BGP Router Manager templates for Voneus core and aggregation infrastructure


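{#-
  Junos "firewall" stanza: control-plane protection filters for BGP and LDP.

  Three NetBox prefix tags drive the allow-lists:
    bgp-multihop  - peers reached over several hops (no TTL/hop-limit check
                    is possible, so only the source address is checked)
    bgp-allowed   - peers admitted with TTL/hop-limit 255 on session setup
                    (GTSM, tcp-initial) and as established TCP afterwards
    ldp-allowed   - LDP neighbours (TCP/646)
  Anything else to TCP/179 or TCP/646 is rejected with a TCP reset; every
  other packet falls through to the final accept term, so other protocols
  are expected to be policed elsewhere.

  NOTE(review): the inet filter matches "port 179"/"port 646" (source OR
  destination port) while the inet6 filter matches "destination-port" only;
  confirm this asymmetry between address families is intended.
-#}
{{ "firewall"|progress }} {
{#- Render one address-list entry, annotated with its NetBox description.
    The description is free text coming from NetBox, so the comment
    terminator is neutralised before it lands in the device config; an
    empty/missing description emits no annotation at all. -#}
{%- macro address_entry(prefix) -%}
{{ prefix }};{% if prefix.description %} /* {{ prefix.description|replace('*/', '* /') }} */{% endif %}
{%- endmacro %}
{#- Split each tagged prefix list by address family exactly once, so both
    filters below read the same data and NetBox is queried once per tag. -#}
{%- set bgp_multihop_prefixes_v4 = [] %}
{%- set bgp_multihop_prefixes_v6 = [] %}
{%- for prefix in 'bgp-multihop'|get_netbox_tagged_prefixes %}
{%- if prefix|ipv4 %}{% do bgp_multihop_prefixes_v4.append( prefix ) %}
{%- elif prefix|ipv6 %}{% do bgp_multihop_prefixes_v6.append( prefix ) %}
{%- endif %}
{%- endfor %}
{%- set bgp_allowed_prefixes_v4 = [] %}
{%- set bgp_allowed_prefixes_v6 = [] %}
{%- for prefix in 'bgp-allowed'|get_netbox_tagged_prefixes %}
{%- if prefix|ipv4 %}{% do bgp_allowed_prefixes_v4.append( prefix ) %}
{%- elif prefix|ipv6 %}{% do bgp_allowed_prefixes_v6.append( prefix ) %}
{%- endif %}
{%- endfor %}
{%- set ldp_allowed_prefixes_v4 = [] %}
{%- set ldp_allowed_prefixes_v6 = [] %}
{%- for prefix in 'ldp-allowed'|get_netbox_tagged_prefixes %}
{%- if prefix|ipv4 %}{% do ldp_allowed_prefixes_v4.append( prefix ) %}
{%- elif prefix|ipv6 %}{% do ldp_allowed_prefixes_v6.append( prefix ) %}
{%- endif %}
{%- endfor %}
    family inet {
        filter control-plane-protection-IPv4 {
{% if bgp_multihop_prefixes_v4 %}
            {# Multihop peers: source address only, no TTL check possible. #}
            term allow-multihop-bgp {
                from {
                    protocol tcp;
                    source-address {
{% for prefix in bgp_multihop_prefixes_v4 %}
                        {{ address_entry(prefix) }}
{% endfor %}
                    }
                    port 179;
                }
                then {
                    accept;
                }
            }
{% endif %}
{% if bgp_allowed_prefixes_v4 %}
            {# GTSM: session setup (SYN without ACK) only from directly connected peers (TTL 255). #}
            term allow-gtsm-bgp {
                from {
                    protocol tcp;
                    source-address {
{% for prefix in bgp_allowed_prefixes_v4 %}
                        {{ address_entry(prefix) }}
{% endfor %}
                    }
                    tcp-initial;
                    ttl 255;
                    port 179;
                }
                then {
                    accept;
                }
            }
            {# Same peer list as the GTSM term, for packets of an already established session. #}
            term allow-established-bgp {
                from {
                    protocol tcp;
                    source-address {
{% for prefix in bgp_allowed_prefixes_v4 %}
                        {{ address_entry(prefix) }}
{% endfor %}
                    }
                    tcp-established;
                    port 179;
                }
                then {
                    accept;
                }
            }
{% endif %}
            {# Any other BGP traffic is refused with a reset rather than silently dropped. #}
            term reject-bgp {
                from {
                    protocol tcp;
                    port 179;
                }
                then {
                    reject tcp-reset;
                }
            }
{% if ldp_allowed_prefixes_v4 %}
            term allow-ldp {
                from {
                    protocol tcp;
                    source-address {
{% for prefix in ldp_allowed_prefixes_v4 %}
                        {{ address_entry(prefix) }}
{% endfor %}
                    }
                    port 646;
                }
                then {
                    accept;
                }
            }
{% endif %}
            term reject-ldp {
                from {
                    protocol tcp;
                    port 646;
                }
                then {
                    reject tcp-reset;
                }
            }
            {# Everything that is not BGP or LDP passes this filter. #}
            term else {
                then {
                    accept;
                }
            }
        }
    }
    family inet6 {
        filter control-plane-protection-IPv6 {
{% if bgp_multihop_prefixes_v6 %}
            {# Multihop peers: source address only, no hop-limit check possible. #}
            term allow-multihop-bgp {
                from {
                    next-header tcp;
                    source-address {
{% for prefix in bgp_multihop_prefixes_v6 %}
                        {{ address_entry(prefix) }}
{% endfor %}
                    }
                    destination-port 179;
                }
                then {
                    accept;
                }
            }
{% endif %}
{% if bgp_allowed_prefixes_v6 %}
            {# GTSM: session setup (SYN without ACK) only from directly connected peers (hop-limit 255). #}
            term allow-gtsm-bgp {
                from {
                    next-header tcp;
                    source-address {
{% for prefix in bgp_allowed_prefixes_v6 %}
                        {{ address_entry(prefix) }}
{% endfor %}
                    }
                    hop-limit 255;
                    tcp-initial;
                    destination-port 179;
                }
                then {
                    accept;
                }
            }
            {# Same peer list as the GTSM term, for packets of an already established session. #}
            term allow-established-bgp {
                from {
                    next-header tcp;
                    source-address {
{% for prefix in bgp_allowed_prefixes_v6 %}
                        {{ address_entry(prefix) }}
{% endfor %}
                    }
                    tcp-established;
                    destination-port 179;
                }
                then {
                    accept;
                }
            }
{% endif %}
            {# Any other BGP traffic is refused with a reset rather than silently dropped. #}
            term reject-bgp {
                from {
                    next-header tcp;
                    destination-port 179;
                }
                then {
                    reject tcp-reset;
                }
            }
{% if ldp_allowed_prefixes_v6 %}
            term allow-ldp {
                from {
                    next-header tcp;
                    source-address {
{% for prefix in ldp_allowed_prefixes_v6 %}
                        {{ address_entry(prefix) }}
{% endfor %}
                    }
                    destination-port 646;
                }
                then {
                    accept;
                }
            }
{% endif %}
            term reject-ldp {
                from {
                    next-header tcp;
                    destination-port 646;
                }
                then {
                    reject tcp-reset;
                }
            }
            {# Everything that is not BGP or LDP passes this filter. #}
            term else {
                then {
                    accept;
                }
            }
        }
    }
}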