would commonly be network addresses such as 10.1.0.0 as per filter statement #3... however this would be a valid /31 point-to-point address 10.1.0.0/31 if used in such a way. Thus not overly concerning, just thought I'd mention it.