Screen OS


What's the difference between 'port' and 'source-port or destination-port' in 'set firewall filter.....' command

  • 1.  What's the difference between 'port' and 'source-port or destination-port' in 'set firewall filter.....' command

    Posted 03-30-2023 20:02

    Consider I have a sample configuration like below and I want to convert it into an ACL:

    set firewall filter protocol-marking term snm from destination-prefix-list prefix-snm
    set firewall filter protocol-marking term snm from protocol udp
    set firewall filter protocol-marking term snm from port snmp
    set firewall filter protocol-marking term snm then accept

    I will understand the port is source or destination if the 'source-port' or 'destination-port' keyword is used, but how can I tell, when only the keyword 'port' is used, whether it is source or destination?

    The ACL conversion for the above will be:

    ip access-list protocol-marking
    permit udp any eq snmp 1.1.1.1/24

    or

    ip access-list protocol-marking
    permit udp any 1.1.1.1/24 eq snmp

    Thanks in advance.



    ------------------------------
    DINESH KUMAR PALANIVELU
    ------------------------------


  • 2.  RE: What's the difference between 'port' and 'source-port or destination-port' in 'set firewall filter.....' command

    Posted 03-30-2023 20:05

    With the port-only keyword the packet could match on either source or destination, so the direction of the traffic would not matter; it would still match the filter.



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: What's the difference between 'port' and 'source-port or destination-port' in 'set firewall filter.....' command

    Posted 04-04-2023 06:40

    Thanks. But it would be helpful to know which field in the packet will be matched against the condition, because there will be a source port field and a destination port field in the packet, I guess. Consider I am trying to convert that Juniper command having 'port' to an ACL. Does it look like any of the options below?

    1)

    ip access-list protocol-marking
    permit udp any eq snmp 1.1.1.1/24

    2)

    ip access-list protocol-marking
    permit udp any eq snmp 1.1.1.1/24

    3)

    ip access-list protocol-marking
    permit udp any eq snmp 1.1.1.1/24 eq snmp

    4)

    ip access-list protocol-marking
    permit udp any 1.1.1.1/24
    permit udp any eq snmp any eq snmp



    ------------------------------
    DINESH KUMAR PALANIVELU
    ------------------------------
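The following is an added example, not code from the thread or from Juniper. It models the semantic given in reply 2 (a plain 'port' match is satisfied by either the source or the destination port field, while 'source-port' and 'destination-port' each test exactly one field) and answers the conversion question in post 3 by expanding a term into ACL entries with the same match set, then checking both against constructed packets. The prefix-list is collapsed to the single prefix 1.1.1.1/24 from the thread, service names are a hand-written subset, the ACL syntax follows the Cisco-style lines in the thread, and the packets are constructed inputs.

```python
from dataclasses import dataclass
import ipaddress

# Service names -> port numbers (small subset, constructed for this example)
SERVICE_PORTS = {"snmp": 161, "snmp-trap": 162, "dns": 53, "ssh": 22}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Term:
    """One 'from ... then accept' term; the prefix-list is collapsed to a single prefix."""
    dst_prefix: str
    proto: str
    match_kind: str   # "port", "source-port" or "destination-port"
    port: int
    action: str = "accept"


def term_matches(term: Term, pkt: Packet) -> bool:
    """Evaluate the Junos term against one packet (semantic assumed as in reply 2)."""
    if pkt.proto != term.proto:
        return False
    if ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(term.dst_prefix, strict=False):
        return False
    if term.match_kind == "port":
        return term.port in (pkt.src_port, pkt.dst_port)   # EITHER L4 port field
    if term.match_kind == "source-port":
        return pkt.src_port == term.port
    if term.match_kind == "destination-port":
        return pkt.dst_port == term.port
    raise ValueError(f"unknown match kind {term.match_kind}")


def to_acl(name: str, term: Term) -> list:
    """Expand the term into first-match ACL entries covering the same packets."""
    verb = "permit" if term.action == "accept" else "deny"
    op = f"eq {term.port}"
    lines = [f"ip access-list {name}"]
    if term.match_kind == "port":
        # one Junos 'port' term needs TWO ACL entries: source port OR destination port
        lines.append(f"{verb} {term.proto} any {op} {term.dst_prefix}")
        lines.append(f"{verb} {term.proto} any {term.dst_prefix} {op}")
    elif term.match_kind == "source-port":
        lines.append(f"{verb} {term.proto} any {op} {term.dst_prefix}")
    else:
        lines.append(f"{verb} {term.proto} any {term.dst_prefix} {op}")
    return lines


def _take_port(tokens):
    """Consume an optional 'eq N' operator from the token list."""
    if tokens and tokens[0] == "eq":
        return int(tokens[1]), tokens[2:]
    return None, tokens


def _addr_ok(spec: str, ip: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def acl_matches(acl: list, pkt: Packet) -> bool:
    """First-match evaluation of the text produced by to_acl(); implicit deny at the end."""
    for entry in acl[1:]:
        verb, proto, src, *rest = entry.split()
        src_port, rest = _take_port(rest)
        dst, *rest = rest
        dst_port, rest = _take_port(rest)
        if proto != pkt.proto or not _addr_ok(src, pkt.src_ip) or not _addr_ok(dst, pkt.dst_ip):
            continue
        if src_port is not None and pkt.src_port != src_port:
            continue
        if dst_port is not None and pkt.dst_port != dst_port:
            continue
        return verb == "permit"
    return False


# Constructed inputs: the thread's term with each of the three match keywords
PORT_TERM = Term("1.1.1.1/24", "udp", "port", SERVICE_PORTS["snmp"])
DST_TERM = Term("1.1.1.1/24", "udp", "destination-port", SERVICE_PORTS["snmp"])
SRC_TERM = Term("1.1.1.1/24", "udp", "source-port", SERVICE_PORTS["snmp"])

# Constructed packets: an SNMP query, the reverse direction, a packet that merely
# uses 161 as its SOURCE port while targeting another service, and an off-prefix host
PKT_QUERY = Packet("10.0.0.5", "1.1.1.10", "udp", 40000, 161)
PKT_REPLY_STYLE = Packet("10.0.0.5", "1.1.1.10", "udp", 161, 40000)
PKT_SRC161_TO_SSH = Packet("10.0.0.5", "1.1.1.10", "udp", 161, 22)
PKT_OTHER_HOST = Packet("10.0.0.5", "2.2.2.2", "udp", 40000, 161)
SAMPLE_PACKETS = [PKT_QUERY, PKT_REPLY_STYLE, PKT_SRC161_TO_SSH, PKT_OTHER_HOST]


def acl_equivalent(term: Term, packets=SAMPLE_PACKETS) -> bool:
    """True when the expanded ACL decides every sample packet the same way as the term."""
    acl = to_acl("protocol-marking", term)
    return all(term_matches(term, p) == acl_matches(acl, p) for p in packets)


if __name__ == "__main__":
    print("\n".join(to_acl("protocol-marking", PORT_TERM)))
    for p in SAMPLE_PACKETS:
        print(p.src_port, "->", p.dst_port, "port:", term_matches(PORT_TERM, p),
              "destination-port:", term_matches(DST_TERM, p))
```

Running it prints the two-entry expansion of the 'port' term and shows the practical difference: PKT_SRC161_TO_SSH, a UDP packet whose source port happens to be 161 but whose destination port is 22, is accepted by the 'port' term and by neither of the single-field forms. That is why a filter meant to admit only SNMP queries toward the prefix is normally written with 'destination-port', and why a one-line ACL cannot represent a 'port' term: options 1 and 2 in post 3 each cover only half of it, and option 3 requires 161 in both fields at once.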