
Handy Internet Interface JUNOS Firewall Filters

Posted by cooper on Sep 25, 2011 in g33k, juniper

Here are two handy firewall filters to apply to any Internet-facing interface on your JUNOS network device. Both end with an unconditional accept term: a JUNOS firewall filter discards every packet that no term matches, so without that final term the filter would drop all legitimate traffic as well.

BOGON List
– Apply as input on the Internet-facing interface.
– Also add any public address space you use inside your network: a packet arriving from the Internet with one of your own prefixes as its source address is spoofed and should be dropped as well (unless some of your prefixes legitimately reach this router from the Internet side, for example from another site of yours).
– Bogon ranges change over time; 0.0.0.0/8 is a common addition to the list below, so check it against the current IANA special-purpose address registry before deploying.

set firewall family inet filter BOGON-DENY term discard-bogon-net from source-address 10.0.0.0/8
set firewall family inet filter BOGON-DENY term discard-bogon-net from source-address 127.0.0.0/8
set firewall family inet filter BOGON-DENY term discard-bogon-net from source-address 169.254.0.0/16
set firewall family inet filter BOGON-DENY term discard-bogon-net from source-address 172.16.0.0/12
set firewall family inet filter BOGON-DENY term discard-bogon-net from source-address 192.0.0.0/24
set firewall family inet filter BOGON-DENY term discard-bogon-net from source-address 192.0.2.0/24
set firewall family inet filter BOGON-DENY term discard-bogon-net from source-address 192.168.0.0/16
set firewall family inet filter BOGON-DENY term discard-bogon-net from source-address 198.18.0.0/15
set firewall family inet filter BOGON-DENY term discard-bogon-net from source-address 198.51.100.0/24
set firewall family inet filter BOGON-DENY term discard-bogon-net from source-address 203.0.113.0/24
set firewall family inet filter BOGON-DENY term discard-bogon-net from source-address 224.0.0.0/3
set firewall family inet filter BOGON-DENY term discard-bogon-net then count BOGONS
set firewall family inet filter BOGON-DENY term discard-bogon-net then discard
set firewall family inet filter BOGON-DENY term allow-everything-else then accept

Private Address Reject
– Apply as output on the Internet-facing interface, so that traffic for RFC 1918 destinations never leaks to the Internet (it otherwise would, via the default route, whenever an internal route is missing).
– Unlike the bogon filter this term uses reject rather than discard: the internal sender gets an ICMP unreachable back, which makes the leak easy to spot when troubleshooting. Use discard instead if you would rather drop silently.

set firewall family inet filter PRIVATE-REJECT term reject-rfc-1918 from destination-address 10.0.0.0/8
set firewall family inet filter PRIVATE-REJECT term reject-rfc-1918 from destination-address 172.16.0.0/12
set firewall family inet filter PRIVATE-REJECT term reject-rfc-1918 from destination-address 192.168.0.0/16
set firewall family inet filter PRIVATE-REJECT term reject-rfc-1918 then count RFC-1918
set firewall family inet filter PRIVATE-REJECT term reject-rfc-1918 then reject
set firewall family inet filter PRIVATE-REJECT term allow-everything-else then accept
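As an added example (not from the original post), here is the same pair of filters written with prefix-lists, which keeps each term to one line and gives you a single place to maintain the ranges, followed by the interface application and the verification commands the post leaves out. The interface ge-0/0/0 unit 0 is an assumption, the MY-PUBLIC-SPACE entry is a placeholder for the prefixes you actually announce, and 0.0.0.0/8 is added to the post's list.

```junos
# Added example, not from the original post. Assumes the Internet-facing
# interface is ge-0/0/0 unit 0; the MY-PUBLIC-SPACE entry is a placeholder
# for the prefixes you announce; 0.0.0.0/8 is an addition to the post's list.
set policy-options prefix-list BOGONS 0.0.0.0/8
set policy-options prefix-list BOGONS 10.0.0.0/8
set policy-options prefix-list BOGONS 127.0.0.0/8
set policy-options prefix-list BOGONS 169.254.0.0/16
set policy-options prefix-list BOGONS 172.16.0.0/12
set policy-options prefix-list BOGONS 192.0.0.0/24
set policy-options prefix-list BOGONS 192.0.2.0/24
set policy-options prefix-list BOGONS 192.168.0.0/16
set policy-options prefix-list BOGONS 198.18.0.0/15
set policy-options prefix-list BOGONS 198.51.100.0/24
set policy-options prefix-list BOGONS 203.0.113.0/24
set policy-options prefix-list BOGONS 224.0.0.0/3
set policy-options prefix-list RFC1918 10.0.0.0/8
set policy-options prefix-list RFC1918 172.16.0.0/12
set policy-options prefix-list RFC1918 192.168.0.0/16
set policy-options prefix-list MY-PUBLIC-SPACE <your-public-prefix>

# Inbound: drop packets whose source is a bogon or one of our own prefixes
# (the latter can only be spoofed when it arrives from the Internet side).
set firewall family inet filter BOGON-DENY term discard-bogon-net from source-prefix-list BOGONS
set firewall family inet filter BOGON-DENY term discard-bogon-net from source-prefix-list MY-PUBLIC-SPACE
set firewall family inet filter BOGON-DENY term discard-bogon-net then count BOGONS
set firewall family inet filter BOGON-DENY term discard-bogon-net then discard
set firewall family inet filter BOGON-DENY term allow-everything-else then accept

# Outbound: never leak traffic for private destinations to the Internet.
set firewall family inet filter PRIVATE-REJECT term reject-rfc-1918 from destination-prefix-list RFC1918
set firewall family inet filter PRIVATE-REJECT term reject-rfc-1918 then count RFC-1918
set firewall family inet filter PRIVATE-REJECT term reject-rfc-1918 then reject
set firewall family inet filter PRIVATE-REJECT term allow-everything-else then accept

# A filter does nothing until it is applied to the interface.
set interfaces ge-0/0/0 unit 0 family inet filter input BOGON-DENY
set interfaces ge-0/0/0 unit 0 family inet filter output PRIVATE-REJECT
commit check
commit comment "anti-spoofing filters on Internet interface"

# Verify (the run prefix executes operational commands from configuration mode).
run show firewall filter BOGON-DENY
run show firewall filter PRIVATE-REJECT
run clear firewall all
```

Paste the set commands in configuration mode and watch the counters from operational mode; a BOGONS counter that climbs on a quiet link is a quick sign that someone is spoofing toward you. The prefix-lists can also be referenced from routing policy (from prefix-list BOGONS in a BGP import policy), so the same list serves the data plane and the control plane.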


Lame Network Joke

Posted by cooper on Sep 22, 2011 in g33k, humour

A TCP packet walks into a bar and says, “I want a beer.” The barman says, “You want a beer?” and the TCP packet says, “Yes, a beer.”

An RTP packet walks into a bar through the wrong entrance. The barman says, “You’re not getting any special treatment.”

A multicast packet walks into a bar and leaves by four different exits.

A BGP Update walks into a CRS-1. He walks back out with a corrupt optional transitive attribute.

A DNS packet walks into a liquor store: “Where do I find beer ‘ABC’?” Clerk: “Aisle 4, top row on the right.”

An IPv6 packet walks into a bar. Nobody talks to him.

A UDP packet went into a bar. The bartender didn’t acknowledge him…

An ICMP packet walks into a bar from the warehouse and announces, “No more beer.”

A DHCP packet walks into a bar and asks for a beer. The bartender says, “Here, but I’ll need that back in an hour!”


JUNOS Chassis Cluster Node Connectivity

Posted by cooper on Sep 11, 2011 in g33k, juniper

If you are stuck working on a JUNOS chassis cluster whose out-of-band management interface (fxp0) is not cabled, you need another way to reach a specific node and copy files to it. From the primary node you can copy files to, and log in to, the non-active node with the following methods.

To copy files or log in, JUNOS gives you these options:

Copy files from one node to another

Copy Method A, from the CLI:
> file copy /var/tmp/abc.log node1:/var/log/

Copy Method B, from the root shell (run the commands in order):
> start shell user root
% rcp -T /var/tmp/abc.log node1:/var/log/

Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB17410

Login from node0 to node1
The rlogin command below does not work on the SRX3000 and SRX5000 series (the 3k and 5k platforms). It is a shell command, so enter the shell first with "start shell user root":

% rlogin -Jk -T node1
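As an added example, not part of the original post: the full sequence for a cluster without fxp0 cabled, with a cluster status check before the copy and a confirmation afterwards. It assumes you are on node0 and need node1, and reuses the post's file name /var/tmp/abc.log. The final request routing-engine login command is an assumption on my part that it exists on your release; confirm with ? before relying on it.

```junos
# Added example, not from the original post. Assumes you are logged in to
# node0 and need to reach node1; /var/tmp/abc.log is the post's file name.

# 1. Check that both nodes are in the cluster and healthy before touching node1.
> show chassis cluster status

# 2. Copy the file across (CLI form; the rcp form from the post does the same).
> file copy /var/tmp/abc.log node1:/var/log/

# 3. Drop to the root shell, log in to node1, confirm the file arrived, come back.
> start shell user root
% rlogin -Jk -T node1
% ls -l /var/log/abc.log
% exit
% exit

# 4. On platforms where rlogin does not work (the post names the 3k and 5k),
#    the CLI login below is the alternative; its availability on your release
#    is an assumption, so check it with "request routing-engine login ?" first.
> request routing-engine login node 1
```

The status check matters because file copy and rlogin both go over the control link; if node1 shows as lost or disabled there, fix the cluster before expecting either command to succeed.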


Copyright © 2017 I-R-Coops Blog All rights reserved. Theme by Laptop Geek.