Hello all -- trying to restrict devices on a vlan/subnet to only DNS queries and HTTPS. Don't want the rest of the network accessing said subnet. Just want DNS queries to our local DNS servers - who then forward the responses over... then HTTPS connections out.
So far I have this as a filter (see below). An NSLOOKUP to a public website times out. A Wireshark on the client shows only the requests from the client - no traffic being returned. And incidentally, none of my FF counters show anything at all - you would assume the reject counter would increment at least (??). Using the "domain" protocol keyword in Junos did nothing different either - I thought to separate it via UDP and TCP.
The filter is set as an output filter on the IRB (vlan) interface of our building core switch as shown (EX 4300)... any help would be appreciated! Thanks... Dennis
unit 23 {
    description "US Credit Subnet";
    family inet {
        filter {
            output CREDIT-RESTRICT;
        }
        address 10.2.3.1/24;
    }
}
*************************************************************************
filter CREDIT-RESTRICT {
    term DNS-UDP {
        from {
            source-prefix-list {
                CREDIT-NETS;
            }
            protocol udp;
            destination-port 53;
        }
        then {
            count CREDIT-COUNT-DNS-UDP;
            accept;
        }
    }
    term DNS-TCP {
        from {
            source-prefix-list {
                CREDIT-NETS;
            }
            protocol tcp;
            destination-port 53;
        }
        then {
            count CREDIT-COUNT-DNS-TCP;
            accept;
        }
    }
    term HTTPS {
        from {
            source-prefix-list {
                CREDIT-NETS;
            }
            destination-port https;
        }
        then {
            count CREDIT-COUNT-HTTPS;
            accept;
        }
    }
    term REJECT {
        from {
            source-prefix-list {
                CREDIT-NETS;
            }
        }
        then {
            count CREDIT-COUNT-REJECT;
            discard;
        }
    }
}
------------------------------
DENNIS TOPO
------------------------------
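Added example (not from Dennis's post or from Junos): a small Python model of the four posted terms, evaluated against constructed packets in each direction the IRB filter can see. It assumes the CREDIT-NETS prefix list holds 10.2.3.0/24 and uses made-up server and client addresses; it shows why an output filter on irb.23, which sees replies heading into the VLAN (server as source), matches no term, falls into the silent implicit discard and moves no counter.

```python
import ipaddress
from collections import Counter

# Assumed contents of the CREDIT-NETS prefix list (the post only shows its name).
CREDIT_NETS = [ipaddress.ip_network("10.2.3.0/24")]

# The four posted terms: (name, extra match fields, action). None = "any".
# Every term also requires source-prefix-list CREDIT-NETS.
TERMS = [
    ("DNS-UDP", {"proto": "udp", "dport": 53},   "accept"),
    ("DNS-TCP", {"proto": "tcp", "dport": 53},   "accept"),
    ("HTTPS",   {"proto": None,  "dport": 443},  "accept"),
    ("REJECT",  {"proto": None,  "dport": None}, "discard"),
]

def in_credit_nets(addr):
    return any(ipaddress.ip_address(addr) in net for net in CREDIT_NETS)

def evaluate(pkt, counters):
    """First matching term wins and its counter increments; if nothing matches,
    the implicit final term discards silently and no counter moves."""
    if in_credit_nets(pkt["src"]):
        for name, match, action in TERMS:
            if match["proto"] is not None and match["proto"] != pkt["proto"]:
                continue
            if match["dport"] is not None and match["dport"] != pkt["dport"]:
                continue
            counters["CREDIT-COUNT-" + name] += 1
            return action
    return "discard"  # implicit default term: silent, no counter

def apply_filter(packets):
    counters = Counter()
    actions = {p["desc"]: evaluate(p, counters) for p in packets}
    return actions, dict(counters)

# Constructed packets. An OUTPUT filter on irb.23 sees traffic leaving the IRB
# into the VLAN, i.e. the replies: source is the DNS/web server, not the client.
REPLIES_INTO_VLAN = [
    {"desc": "dns-reply", "src": "10.2.0.53",  "proto": "udp", "dport": 40000},
    {"desc": "tls-reply", "src": "192.0.2.10", "proto": "tcp", "dport": 51000},
]
# An INPUT filter on irb.23 would instead see the clients' own requests.
REQUESTS_FROM_VLAN = [
    {"desc": "dns-query",  "src": "10.2.3.50", "proto": "udp", "dport": 53},
    {"desc": "tls-client", "src": "10.2.3.50", "proto": "tcp", "dport": 443},
    {"desc": "smb-client", "src": "10.2.3.50", "proto": "tcp", "dport": 445},
]
```

Running `apply_filter(REPLIES_INTO_VLAN)` discards both replies with empty counters, which is the symptom in the post; `apply_filter(REQUESTS_FROM_VLAN)` accepts the DNS and HTTPS requests and sends SMB to the REJECT counter.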