Routing
Trusted Contributor
SapphireNET
Posts: 154
Registered: ‎03-27-2008
0
Accepted Solution

IPv6 Firewall Filters

Hi all

 

We are preparing for a dual stack deployment of IPv4/IPv6 and are in the process of converting some IPv4 firewall filters into their IPv6 equivalent.

 

My question is how do I do something like:

 

term T1 {
    from {
        source-address x/x;
        protocol tcp;
        port 22;
    }
    then accept;
}

 

The protocol keyword doesn't seem to be available in the IPv6 filter? Yet as far as I am aware TCP and UDP both run as normal on top of IPv6?

 

Ideas?

JNCIS-M, JNCIS-SEC
Trusted Contributor
dsinn
Posts: 23
Registered: ‎10-16-2008
0

Re: IPv6 Firewall Filters

[ Edited ]

This is because there isn't a protocol identifier in the IP part of IPv6, just a next-header pointer. Therefore the firewall filter operates by looking for the appropriate next-header:

term ssh {
    from {
        source-prefix-list {
            inet6-mgmt-hosts;
        }
        next-header tcp;
        port ssh;
    }
    then accept;
}

Hope that helps!
David
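The point David makes is worth seeing on the wire. The IPv6 fixed header has no protocol field; its Next Header byte names whatever comes next, which may be TCP directly or an extension header (Hop-by-Hop Options, Destination Options, Fragment, AH, Routing) that in turn carries its own Next Header byte. A match on the first next-header value therefore sees the extension header's type, not TCP, whenever one is present, and the transport ports only become visible after walking the whole chain. The script below is an added example, not code from this thread or from Juniper: it builds two constructed packets (a TCP SYN to port 22, with and without a Hop-by-Hop Options header in front of it), walks the next-header chain the way a packet parser must, and compares that with what a first-next-header match sees. Addresses come from the 2001:db8::/32 documentation prefix.

```python
# Added example for this thread (not Juniper's code and not from the
# original posts): why IPv6 has no "protocol" field and what a match on
# the first next-header does or does not see. Packets below are
# constructed inline; nothing is read from the network.
import struct

IPPROTO_HOPOPTS = 0      # Hop-by-Hop Options extension header
IPPROTO_TCP = 6
IPPROTO_ROUTING = 43
IPPROTO_FRAGMENT = 44
IPPROTO_AH = 51
IPPROTO_DSTOPTS = 60
EXT_HEADERS = {IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_FRAGMENT,
               IPPROTO_AH, IPPROTO_DSTOPTS}


def build_ipv6(src, dst, upper_proto, upper_hdr, ext_headers=()):
    """Build a minimal IPv6 packet: fixed header, optional options
    extension headers (type 0 or 60 with raw option bytes), then the
    upper-layer header. Each extension header carries the Next Header
    value of whatever follows it, which is the chain a filter must walk."""
    nxt = upper_proto
    ext_blob = b""
    for hdr_type, opts in reversed(list(ext_headers)):
        # pad with Pad1 (0x00) options so the header is a multiple of 8 octets
        body = opts + b"\x00" * ((-(2 + len(opts))) % 8)
        hdr_ext_len = (2 + len(body)) // 8 - 1   # 8-octet units, not counting the first
        ext_blob = struct.pack("!BB", nxt, hdr_ext_len) + body + ext_blob
        nxt = hdr_type
    payload = ext_blob + upper_hdr
    # version 6, traffic class 0, flow label 0; hop limit 64
    fixed = struct.pack("!IHBB", 0x60000000, len(payload), nxt, 64) + src + dst
    return fixed + payload


def walk_next_headers(pkt):
    """Return (first_next_header, extension_chain, upper_proto, upper_offset).
    upper_offset is None for a non-first fragment, whose upper-layer
    header is not present in this packet at all."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt = pkt[6]            # Next Header field of the fixed header
    first = nxt
    off = 40
    chain = []
    while nxt in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        chain.append(nxt)
        following = pkt[off]   # every extension header starts with Next Header
        if nxt == IPPROTO_FRAGMENT:
            hdr_len = 8
            frag_field = struct.unpack("!H", pkt[off + 2:off + 4])[0]
            if frag_field >> 3 != 0:       # fragment offset != 0: no L4 header here
                return first, chain, following, None
        elif nxt == IPPROTO_AH:
            hdr_len = (pkt[off + 1] + 2) * 4   # AH length is in 4-octet units
        else:
            hdr_len = (pkt[off + 1] + 1) * 8   # Hdr Ext Len in 8-octet units
        nxt = following
        off += hdr_len
    return first, chain, nxt, off


def tcp_dst_port(pkt):
    """Destination port of the TCP header reached by walking the chain,
    or None when the packet does not carry a complete TCP header."""
    _, _, proto, off = walk_next_headers(pkt)
    if proto != IPPROTO_TCP or off is None or off + 20 > len(pkt):
        return None
    return struct.unpack("!H", pkt[off + 2:off + 4])[0]


def matches_first_next_header(pkt, proto):
    """What a match on the first next-header value alone sees."""
    return pkt[6] == proto


# Constructed sample packets: a TCP SYN to port 22, with and without a
# Hop-by-Hop Options header (one PadN option) in front of it.
SRC = bytes.fromhex("20010db8000000000000000000000001")   # 2001:db8::1
DST = bytes.fromhex("20010db8000000000000000000000002")   # 2001:db8::2
TCP_SYN_22 = struct.pack("!HHIIBBHHH", 40000, 22, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
PLAIN_TCP = build_ipv6(SRC, DST, IPPROTO_TCP, TCP_SYN_22)
HBH_THEN_TCP = build_ipv6(SRC, DST, IPPROTO_TCP, TCP_SYN_22,
                          [(IPPROTO_HOPOPTS, b"\x01\x04\x00\x00\x00\x00")])

if __name__ == "__main__":
    for name, pkt in (("plain TCP", PLAIN_TCP), ("HBH then TCP", HBH_THEN_TCP)):
        first, chain, proto, off = walk_next_headers(pkt)
        print(f"{name}: first next-header={first} chain={chain} upper proto={proto} "
              f"tcp dst port={tcp_dst_port(pkt)} "
              f"first-next-header is tcp? {matches_first_next_header(pkt, IPPROTO_TCP)}")
```

Running it shows the plain packet with first next-header 6 (TCP) and the second with first next-header 0 (Hop-by-Hop), even though both carry an SSH SYN; only the chain walk reaches port 22 in the second case. Two practical consequences for the filter in David's reply: `next-header tcp` is a match on that first byte, so traffic with extension headers in front of TCP will not hit the `ssh` term and falls through to whatever follows (Junos also offers a `payload-protocol` match that looks at the final upper-layer protocol after the extension headers on platforms that support it; check the documentation for your release). Separately, `port ssh` matches either source or destination port, so `destination-port ssh` is the tighter equivalent of the original IPv4 intent.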

Trusted Contributor
SapphireNET
Posts: 154
Registered: ‎03-27-2008
0

Re: IPv6 Firewall Filters

Thank you very much

 

That makes perfect sense.

JNCIS-M, JNCIS-SEC
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.