Switching

  • 1.  CoS; ethernet-switching firewall filter; source port and not destination port ?

    Posted 04-04-2016 16:45

    Hi community,

    At http://www.juniper.net/techpubs/en_US/junos12.3/topics/example/cos-ex-series-configuring.html, I couldn't help noticing that the ethernet-switching family firewall filter rule-set marks SOURCE PORTS as the match condition for services.

    This doesn't make sense from the perspective of networking theory.

    It should be: a locally random 5-digit port is the SOURCE PORT, and the DESTINATION PORT is what the article is specifying to match on.  I.e. an app server listens on SMTP (TCP port 25).  This is a DESTINATION PORT.  Yet the firewall ruleset to match and place in different CoS hardware queues is configured for SOURCE PORT.


    Confused.. ?



  • 2.  RE: CoS; ethernet-switching firewall filter; source port and not destination port ?

    Posted 04-06-2016 03:42

    In the example you cite, the filters in question are written to capture the traffic from the SERVERS to the clients.  Your note above describes the port situation from the CLIENT to the server.  That is why the ports are reversed from what you expect.



  • 3.  RE: CoS; ethernet-switching firewall filter; source port and not destination port ?

    Posted 04-06-2016 05:17

    Hmm.. Makes sense.

    And I guess UDP, being stateless, doesn't follow this principle?

    Which is why.. citing the same KB example.. a voip phone.. is having its media traffic matched.. Which should technically be firing this 2698 UDP traffic to a server.  (This is the reverse direction then.. from the prior port of the app server).

    Yet, once again, SOURCE-PORT is used to match.. ?




  • 4.  RE: CoS; ethernet-switching firewall filter; source port and not destination port ?
    Best Answer

    Posted 04-06-2016 15:46

    The whole firewall filter setup in Junos is stateless and not session based like security policies.  So you create the match conditions that make sense for the particular application.


    a voip phone.. is having its media traffic matched.. Which should technically be firing
    this 2698 UDP traffic to a server. (This is the reverse direction then.. from the prior
    port of the app server).

    In this particular case you cite, the VOIP UDP stream uses a fixed port on the phone side and a random port range on the PBX side to make the stream connection.  Thus this filter also uses source port to correctly classify the traffic.
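The two answers above (post 2 on why the SMTP filter matches source-port 25, post 4 on why stateless filters need direction-specific terms and why the VoIP term also uses source-port) can be checked with a small model of a first-match, stateless filter. This is an added example, not code from the thread or from Juniper: ports 25 and 2698 come from the discussion, while the ephemeral client port, the PBX-side port, the term names and the forwarding-class names are assumptions chosen for illustration.

```python
# Added example (not from the thread or Juniper docs): a minimal model of a
# stateless, first-match firewall filter, used to show why a filter that sits
# on the server side of a switch matches on source-port while one on the
# client side matches on destination-port.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    protocol: str   # "tcp" or "udp"
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Term:
    """One filter term: every 'from' condition that is set must match."""
    name: str
    forwarding_class: str
    protocol: Optional[str] = None
    source_port: Optional[int] = None
    destination_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.source_port is not None and pkt.src_port != self.source_port:
            return False
        if self.destination_port is not None and pkt.dst_port != self.destination_port:
            return False
        return True


def classify(terms: List[Term], pkt: Packet, default: str = "best-effort") -> str:
    """Stateless classification: each packet is judged on its own header,
    the first matching term wins, and no session table is consulted."""
    for term in terms:
        if term.matches(pkt):
            return term.forwarding_class
    return default


# Assumed values: an ephemeral client port, and a PBX-side RTP port picked from
# a random range. Ports 25 and 2698 are the ones discussed in the thread.
CLIENT_EPHEMERAL = 51234
PBX_RANDOM_PORT = 16402
PHONE_RTP_PORT = 2698

# Filter applied where SMTP *server* traffic enters the switch: packets leaving
# the server carry 25 as their SOURCE port.
SERVER_SIDE_FILTER = [
    Term("smtp-from-server", "expedited-forwarding", protocol="tcp", source_port=25),
]
# Same intent on the *client* side of the switch: here the server port is the
# DESTINATION port.
CLIENT_SIDE_FILTER = [
    Term("smtp-to-server", "expedited-forwarding", protocol="tcp", destination_port=25),
]
# Filter on the phone's access port: the phone's RTP port is fixed, the PBX
# side is random, so only the source port is usable as a match condition.
PHONE_SIDE_FILTER = [
    Term("rtp-from-phone", "expedited-forwarding", protocol="udp", source_port=PHONE_RTP_PORT),
]


def smtp_classification() -> Dict[str, str]:
    """Classify both directions of one SMTP exchange with both filters."""
    server_to_client = Packet("tcp", src_port=25, dst_port=CLIENT_EPHEMERAL)
    client_to_server = Packet("tcp", src_port=CLIENT_EPHEMERAL, dst_port=25)
    return {
        "server->client, source-port term": classify(SERVER_SIDE_FILTER, server_to_client),
        "server->client, destination-port term": classify(CLIENT_SIDE_FILTER, server_to_client),
        "client->server, source-port term": classify(SERVER_SIDE_FILTER, client_to_server),
        "client->server, destination-port term": classify(CLIENT_SIDE_FILTER, client_to_server),
    }


def voip_classification() -> Dict[str, str]:
    """Classify both directions of the RTP stream with the phone-side filter."""
    phone_to_pbx = Packet("udp", src_port=PHONE_RTP_PORT, dst_port=PBX_RANDOM_PORT)
    pbx_to_phone = Packet("udp", src_port=PBX_RANDOM_PORT, dst_port=PHONE_RTP_PORT)
    return {
        "phone->pbx": classify(PHONE_SIDE_FILTER, phone_to_pbx),
        "pbx->phone": classify(PHONE_SIDE_FILTER, pbx_to_phone),
    }


if __name__ == "__main__":
    for label, fc in {**smtp_classification(), **voip_classification()}.items():
        print(f"{label:40} -> {fc}")
```

Running it shows the point of both answers: the source-port 25 term only classifies server-to-client packets and the destination-port 25 term only client-to-server packets, and the phone-side source-port 2698 term classifies the phone-to-PBX stream but not the return stream, which a stateful session policy would have covered from a single rule. With stateless filters, the attachment point and traffic direction decide which port field is the right match condition.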