We need to make some modifications to the "make discard" behavior, especially given how the NOC staff uses this information.
This is the current syntax as displayed by check_access (match conditions trimmed down to try and keep this short)::
term permit_ftp {
/* trigger: make discard */
/* Allow FTP */
/* trigger: altered from accept for display purposes */
from {
destination-address {
25.18.14.0/26;
}
protocol tcp;
destination-port [ 20-21 1024-65535 ];
}
then {
discard;
}
}
And of course the action is actually "accept" on the routers, but modified for the purpose of access checkes within the ACL.
Consider one of the following changes, in order of descending preference.
Ideally, would like to leave the action unchanged (continue to display as accept) and strike the "altered from accept for display purposes" syntax. Understand this may well be impossible to do and retain the rest of the make discard behavior, and almost certainly would be most difficult. So...
Change the "altered from accept for display purposes" to "!!!! Action is NOT DISCARD. Probably is accept but check the router to confirm!!!!" and insert this immediately beneath the discard action. I assume here that make discard will work with actions other than permit, but if not then could change the wording to reflect that the action is certainly accept.
If you can't do this, then leave the additional syntax where it is but change the syntax as above.
We need to make some modifications to the "make discard" behavior, especially given how the NOC staff uses this information.
This is the current syntax as displayed by check_access (match conditions trimmed down to try and keep this short)::
And of course the action is actually "accept" on the routers, but modified for the purpose of access checkes within the ACL.
Consider one of the following changes, in order of descending preference.