The following example worked well on our MX240 and older M7i routers. It should also work on SRX devices, but I have no way to affirm this.

1) Create the prefix-lists under 'policy-options'
edit policy-options prefix-list block-Manual
set a.b.c.d/CIDR
up
annotate prefix-list block-Manual "Manual Block List"
top
edit policy-options prefix-list block-spamhaus-edrop
set a.b.c.d/CIDR
[...]
set w.x.y.z/CIDR
up
annotate prefix-list block-spamhaus-edrop "http://www.spamhaus.org/drop/edrop.txt"

(The 'up' after the first list leaves you at [edit policy-options], so return to the top before editing the next list.) You'll need to add the networks you want to block to each prefix list (I've created separate lists on purpose), but this should roughly give you:

[edit policy-options]
/* Manual Block List */
prefix-list block-Manual {
    a.b.c.d/CIDR;
}
/* http://www.spamhaus.org/drop/edrop.txt */
prefix-list block-spamhaus-edrop {
    a.b.c.d/CIDR;
    w.x.y.z/CIDR;
}

I'm also using the DROP list from Spamhaus, but at 500+ lines I felt it was of no use in this article. Simply create another prefix list, annotate it accordingly and fill it with the contents of http://www.spamhaus.org/drop/drop.txt
2) Create a firewall filter

set firewall family inet filter blocked-IP term 1 from prefix-list block-Manual
set firewall family inet filter blocked-IP term 1 then discard
set firewall family inet filter blocked-IP term 2 from prefix-list block-spamhaus-edrop
set firewall family inet filter blocked-IP term 2 then discard
set firewall family inet filter blocked-IP term 99 then accept

...and this gives you:

filter blocked-IP {
    term 1 {
        from {
            prefix-list {
                block-Manual;
            }
        }
        then {
            discard;
        }
    }
    term 2 {
        from {
            prefix-list {
                block-spamhaus-edrop;
            }
        }
        then {
            discard;
        }
    }
    term 99 {
        then accept;
    }
}

3) Apply the filter to an interface

family inet {
    filter {
        input blocked-IP;
        output blocked-IP;
    }
}

...and that's all there is to it. Just keep adding new prefix lists (if you want to keep them logically separate) and add them as terms to the filter, ensuring term 99 (accepting traffic) is always last.
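Filling a 500+ line prefix list by hand is where mistakes creep in, so here is an added example (not part of the original post, and not a Juniper tool) that turns DROP-format text into the same CLI sequence the steps above use: a prefix list with its annotation, then the discard terms and the trailing accept term. The input is a constructed sample in the Spamhaus DROP layout rather than a real download, so it runs offline; in practice you would feed it the saved contents of drop.txt or edrop.txt. Malformed lines are skipped rather than copied into the config, and a small check confirms the accept term really is last before anything is pasted into the router.

```python
import ipaddress

# Constructed sample in the Spamhaus DROP/EDROP text layout (not a real download):
# ";" starts a comment line; data lines are "prefix ; SBL reference".
# It deliberately contains one malformed line and one duplicate.
SAMPLE_DROP_TXT = """\
; Spamhaus DROP List (constructed sample for this example)
; Last-Modified: never
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
not-a-prefix ; SBL000003
203.0.113.0/24 ; SBL000004
192.0.2.0/24 ; SBL000001
"""


def parse_drop_list(text):
    """Return the unique, valid IPv4 prefixes found in DROP-format text.

    Comment lines and the trailing "; SBLnnn" tag are ignored. A line that is
    not a well-formed network prefix is skipped rather than copied into the
    config, so one bad entry cannot make the whole commit fail. Duplicates are
    dropped while keeping first-seen order.
    """
    prefixes = []
    seen = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        candidate = line.split(";", 1)[0].strip()
        try:
            net = ipaddress.IPv4Network(candidate, strict=True)
        except ValueError:
            continue
        key = str(net)
        if key not in seen:
            seen.add(key)
            prefixes.append(key)
    return prefixes


def prefix_list_commands(name, prefixes, annotation):
    """Emit the CLI sequence the article uses: edit into the prefix-list,
    'set' each prefix, step 'up' and annotate the list, then return to 'top'."""
    cmds = [f"edit policy-options prefix-list {name}"]
    cmds += [f"set {p}" for p in prefixes]
    cmds.append("up")
    cmds.append(f'annotate prefix-list {name} "{annotation}"')
    cmds.append("top")
    return cmds


def filter_commands(filter_name, list_names, accept_term="99"):
    """One discard term per prefix list, numbered in order, with the accept
    term appended last so it can never end up ahead of a block term."""
    cmds = []
    for number, list_name in enumerate(list_names, start=1):
        base = f"set firewall family inet filter {filter_name} term {number}"
        cmds.append(f"{base} from prefix-list {list_name}")
        cmds.append(f"{base} then discard")
    cmds.append(
        f"set firewall family inet filter {filter_name} term {accept_term} then accept"
    )
    return cmds


def accept_term_is_last(cmds):
    """Sanity check: the only 'then accept' line must be the final command."""
    accepts = [i for i, c in enumerate(cmds) if c.endswith("then accept")]
    return accepts == [len(cmds) - 1]


if __name__ == "__main__":
    drop = parse_drop_list(SAMPLE_DROP_TXT)
    out = prefix_list_commands(
        "block-spamhaus-drop", drop, "http://www.spamhaus.org/drop/drop.txt"
    )
    out += filter_commands("blocked-IP", ["block-Manual", "block-spamhaus-drop"])
    assert accept_term_is_last(out)
    print("\n".join(out))
```

Run it and paste the output into configuration mode; the list name block-spamhaus-drop and the filter name are just the ones chosen here. Because the generator numbers terms from the order of the list names you pass in, keeping the accept term last is a property of the code rather than something to remember each time you add a list.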