Gburn_124136
Nimbostratus
Jun 28, 2013
Can't define Packet filter port ranges
We tried:
dst portrange x:y
dst portrange x-y
tcp portrange x:y
tcp portrange x-y
port x:y
port x-y
Nada. GUI rejects them all.
StephanManthey
Nacreous
Apr 20, 2016
It seems to work in v11.6.0HF6.
For limiting access to a GTM's self IPs (*.11) and listeners (*.10) the following set of filters (range required to permit traceroute to both self IP and listener) was used:
tmsh -q -c 'list net packet-filter; list net packet-filter-trusted; list sys db packetfilter.*'
net packet-filter filter_dnsquery_in {
    action accept
    order 5
    rule "( ( ip proto UDP or ip6 proto UDP ) or ( ip proto TCP or ip6 proto TCP ) ) and ( dst host 10.10.1.10 ) and ( dst port 53 )"
    vlan vlan_external
}
net packet-filter filter_icmp_in {
    action accept
    order 20
    rule "( ( ip proto ICMP or ip6 proto ICMP ) ) and ( dst host 10.10.1.10 or dst host 10.10.1.11 )"
    vlan vlan_external
}
net packet-filter filter_iquery_in {
    action accept
    order 10
    rule "( ( ip proto TCP or ip6 proto TCP ) ) and ( src host 10.10.2.11 or src host 10.10.3.11 ) and ( dst host 10.10.1.11 ) and ( dst port 4353 or dst port 22 )"
    vlan vlan_external
}
net packet-filter filter_traceroute_in {
    action accept
    order 15
    rule "( ( ip proto UDP or ip6 proto UDP ) ) and ( dst host 10.10.1.10 or dst host 10.10.1.11 ) and ( dst portrange 33434-33534 )"
    vlan vlan_external
}
net packet-filter-trusted { }
sys db packetfilter.allow.arp {
    value "enable"
}
sys db packetfilter.allow.important.icmp {
    value "enable"
}
sys db packetfilter.defaultaction {
    value "discard"
}
sys db packetfilter.defaultlog {
    value "disable"
}
sys db packetfilter.established {
    value "disable"
}
sys db packetfilter.sendicmperrors {
    value "disable"
}
Thanks, Stephan
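An added example, not part of the post above and not F5 code: a small Python evaluator for the rule subset used in that listing, to check offline which filter a given packet would hit, including the edges of the `dst portrange 33434-33534` range. It assumes filters are tried in ascending `order` with the first match deciding, that port ranges are inclusive, that `and`/`or` have equal precedence, and that only `packetfilter.defaultaction` applies among the sys db settings; the packet dictionary fields and the function names are hypothetical.

```python
FILTERS = [  # (order, action, rule), copied from the tmsh listing above
    (5, "accept", "( ( ip proto UDP or ip6 proto UDP ) or ( ip proto TCP or ip6 proto TCP ) ) and ( dst host 10.10.1.10 ) and ( dst port 53 )"),
    (20, "accept", "( ( ip proto ICMP or ip6 proto ICMP ) ) and ( dst host 10.10.1.10 or dst host 10.10.1.11 )"),
    (10, "accept", "( ( ip proto TCP or ip6 proto TCP ) ) and ( src host 10.10.2.11 or src host 10.10.3.11 ) and ( dst host 10.10.1.11 ) and ( dst port 4353 or dst port 22 )"),
    (15, "accept", "( ( ip proto UDP or ip6 proto UDP ) ) and ( dst host 10.10.1.10 or dst host 10.10.1.11 ) and ( dst portrange 33434-33534 )"),
]
DEFAULT_ACTION = "discard"  # sys db packetfilter.defaultaction in the listing
PROBE = {"family": "ip", "proto": "UDP", "src": "192.0.2.7", "dst": "10.10.1.10", "sport": 40000, "dport": 33434}  # constructed packet

def primitive(words, pkt):  # one three-word primitive, e.g. 'dst portrange 33434-33534'
    side, kind, val = words
    if kind == "proto":                      # 'ip proto UDP' / 'ip6 proto UDP'
        return pkt["family"] == side and pkt["proto"] == val
    if kind == "host":                       # 'src host A' / 'dst host A'
        return pkt[side] == val
    port = pkt.get("dport" if side == "dst" else "sport")  # None for ICMP
    if kind == "port":
        return port == int(val)
    if kind == "portrange":                  # lo-hi, the form shown working above
        lo, hi = (int(p) for p in val.split("-"))
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {val}")
        return port is not None and lo <= port <= hi
    raise ValueError(f"unsupported primitive: {' '.join(words)}")

def matches(rule, pkt):  # recursive descent over the parenthesised and/or expression
    tok = rule.split()
    def expr(i):
        val, i = term(i)
        while i < len(tok) and tok[i] in ("and", "or"):
            op, (rhs, i) = tok[i], term(i + 1)
            val = (val and rhs) if op == "and" else (val or rhs)
        return val, i
    def term(i):
        if tok[i] == "(":
            val, i = expr(i + 1)
            if i >= len(tok) or tok[i] != ")":
                raise ValueError("unbalanced parentheses")
            return val, i + 1
        return primitive(tok[i:i + 3], pkt), i + 3
    val, end = expr(0)
    if end != len(tok):
        raise ValueError("trailing tokens in rule")
    return val

def decide(pkt):  # (action, order) of the first matching filter, else the default
    for order, action, rule in sorted(FILTERS):
        if matches(rule, pkt):
            return action, order
    return DEFAULT_ACTION, None
```

`decide(PROBE)` returns the action and the `order` of the filter that matched, so a packet that falls through to the default shows up as `("discard", None)`.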
