Hello all... somewhat new to Junos and definitely with firewall filters. I want to achieve a couple of basic things in regards to an isolated VLAN/subnet I have here.
One is... in term 1... allow DNS, DHCP, NTP, LDAP, HTTP/S, etc. for the devices living on VLAN 2222.
Second is, allow only my station (located on another VLAN) to be able to ping and SSH to devices on said VLAN.
Then... reject everything else.
The filter is created on a 4300 building "core" switch... the subsequent "access" switches (EX3300s) are trunked off of that. All is well connectivity-wise. When I apply the filter (inbound) to the irb interface on the 4300, I cannot SSH or ping the devices that live on VLAN 2222.
I've done quite a bit of googling and testing, to no avail -- it should not be this hard! Can somebody enlighten me as to what I'm doing wrong? Do I need to write terms for the return traffic as well, since this is stateless? Below is my filter.
Appreciate any help.
root@Upper_School_Core# run show configuration firewall
family inet {
    filter FROMG33LAB {
        term 1 {
            from {
                destination-port [ domain http https ntp ldap dhcp ];
            }
            then accept;
        }
        term 2 {
            from {
                source-address {
                    10.2.12.60/32;
                }
                protocol tcp;
                destination-port ssh;
            }
            then accept;
        }
        term 3 {
            from {
                source-address {
                    10.2.12.60/32;
                }
                icmp-type [ echo-reply echo-request ];
            }
            then accept;
        }
        term 20 {
            then {
                reject;
            }
        }
    }
}

Apply filter:
set interfaces irb unit 2222 family inet filter input FROMG33LAB
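To make the stateless behaviour the post asks about concrete, here is an added example that is not part of the post and not Junos code: a small Python model of how a Junos firewall filter walks its terms (first match wins, implicit discard at the end) applied to the posted FROMG33LAB. A filter applied `input` on irb.2222 only evaluates packets that hosts on VLAN 2222 send toward the switch, so the station's outbound SSH SYN and echo-request never pass through it; the device's SYN/ACK and echo-reply do, and they carry the device's address as source. The device address 10.2.22.10, the DNS server 10.2.1.5, the ephemeral port, and the two extra terms 4 and 5 (one possible way to admit return traffic, using the real Junos `tcp-established` match) are assumptions made for the example.

```python
"""Model of Junos stateless firewall-filter evaluation (added example, not the
poster's configuration and not Junos code). It re-implements match/accept/reject
in Python so both directions of an SSH session can be traced through the terms.
Constructed values: device 10.2.22.10, DNS server 10.2.1.5, ephemeral port 51512.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Junos well-known port names used by the posted filter
PORTS = {"domain": 53, "http": 80, "https": 443, "ntp": 123,
         "ldap": 389, "dhcp": 67, "ssh": 22}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""
    ack: bool = False           # TCP ACK flag (set on every segment after the SYN)


@dataclass
class Term:
    name: str
    action: str                                      # "accept" or "reject"
    source_address: list = field(default_factory=list)
    destination_address: list = field(default_factory=list)
    protocol: set = field(default_factory=set)
    destination_port: set = field(default_factory=set)
    icmp_type: set = field(default_factory=set)
    tcp_established: bool = False                    # Junos 'tcp-established' match

    def matches(self, pkt: Packet) -> bool:
        """All configured 'from' conditions must hold; an absent condition is a wildcard."""
        if self.source_address and not any(
                ip_address(pkt.src) in ip_network(p) for p in self.source_address):
            return False
        if self.destination_address and not any(
                ip_address(pkt.dst) in ip_network(p) for p in self.destination_address):
            return False
        if self.protocol and pkt.proto not in self.protocol:
            return False
        if self.destination_port and pkt.dport not in {PORTS[n] for n in self.destination_port}:
            return False
        if self.icmp_type and pkt.icmp_type not in self.icmp_type:
            return False
        if self.tcp_established and not (pkt.proto == "tcp" and pkt.ack):
            return False
        return True


def evaluate(terms, pkt):
    """First matching term wins, as on Junos; no match at all is the implicit discard."""
    for term in terms:
        if term.matches(pkt):
            return term.name, term.action
    return "implicit", "discard"


# The filter as posted. Applied 'input' on irb.2222 it only sees packets that
# devices on VLAN 2222 send toward the rest of the network.
FROMG33LAB = [
    Term("1", "accept", destination_port={"domain", "http", "https", "ntp", "ldap", "dhcp"}),
    Term("2", "accept", source_address=["10.2.12.60/32"], protocol={"tcp"}, destination_port={"ssh"}),
    Term("3", "accept", source_address=["10.2.12.60/32"], icmp_type={"echo-reply", "echo-request"}),
    Term("20", "reject"),
]

# Assumed extension (not from the post): admit established TCP and echo replies
# heading back to the station, before the catch-all reject.
WITH_RETURN_TERMS = FROMG33LAB[:3] + [
    Term("4", "accept", destination_address=["10.2.12.60/32"], protocol={"tcp"}, tcp_established=True),
    Term("5", "accept", destination_address=["10.2.12.60/32"], protocol={"icmp"}, icmp_type={"echo-reply"}),
    FROMG33LAB[3],
]

# Constructed packets as seen by the input filter on irb.2222 (source is the device).
SSH_SYN_ACK = Packet("10.2.22.10", "10.2.12.60", "tcp", sport=22, dport=51512, ack=True)
ECHO_REPLY = Packet("10.2.22.10", "10.2.12.60", "icmp", icmp_type="echo-reply")
DNS_QUERY = Packet("10.2.22.10", "10.2.1.5", "udp", sport=40000, dport=53)

if __name__ == "__main__":
    for label, pkt in (("SSH SYN/ACK to station", SSH_SYN_ACK),
                       ("echo-reply to station", ECHO_REPLY),
                       ("DNS query from device", DNS_QUERY)):
        print(f"{label:24} posted: {evaluate(FROMG33LAB, pkt)}  "
              f"with return terms: {evaluate(WITH_RETURN_TERMS, pkt)}")
```

Running it shows the device's SSH SYN/ACK and echo-reply falling through to term 20 in the posted filter, while the DNS query is accepted by term 1; with the two assumed return-traffic terms both replies are accepted. On real Junos, `tcp-established` matches segments with the ACK (or RST) flag set, which is the model's `ack` check; a port match without a `protocol` qualifier, as in term 1, also matches any transport whose port field happens to line up, so it is worth pairing ports with `protocol tcp` or `protocol udp`.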