Junos OS

 View Only
last person joined: 2 days ago 

Ask questions and share experiences about Junos OS.

Self-contradicting Firewall Filters

  • 1.  Self-contradicting Firewall Filters

    Posted 11 days ago
    Normally when configuring firewall filters conflicting match conditions, for example 'port' and 'port-except' are not allowed.
    However, it appears to be possible to bypass this restriction and create a self-contradictory filter term by using a configuration group:

    This term says both to match and not match packets with port 5001.
    [edit firewall filter loop]
    xxx@icr01.xxxxx# show | display inheritance terse
    term 1 {
        from {
            port 5001; ## inherited from group '1'
            port-except 5001;
        }
        then {
            count 1;
            reject;
        }
    }​


    My question is: How is the device supposed to behave in this case, or is this left undefined?

    In my testing it appeared that the filter always matched packets with port 5001 (despite also saying not to) irrespective of whether the 'port' statement or 'port-except' statement was the inherited one, which seems to go against the typical behavior of the more specific config overriding the inherited one.

    Thanks



    ------------------------------
    Oliver Brown
    ------------------------------