Hi all,
I'm trying to understand how outbound filters work when applied to an interface, in this case ge-0/0/14.0. The filter below works; I'm just confused how.
Scenario
- Client from 10.2.20.0/24 range connects to the Proxy Server on 172.16.0.10:3128
- Proxy Server connects to 10.2.20.6 for DNS lookup
- Proxy Server requests http or https
Question
For the term proxy-to-dns, why isn't the source address 172.16.0.10 and the destination 10.2.20.6 (port domain), since the Proxy Server (172.16.0.10) is communicating with the DNS (10.2.20.6)?
Filter
filter DMZ-out {
    term proxy-clients {
        from {
            source-address {
                10.2.20.0/24;
            }
            destination-address {
                172.16.0.10/32;
            }
            destination-port [ 3128 ssh ];
        }
        then accept;
    }
    term proxy-to-dns {
        from {
            source-address {
                10.2.20.6/32;
            }
            destination-address {
                172.16.0.10/32;
            }
            source-port domain;
        }
        then accept;
    }
    term proxy-to-web {
        from {
            destination-address {
                172.16.0.10/32;
            }
            source-port [ http https ];
        }
        then accept;
    }
}
Applied to interface
ge-0/0/14 {
    unit 0 {
        description DMZ;
        family inet {
            filter {
                output DMZ-out;
            }
            address 172.16.0.254/24;
        }
    }
}
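
An added example, not part of the original post: a small Python model of DMZ-out as a stateless output filter, which only sees packets leaving ge-0/0/14.0 toward the DMZ, so the packet that reaches proxy-to-dns is the DNS reply (source 10.2.20.6, source port 53), not the proxy's query. The function names, the sample packets and the rule that only traffic destined for 172.16.0.0/24 egresses this interface are assumptions made for illustration; protocol matching is left out because the filter does not specify one.

```python
import ipaddress

PORTS = {"ssh": 22, "domain": 53, "http": 80, "https": 443}  # port names used in the filter
DMZ_NET = "172.16.0.0/24"  # subnet of ge-0/0/14.0 (address 172.16.0.254/24)

# Terms of DMZ-out as posted; a key that is absent means "any".
DMZ_OUT = [
    ("proxy-clients", {"src": "10.2.20.0/24", "dst": "172.16.0.10/32", "dport": [3128, "ssh"]}),
    ("proxy-to-dns", {"src": "10.2.20.6/32", "dst": "172.16.0.10/32", "sport": ["domain"]}),
    ("proxy-to-web", {"dst": "172.16.0.10/32", "sport": ["http", "https"]}),
]

def in_net(addr, prefix):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)

def term_matches(pkt, match):
    # Conditions inside one "from" are ANDed; values inside one condition are ORed.
    for field in ("src", "dst"):
        if field in match and not in_net(pkt[field], match[field]):
            return False
    for field in ("sport", "dport"):
        if field in match and pkt[field] not in {PORTS.get(p, p) for p in match[field]}:
            return False
    return True

def output_filter(pkt):
    """Verdict of 'output DMZ-out' on ge-0/0/14.0 for one packet (stateless)."""
    # Assumption: only traffic routed to the connected DMZ subnet leaves this interface.
    if not in_net(pkt["dst"], DMZ_NET):
        return "not-evaluated"  # packet is not egressing toward the DMZ
    for name, match in DMZ_OUT:
        if term_matches(pkt, match):
            return name  # first matching term wins; every term here is "then accept"
    return "discard"  # implicit default when no term matches

def pkt(src, sport, dst, dport):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport}

# Constructed sample packets (ephemeral ports and 203.0.113.5 are made up).
SAMPLES = {
    "client -> proxy": pkt("10.2.20.50", 40000, "172.16.0.10", 3128),
    "proxy -> dns (query)": pkt("172.16.0.10", 51000, "10.2.20.6", 53),
    "dns -> proxy (reply)": pkt("10.2.20.6", 53, "172.16.0.10", 51000),
    "web -> proxy (reply)": pkt("203.0.113.5", 443, "172.16.0.10", 52000),
    "other -> proxy": pkt("203.0.113.5", 40000, "172.16.0.10", 8080),
}

if __name__ == "__main__":
    for label, p in SAMPLES.items():
        print(f"{label:22} {output_filter(p)}")
```

Because the match is stateless, proxy-to-dns and proxy-to-web accept on source port alone and do not confirm that the proxy actually sent a matching request.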