Configuring Default Reject Rules for Cases of Mismatch Between Packet Source IP and Network Reachability Information of Receiving Interface
When a packet's source address does not belong to the networks associated with the interface on which the packet was received, use the following configuration to reject it.
- For IPv4, configure a filter to drop and log network traffic when the source IP address of the packet does not match the network reachability information of the TOE interface.

  set firewall family inet filter src-addr-nw term allow from source-address 10.1.9.0/24
  set firewall family inet filter src-addr-nw term allow then log
  set firewall family inet filter src-addr-nw term allow then accept
  set firewall family inet filter src-addr-nw term deny then log
  set firewall family inet filter src-addr-nw term deny then discard

  Note: In this case the network 10.1.9.0/24 is reachable through interface ge-1/0/1, so the above filter was created to drop any packets with a source IP not belonging to the 10.1.9.0/24 subnet.

  Apply the filter to the TOE’s interface:

  set interfaces ge-1/0/1 unit 0 family inet filter input src-addr-nw
- For IPv6, configure a filter to drop and log network traffic when the source IP address of the packet does not match the network reachability information of the TOE interface.

  set firewall family inet6 filter src-addr-nw term allow from source-address 2001:db8:1:9::/64
  set firewall family inet6 filter src-addr-nw term allow then log
  set firewall family inet6 filter src-addr-nw term allow then accept
  set firewall family inet6 filter src-addr-nw term deny then log
  set firewall family inet6 filter src-addr-nw term deny then discard

  Note: In this case the network 2001:db8:1:9::/64 is reachable through interface ge-1/0/1, so the above filter was created to drop any packets with a source IP not belonging to the 2001:db8:1:9::/64 subnet.

  Apply the filter to the TOE’s interface:

  set interfaces ge-1/0/1 unit 0 family inet6 filter input src-addr-nw
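The following is an added example, not Juniper code, that models the filter shown above for both families: it generates the set statements for an interface/prefix pair and evaluates constructed sample source addresses with the filter's first-match term order (the allow term for the attached prefix, then the catch-all deny term), so the intended accept-and-log or discard-and-log outcome can be checked before committing. The function names and the use of Python's ipaddress module as a stand-in for the router's matching are assumptions of this example.

```python
"""Model of the per-interface source-address filter configured above.

Added example (not Juniper code). Assumes that Junos 'from source-address'
prefix matching behaves like ipaddress containment and that a family's
filter only ever sees packets of that family.
"""
import ipaddress


def filter_commands(interface, prefix, name="src-addr-nw"):
    """Build the set statements for one family, chosen from the prefix version."""
    net = ipaddress.ip_network(prefix, strict=True)  # rejects host bits set
    family = "inet" if net.version == 4 else "inet6"
    base = f"set firewall family {family} filter {name}"
    return [
        f"{base} term allow from source-address {net.with_prefixlen}",
        f"{base} term allow then log",
        f"{base} term allow then accept",
        f"{base} term deny then log",
        f"{base} term deny then discard",
        f"set interfaces {interface} unit 0 family {family} filter input {name}",
    ]


def evaluate(prefix, src_ip):
    """First-match evaluation of the two terms.

    Returns (action, logged); both terms log. Returns None when the packet
    belongs to the other address family, since that family's filter applies.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    src = ipaddress.ip_address(src_ip)
    if src.version != net.version:
        return None
    if src in net:                 # term allow: attached subnet
        return ("accept", True)
    return ("discard", True)       # term deny: everything else


if __name__ == "__main__":
    # Constructed sample packets for the interface ge-1/0/1 used on the page.
    for prefix in ("10.1.9.0/24", "2001:db8:1:9::/64"):
        print("\n".join(filter_commands("ge-1/0/1", prefix)))
    for src in ("10.1.9.27", "192.0.2.5", "2001:db8:1:9::1", "2001:db8:2::1"):
        print(src, evaluate("10.1.9.0/24", src), evaluate("2001:db8:1:9::/64", src))
```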