This is late, but I would configure 2 terms in the firewall, one accepting/allowing what is in the prefix list and another term denying anything that is NOT in the prefix list! The keyword except throws me off :( and that's why I would do it this way.
//allow only what is in the prefix list//
set policy-options prefix-list ISP_peers apply-path "protocols bgp group <*> neighbor <*>"
set firewall family inet filter allow_inbound term bgp from source-prefix-list ISP_peers
set firewall family inet filter allow_inbound term bgp from protocol tcp
set firewall family inet filter allow_inbound term bgp from port bgp
set firewall family inet filter allow_inbound term bgp then accept
//deny all tcp traffic on bgp port that is NOT in the prefix list//
set firewall family inet filter allow_inbound term discard-bgp from protocol tcp
set firewall family inet filter allow_inbound term discard-bgp from port bgp
set firewall family inet filter allow_inbound term discard-bgp then discard
**** term discard-bgp must be applied below term bgp ****
------------------------------
Epa-
------------------------------
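To make the term-ordering point above and the meaning of the `except` keyword from the question concrete, here is an added example that is not part of the original thread and not Junos code: a small Python model of how a `family inet` firewall filter evaluates its terms (first match wins, and a packet that matches no term hits the implicit discard at the end of the filter). It models only the match conditions used in the thread (`source-prefix-list` with and without `except`, `protocol`, `port`), treats `port` as matching either the source or the destination port as Junos does, and treats `reject` like `discard` for the question of whether a packet gets through. The peer addresses stand in for what `apply-path` would collect and are constructed for the example.

```python
"""Toy model of Junos firewall-filter term evaluation (added example).

Assumptions (not from the thread): only source-prefix-list[/except],
protocol and port are modelled; 'port' matches source OR destination
port; 'reject' and 'discard' both mean the packet does not get through;
peer addresses are made up for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

BGP_PORT = 179


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass
class Term:
    name: str
    action: str                               # "accept", "discard" or "reject"
    source_prefix_list: Optional[List[str]] = None
    except_: bool = False                     # 'source-prefix-list X except'
    protocol: Optional[str] = None
    port: Optional[int] = None                # Junos 'port': source OR destination

    def matches(self, pkt: Packet) -> bool:
        if self.source_prefix_list is not None:
            in_list = any(ip_address(pkt.src) in ip_network(p)
                          for p in self.source_prefix_list)
            # 'except' inverts the prefix-list match: the term matches
            # sources that are NOT in the list.
            if in_list == self.except_:
                return False
        if self.protocol is not None and pkt.proto != self.protocol:
            return False
        if self.port is not None and self.port not in (pkt.sport, pkt.dport):
            return False
        return True


def evaluate(terms: List[Term], pkt: Packet) -> Tuple[str, str]:
    """Return (term name, action). Terms are tried in order; a packet that
    matches none of them is dropped by the implicit discard at the end."""
    for term in terms:
        if term.matches(pkt):
            return term.name, term.action
    return "<implicit>", "discard"


# Constructed stand-in for the apply-path prefix list ISP_peers.
ISP_PEERS = ["203.0.113.1/32", "198.51.100.1/32"]

# Epa's two-term filter: accept BGP from peers, then discard all other BGP.
EPA_FILTER = [
    Term("bgp", "accept", ISP_PEERS, False, "tcp", BGP_PORT),
    Term("discard-bgp", "discard", None, False, "tcp", BGP_PORT),
]

# John's single term: 'source-prefix-list ISP_peers except', port bgp, reject.
JOHN_FILTER = [
    Term("bgp", "reject", ISP_PEERS, True, None, BGP_PORT),
]


def decide(terms: List[Term], src: str, dport: int = BGP_PORT,
           proto: str = "tcp") -> Tuple[str, str]:
    """Evaluate a constructed TCP packet from 'src' to the router."""
    return evaluate(terms, Packet(src, "192.0.2.1", proto, 40000, dport))


if __name__ == "__main__":
    for label, flt in (("Epa", EPA_FILTER), ("Epa reversed", EPA_FILTER[::-1]),
                       ("John", JOHN_FILTER)):
        for src in ("203.0.113.1", "192.0.2.200"):
            print(label, src, decide(flt, src))
```

Running it shows the ordering caveat from the post: with `discard-bgp` placed first, a peer's BGP session is discarded before the `bgp` term is reached. It also shows a side effect of any inbound filter with only these terms, on the model as on a real box: traffic that matches no term (here, the peer's session under the single `except` term, or a non-BGP packet under either filter) falls through to the implicit discard, so a complete uplink filter needs its remaining terms, or a final accept term, after these.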
Original Message:
Sent: 08-28-2021 08:43
From: MURILO BRANTEGANI GRIZI
Subject: Firewall filter "except" doubt
Hi John,
I think you should remove the except keyword.
According to the policy:
admin@R1# set firewall family inet filter in-filter term bgp from source-prefix-list bgp-neighbors ?
Possible completions:
<[Enter]> Execute this command
except Match addresses not in this prefix list
| Pipe through a command
[edit]
Since you are already configuring the neighbor, it looks reasonable that you want to permit the addresses that are in the prefix list (by neighbor configuration), not the ones that aren't.
Thanks
------------------------------
MURILO BRANTEGANI GRIZI
Original Message:
Sent: 08-27-2021 14:04
From: John Gerro
Subject: Firewall filter "except" doubt
Hi,
I have an MX router connecting to two ISPs. I want to implement a simple inbound filter on the uplink interfaces to block BGP connection attempts except from configured ISP peers. I have the following configuration:
set policy-options prefix-list ISP_peers apply-path "protocols bgp group <*> neighbor <*>"
set firewall family inet filter allow_inbound term bgp from source-prefix-list ISP_peers except
set firewall family inet filter allow_inbound term bgp from port bgp
set firewall family inet filter allow_inbound term bgp then reject
The above configuration seems to be reasonable, but it is not working, i.e., it does not block unwanted BGP connection attempts. Is anything wrong?
John
------------------------------
John Gerro
------------------------------