Technical Documentation

Example: Blocking TCP Connections to a Certain Port Except from BGP Peers

Block all TCP connection attempts to port 179 (BGP) from all requesters except the BGP peers listed in the prefix list bgp179:

[edit]
firewall {
    family inet {
        filter bgp179 {
            term 1 {
                from {
                    source-address {
                        0.0.0.0/0;
                    }
                    source-prefix-list {
                        bgp179 except;
                    }
                    destination-port bgp;
                }
                then {
                    reject;
                }
            }
            term 2 {
                then {
                    accept;
                }
            }
        }
    }
}

Expand the prefix list bgp179 to include the neighbor addresses of all BGP groups:

[edit policy-options]
prefix-list bgp179 {
    apply-path "protocols bgp group <*> neighbor <*>";
}

Apply the filter bgp179 as an input filter on the loopback interface lo0, so it is evaluated for traffic destined to the Routing Engine:

[edit interfaces lo0]
unit 0 {
    family inet {
        filter {
            input bgp179;
        }
        address 10.0.0.1/32;
    }
}
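The following Python model is an added example, not part of the Juniper page: it reproduces the decision the bgp179 filter makes for a given source address and destination port, including the longest-match handling of `except` entries and first-match term ordering, so the prefix-list logic can be checked before the filter is applied to lo0. The neighbor addresses are constructed sample values standing in for what apply-path would collect.

```python
# Added example (not from the Juniper page): a small model of how the bgp179
# filter decides accept/reject for a packet arriving on lo0.
import ipaddress

BGP_PORT = 179  # the Junos port keyword 'bgp'

# Constructed sample: what apply-path "protocols bgp group <*> neighbor <*>"
# would collect from the configured BGP groups.
BGP_NEIGHBORS = ["192.0.2.1", "192.0.2.2", "203.0.113.9"]


def expand_prefix_list(neighbors):
    """Model prefix-list bgp179: each neighbor address becomes a host prefix."""
    return [ipaddress.ip_network(f"{n}/32") for n in neighbors]


def source_matches(src, entries):
    """Junos source-address semantics: the longest matching prefix decides,
    and a prefix flagged 'except' excludes the address instead of matching it.
    entries is a list of (network, is_except)."""
    ip = ipaddress.ip_address(src)
    hits = [(net, exc) for net, exc in entries if ip in net]
    if not hits:
        return False
    _, is_except = max(hits, key=lambda h: h[0].prefixlen)
    return not is_except


def term1_from(src, dst_port, peer_prefixes):
    """term 1 'from': source-address 0.0.0.0/0, source-prefix-list bgp179
    except, destination-port bgp. All conditions must hold. The page's term
    has no 'protocol' condition, so transport protocol is not modelled."""
    entries = [(ipaddress.ip_network("0.0.0.0/0"), False)]
    entries += [(p, True) for p in peer_prefixes]
    return source_matches(src, entries) and dst_port == BGP_PORT


def evaluate(src, dst_port, neighbors=BGP_NEIGHBORS):
    """Terms are evaluated in order and the first match wins:
    term 1 -> reject, term 2 (no 'from') -> accept everything else."""
    peers = expand_prefix_list(neighbors)
    if term1_from(src, dst_port, peers):
        return "reject"
    return "accept"


if __name__ == "__main__":
    for src, port in [("192.0.2.1", 179), ("198.51.100.7", 179), ("198.51.100.7", 22)]:
        print(f"{src}:{port} -> {evaluate(src, port)}")
```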

Published: 2010-04-15