
Junos firewall filter question

jude56g Member Posts: 107
Hi All,

I have encountered some firewall terms which I am not really familiar with, specifically I'm not clear on what subnets are being matched. I have done the binary math, and I think I have this figured out but I would like some confirmation.

I come from a Cisco world, and have never seen a non-contiguous wildcard mask in a filter before, so this is a little new to me.

#1 set firewall family inet filter filter 1 term t1 from destination-address 10.0.0.128/255.255.128.192
#2 set firewall family inet filter filter 1 term t1 from destination-address 10.1.0.128/255.255.192.192
#3 set firewall family inet filter filter 1 term t1 from destination-address 10.1.0.0/255.255.192.192
#4 set firewall family inet filter filter 1 term t1 from destination-address 10.1.0.64/255.255.192.192

The way I understand it, these terms match as follows:

#1 10.0.(1-126).(129-190)
#2 10.1.(1-62).(65-126)
#3 10.1.(0-63).(0-63)
#4 10.1.(0-63).(64-127)

Can someone tell me if I'm on the right track here?

Comments

  • APA Member Posts: 959
    Almost. A non-contiguous mask is the same as a wildcard mask in the IOS world. The filters are basically used to match host addresses, thus you still count the 0 subnets as they would be valid... for example, in the first example 10.0.0.130 would match the filter.

    #1 set firewall family inet filter filter 1 term t1 from destination-address 10.0.0.128/255.255.128.192
    #2 set firewall family inet filter filter 1 term t1 from destination-address 10.1.0.128/255.255.192.192
    #3 set firewall family inet filter filter 1 term t1 from destination-address 10.1.0.0/255.255.192.192
    #4 set firewall family inet filter filter 1 term t1 from destination-address 10.1.0.64/255.255.192.192

    The way I understand it, these terms match as follows:

    #1 10.0.(1-126).(129-190)
    #2 10.1.(1-62).(65-126)
    #3 10.1.(0-63).(0-63)
    #4 10.1.(0-63).(64-127)

    #1 == 10.0.0.128 with a wildcard mask of 0.0.127.63

    This would match 10.0.[0-127].[128-191]

    #2 == 10.1.0.128 with a wildcard mask of 0.0.63.63

    This would match 10.1.[0-63].[128-191]

    #3 == 10.1.0.0 with a wildcard mask of 0.0.63.63

    This would match 10.1.[0-63].[0-63]

    #4 == 10.1.0.64 with a wildcard mask of 0.0.63.63

    This would match 10.1.[0-63].[64-127]

    Hope this helps.

    BTW - the filter example given covers what would commonly be network addresses, such as 10.1.0.0 as per filter statement #3... however, 10.1.0.0 would be a valid point-to-point address if used as 10.1.0.0/31. Thus not overly concerning, just thought I'd mention it.

    CCNA | CCNA:Security | CCNP | CCIP
    JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
    JNCIS:SP | JNCIP:SP
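The match logic APA describes can be checked mechanically rather than by hand. The following is an added example, not code from the thread or from Juniper: it parses a Junos `address/mask` term, converts the mask to the equivalent IOS wildcard, tests individual destination addresses against the term, and prints the per-octet ranges in the same `10.0.[0-127].[128-191]` notation used above. It goes one step beyond the four terms in the thread by handling masks whose 1 bits are scattered *within* an octet (a constructed fifth term, `10.0.0.128/255.255.255.160`), where the matching values are not a single contiguous run. Function names (`parse_term`, `matches`, `describe`, etc.) are this example's own choices.

```python
import ipaddress

# The four terms from the thread, plus one constructed term (assumption, not
# from the page) whose last-octet mask 160 = 10100000b scatters the matches.
TERMS = {
    "#1": "10.0.0.128/255.255.128.192",
    "#2": "10.1.0.128/255.255.192.192",
    "#3": "10.1.0.0/255.255.192.192",
    "#4": "10.1.0.64/255.255.192.192",
    "#5": "10.0.0.128/255.255.255.160",   # constructed, not from the thread
}


def parse_term(spec):
    """Split 'a.b.c.d/m.m.m.m' or 'a.b.c.d/prefixlen' into (addr, mask) ints.

    Junos masks are subnet-mask style: a 1 bit means 'this bit must match'.
    Unlike ipaddress.IPv4Network, this accepts non-contiguous masks.
    """
    addr_s, mask_s = spec.split("/")
    addr = int(ipaddress.IPv4Address(addr_s))
    if mask_s.isdigit():
        plen = int(mask_s)
        mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
    else:
        mask = int(ipaddress.IPv4Address(mask_s))
    return addr, mask


def wildcard(spec):
    """IOS-style wildcard for the term: invert the mask (1 = don't care)."""
    _, mask = parse_term(spec)
    return str(ipaddress.IPv4Address(mask ^ 0xFFFFFFFF))


def host_count(spec):
    """Number of distinct addresses the term matches: 2 ** (don't-care bits)."""
    _, mask = parse_term(spec)
    return 1 << bin(mask ^ 0xFFFFFFFF).count("1")


def matches(spec, ip):
    """A packet matches when every 1 bit of the mask agrees with the term address."""
    addr, mask = parse_term(spec)
    return (int(ipaddress.IPv4Address(ip)) & mask) == (addr & mask)


def octet_values(addr_octet, mask_octet):
    """All values 0-255 of one octet that satisfy that octet's address/mask bits."""
    return [v for v in range(256) if (v & mask_octet) == (addr_octet & mask_octet)]


def runs(vals):
    """Collapse a sorted list of ints into (lo, hi) runs of consecutive values."""
    out = []
    start = prev = vals[0]
    for v in vals[1:]:
        if v != prev + 1:
            out.append((start, prev))
            start = v
        prev = v
    out.append((start, prev))
    return out


def describe(spec):
    """Render the match set per octet, e.g. '10.0.[0-127].[128-191]'.

    A fixed octet prints as a bare number; an octet with several runs prints
    them comma-separated, e.g. '[128-159,192-223]'.
    """
    addr, mask = parse_term(spec)
    parts = []
    for shift in (24, 16, 8, 0):
        a = (addr >> shift) & 0xFF
        m = (mask >> shift) & 0xFF
        r = runs(octet_values(a, m))
        if len(r) == 1 and r[0][0] == r[0][1]:
            parts.append(str(r[0][0]))
        else:
            parts.append("[" + ",".join(f"{lo}-{hi}" for lo, hi in r) + "]")
    return ".".join(parts)


if __name__ == "__main__":
    for name, spec in TERMS.items():
        print(f"{name} {spec}  wildcard {wildcard(spec)}  "
              f"hosts {host_count(spec)}  matches {describe(spec)}")
    # The host APA cites for term #1, and two near misses that fail on one bit.
    for ip in ("10.0.0.130", "10.0.0.127", "10.0.128.130"):
        print(f"{ip} vs #1: {matches(TERMS['#1'], ip)}")
```

Two things worth noting from running it. First, `describe` confirms APA's ranges exactly (`10.0.[0-127].[128-191]` for #1), and shows that the OP's instinct to skip the all-zero values is where the off-by-one came from: term #3 matches 8192 hosts, including 10.1.0.0. Second, `ipaddress.IPv4Network` (and most CIDR-only tooling) rejects `255.255.128.192` as an invalid netmask, so a term like #1 cannot be represented as a prefix at all; audit scripts that normalise firewall terms to CIDR will silently mis-handle such filters, which is exactly why a bitwise `(ip & mask) == (addr & mask)` check is the safe way to reason about them.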
  • jude56g Member Posts: 107
    Thanks a lot, APA, for the reply! I'm not sure why, but this was really stumping me. Thanks again for the clarification.

    -Jude