
How to exclude an ip from the subnet defined as prefix-list in firewall filter

  • 1.  How to exclude an ip from the subnet defined as prefix-list in firewall filter

    Posted 07-19-2019 08:15

    Hi, I have already configured a firewall filter on subnet "115.189.245.64/28" by defining it as prefix list "xyz" in the filter "cc-out". I want to exclude IP (115.189.245.78/28) from that prefix list and want this server to be accessible by only two IPs (210.250.190.190/32) and (210.250.190.211/32). The current filter allows access to the servers in that subnet from many IPs, but I want to restrict access to this one (115.189.245.78/28) to only the two IPs (210.250.190.190/32) and (210.250.190.211/32).

    Please find below the config of the existing filter, and kindly tell me how and where I can add the new term for this server (115.189.245.78/28) without impacting the existing filter:

     

    set groups AA:BB interfaces <*> unit 98 description "aa"
    set groups AA:BB interfaces <*> unit 98 family inet mtu 1500
    set groups AA:BB interfaces <*> unit 98 family inet filter output cc-out
    set groups AA:BB interfaces <*> unit 98 family inet address 115.189.245.65/28
    set groups AA:BB policy-options prefix-list xyz 115.189.245.64/28
    set groups AA:BB firewall family inet filter cc-out term accept-mgmt from source-prefix-list management
    set groups AA:BB firewall family inet filter cc-out term accept-mgmt then accept
    set groups AA:BB firewall family inet filter cc-out term accept-icmp from destination-prefix-list xyz
    set groups AA:BB firewall family inet filter cc-out term accept-icmp from protocol icmp
    set groups AA:BB firewall family inet filter cc-out term accept-icmp then policer management-5m
    set groups AA:BB firewall family inet filter cc-out term accept-icmp then accept
    set groups AA:BB firewall family inet filter cc-out term accept-http from destination-prefix-list xyz
    set groups AA:BB firewall family inet filter cc-out term accept-http from protocol tcp
    set groups AA:BB firewall family inet filter cc-out term accept-http from destination-port http
    set groups AA:BB firewall family inet filter cc-out term accept-http from destination-port https
    set groups AA:BB firewall family inet filter cc-out term accept-http then accept
    set groups AA:BB firewall family inet filter cc-out term last then discard

     



  • 2.  RE: How to exclude an ip from the subnet defined as prefix-list in firewall filter
    Best Answer

     
    Posted 07-19-2019 10:16

    Please add two more terms in front of accept-icmp.

     

    set groups AA:BB firewall family inet filter cc-out term accept-icmp-78-server from source-address 210.250.190.190/32
    set groups AA:BB firewall family inet filter cc-out term accept-icmp-78-server from source-address 210.250.190.211/32
    set groups AA:BB firewall family inet filter cc-out term accept-icmp-78-server from destination-address 115.189.245.78/32
    set groups AA:BB firewall family inet filter cc-out term accept-icmp-78-server from protocol icmp
    set groups AA:BB firewall family inet filter cc-out term accept-icmp-78-server then accept
    set groups AA:BB firewall family inet filter cc-out term reject-icmp-78-server from destination-address 115.189.245.78/32
    set groups AA:BB firewall family inet filter cc-out term reject-icmp-78-server from protocol icmp
    set groups AA:BB firewall family inet filter cc-out term reject-icmp-78-server then reject
    set groups AA:BB firewall family inet filter cc-out term accept-icmp from destination-prefix-list xyz
    set groups AA:BB firewall family inet filter cc-out term accept-icmp from protocol icmp
    set groups AA:BB firewall family inet filter cc-out term accept-icmp then policer management-5m
    set groups AA:BB firewall family inet filter cc-out term accept-icmp then accept
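
    The following is an added example (not part of the original thread) that models Junos first-match term evaluation in Python to show why the two new terms must sit in front of accept-icmp: traffic to .78 is decided before the broader prefix-list term sees it. The contents of the "management" prefix list are not given in the thread, so a documentation range is assumed; the model also shows that the unchanged accept-http term still accepts TCP 80/443 to .78 from any source, so the same pattern would be needed for TCP if that access is meant to be restricted too.

```python
import ipaddress

# Simplified model of Junos first-match firewall-filter evaluation (example
# code, not from the post). A term matches when every "from" condition it
# carries is met; the first matching term's "then" action decides the packet.
PREFIX_LISTS = {"xyz": ["115.189.245.64/28"], "management": ["192.0.2.0/24"]}  # management contents assumed
PORTS = {"http": 80, "https": 443}

def _in_any(ip, prefixes):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(p) for p in prefixes)

def _lists(names):
    return [p for n in names for p in PREFIX_LISTS[n]]

def term_matches(term, pkt):
    checks = {
        "source-address": lambda v: _in_any(pkt["src"], v),
        "destination-address": lambda v: _in_any(pkt["dst"], v),
        "source-prefix-list": lambda v: _in_any(pkt["src"], _lists(v)),
        "destination-prefix-list": lambda v: _in_any(pkt["dst"], _lists(v)),
        "protocol": lambda v: pkt["proto"] in v,
        "destination-port": lambda v: pkt.get("dport") in [PORTS[p] for p in v],
    }
    return all(checks[k](v) for k, v in term["from"].items())

def evaluate(terms, pkt):
    # Returns (term name, action) of the first matching term; a filter with no
    # matching term ends in the implicit Junos discard.
    for name, term in terms:
        if term_matches(term, pkt):
            return name, term["then"]
    return "implicit", "discard"

ORIGINAL = [  # the filter as posted in the question
    ("accept-mgmt", {"from": {"source-prefix-list": ["management"]}, "then": "accept"}),
    ("accept-icmp", {"from": {"destination-prefix-list": ["xyz"], "protocol": ["icmp"]}, "then": "accept"}),
    ("accept-http", {"from": {"destination-prefix-list": ["xyz"], "protocol": ["tcp"],
                              "destination-port": ["http", "https"]}, "then": "accept"}),
    ("last", {"from": {}, "then": "discard"}),
]
# The two terms from the answer above, inserted in front of accept-icmp.
NEW_TERMS = [
    ("accept-icmp-78-server", {"from": {"source-address": ["210.250.190.190/32", "210.250.190.211/32"],
                                        "destination-address": ["115.189.245.78/32"],
                                        "protocol": ["icmp"]}, "then": "accept"}),
    ("reject-icmp-78-server", {"from": {"destination-address": ["115.189.245.78/32"],
                                        "protocol": ["icmp"]}, "then": "reject"}),
]
MODIFIED = ORIGINAL[:1] + NEW_TERMS + ORIGINAL[1:]
```

Packets are plain dicts with src, dst, proto and an optional dport; run evaluate(MODIFIED, pkt) and evaluate(ORIGINAL, pkt) side by side to see which term now decides each flow.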



  • 3.  RE: How to exclude an ip from the subnet defined as prefix-list in firewall filter

    Posted 07-19-2019 10:28

    Awesome, it works. Thank you for your kind help.

    Really appreciate it 🙂