SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Filters questions

    Posted 10-06-2019 10:27

    I'm particularly interested in knowing if the terms are proper.

    Each element has an accept and reject. Should it have one accept at the end for the whole filter? Will dropping the ipv6 traffic kill my connection? My connection is being dropped.

    Comments are appreciated.


    firewall {
        filter sipfilter {
            term 1 {
                from {
                    port 5060-5061;
                }
                then {
                    reject;
                }
            }
            term 2 {
                then accept;
            }
        }
        filter pack-filter1 {
            term 1 {
                from {
                    port 5060-5061;
                }
                then {
                    reject;
                }
            }
            term 2 {
                then accept;
            }
            term 3 {
                from {
                    prefix-list {
                        ipv62601;
                    }
                }
                then {
                    reject;
                }
            }
            term 4 {
                then accept;
            }
            term 5 {
                from {
                    prefix-list {
                        ipv62001;
                    }
                }
                then {
                    reject;
                }
            }
            term 6 {
                then accept;
            }
        }
        filter pack-filter2 {
            term 1 {
                from {
                    port 5060-5061;
                }
                then {
                    reject;
                }
            }
            term 2 {
                then accept;
            }
            term 3 {
                from {
                    prefix-list {
                        ipv62601;
                    }
                }
                then accept;
            }
        }
    }
    

     



  • 2.  RE: Filters questions
    Best Answer

    Posted 10-06-2019 10:45
    Since term 2 doesn't have a match condition, it will match and allow all the traffic, and the remaining terms are useless. I think your filter should be "family inet6" as you are working with ipv6 traffic.


  • 3.  RE: Filters questions

    Posted 10-06-2019 14:40

    Each element has an accept and reject. Should it have one accept at the end for the whole filter?

    All terms in a multi-term list are processed in order. Thus, if you have an accept-all or reject-all term, processing of that filter will stop at that point. So these final accept-all or reject-all terms are used only once and in the very last term position only.

     

    Will dropping the ipv6 traffic kill my connection?

    That would depend on the necessity of ipv6 for any particular use or application.

     

    But it seems like you are trying to apply ipv6 terms in an ipv4 filter. Remember that you configure both interfaces and firewall filters with a family hierarchy. So ipv4 interfaces and filters are set at family inet, and ipv6 filters and interfaces are configured under family inet6.

     



  • 4.  RE: Filters questions

    Posted 10-08-2019 06:32
    I did in fact use the inet and inet6 statements. That seems to have been my issue all along.

    Problem solved.
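
The first-match behaviour described in replies 2 and 3 can be checked mechanically. The following is an added example, not part of the original thread and not a Juniper tool: a small Python checker that parses curly-brace filter configuration and lists the terms placed after a term that has no `from` and an explicit `accept`, `reject` or `discard`. Assumptions: the sample input is constructed, `v6-fixed` is a hypothetical filter name, and configuration comments and one-line `term ... then ...` statements are not handled.

```python
import re
TERMINATING = {"accept", "reject", "discard"}  # explicit actions that end evaluation

def parse(tokens):
    """Nest Junos curly-brace tokens into (statement, children-or-None) pairs."""
    nodes, stmt = [], []
    for tok in tokens:  # tokens is one shared iterator, so nested calls resume here
        if tok == "}":
            break
        if tok in ("{", ";"):
            nodes.append((" ".join(stmt), parse(tokens) if tok == "{" else None))
            stmt = []
        else:
            stmt.append(tok)
    return nodes

def is_catch_all(term):
    """True when a term has no 'from' and a terminating action: it matches everything."""
    actions = []
    for name, sub in term:
        if name.split()[:1] == ["from"]:
            return False
        if name.split()[:1] == ["then"]:
            actions += name.split()[1:2] if sub is None else [n.split()[0] for n, _ in sub if n]
    return bool(TERMINATING.intersection(actions))

def shadowed_terms(nodes):
    """Map filter name -> terms after a catch-all term; those never see a packet."""
    found = {}
    for name, sub in nodes:
        if sub and not name.startswith("filter "):
            found.update(shadowed_terms(sub))  # descend, e.g. into family inet6 { ... }
        elif sub:
            terms = [(n.split()[1], s) for n, s in sub if n.startswith("term ") and s]
            hit = next((i for i, (_, s) in enumerate(terms) if is_catch_all(s)), len(terms))
            if terms[hit + 1:]:
                found[name.split()[1]] = [t for t, _ in terms[hit + 1:]]
    return found

# Constructed input: pack-filter1 is condensed from the question, v6-fixed is hypothetical.
SAMPLE = """filter pack-filter1 {
    term 1 { from { port 5060-5061; } then { reject; } }
    term 2 { then accept; }
    term 3 { from { prefix-list { ipv62601; } } then { reject; } }
}
family inet6 { filter v6-fixed {
    term 1 { from { prefix-list { ipv62601; } } then { reject; } }
    term 2 { then accept; } } }"""
print(shadowed_terms(parse(iter(re.findall(r"[{};]|[^\s{};]+", SAMPLE)))))
```

For the sample it reports term 3 of `pack-filter1` as unreachable and nothing for `v6-fixed`, where the single unconditional accept is the last term.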