user@router> show configuration firewall family inet filter v4-in-loopback
term accept-bgp {
    from {
        source-prefix-list {
            bgp-peers;
        }
        protocol tcp;
        port bgp;
    }
    then accept;
}

user@router> show configuration policy-options prefix-list bgp-peers
apply-path "protocols bgp group <*> neighbor <*>";
This firewall filter punches holes only for the configured BGP peers: the apply-path expression expands to the address of every neighbor configured under protocols bgp group <*> neighbor <*>, so when you add a new neighbor there the prefix list, and therefore the filter term, is updated automatically. Matching on port bgp rather than destination-port bgp is deliberate: it matches whichever side opened the TCP session, since when the router is the active opener the inbound packets carry 179 as the source port. Very handy, and it keeps things locked down tightly with minimum management overhead.
It provides an additional layer of security on top of your security stanza configuration (zone host-inbound-traffic and policies). Just remember that the FW filter is processed before the security stanza configuration, so if you're troubleshooting BGP session problems you may need to add a counter and/or log action to the FW filter term to see whether the peer's packets are being accepted there at all.
NOTE: The FW filter shown must be applied as an input filter on lo0, and it will need additional terms or you'll break all other traffic trying to reach the RE (management, other routing protocols, ICMP), because a Junos filter ends with an implicit discard. If you're managing all other access using the security stanza you can probably get away with an "accept all" term at the end.
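As an added example (not from the original post), here is the filter above fleshed out into something you could actually commit: the BGP term gains a counter for troubleshooting, a second term logs and drops BGP connection attempts from anything not in the peer list, a management term admits SSH/HTTPS from an assumed mgmt-hosts prefix list (the 192.0.2.0/24 address is a placeholder, as are the counter names), a final accept-all term hands everything else to the security stanza, and the filter is applied on lo0. Only family inet is shown; IPv6 peers would need an equivalent family inet6 filter.

```junos
firewall {
    family inet {
        filter v4-in-loopback {
            /* BGP from configured peers only; port bgp matches either side opening the session */
            term accept-bgp {
                from {
                    source-prefix-list {
                        bgp-peers;
                    }
                    protocol tcp;
                    port bgp;
                }
                then {
                    count bgp-accepted;
                    accept;
                }
            }
            /* Unsolicited BGP from anything else: only inbound opens to our 179 can occur, so destination-port is enough */
            term deny-bgp {
                from {
                    protocol tcp;
                    destination-port bgp;
                }
                then {
                    count bgp-rejected;
                    log;
                    discard;
                }
            }
            /* Assumed management prefix list and services; substitute your own */
            term accept-mgmt {
                from {
                    source-prefix-list {
                        mgmt-hosts;
                    }
                    protocol tcp;
                    destination-port [ ssh https ];
                }
                then accept;
            }
            /* Everything else is left to the security stanza (host-inbound-traffic and policies) */
            term accept-rest {
                then accept;
            }
        }
    }
}
policy-options {
    prefix-list bgp-peers {
        apply-path "protocols bgp group <*> neighbor <*>";
    }
    /* Placeholder management network (documentation range) */
    prefix-list mgmt-hosts {
        192.0.2.0/24;
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input v4-in-loopback;
                }
            }
        }
    }
}
```

After committing, show configuration policy-options prefix-list bgp-peers | display inheritance shows the addresses the apply-path actually expanded to (a neighbor missing there means the filter never saw it), show firewall filter v4-in-loopback shows the two counters, and show firewall log lists the rejected attempts. Keep the log action on the deny term only: logging the accepted peer traffic fills the small in-memory log buffer with every BGP keepalive.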