From 7d9a928b78e46408988de6255bc9e807ae4551aef2a584f3e7e248c287e174e7 Mon Sep 17 00:00:00 2001
From: khodor
Date: Thu, 2 Jan 2025 03:06:01 +0000
Subject: [PATCH] Add protect-re-dynamic-prefix-list
---
 protect-re-dynamic-prefix-list | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 protect-re-dynamic-prefix-list
diff --git a/protect-re-dynamic-prefix-list b/protect-re-dynamic-prefix-list
new file mode 100644
index 0000000..9e7bdc1
--- /dev/null
+++ b/protect-re-dynamic-prefix-list
@@ -0,0 +1,16 @@
+set interfaces lo0 unit 0 family inet filter input PROTECT_RE
+set interfaces lo0 unit 0 family inet6 filter input PROTECT_RE_V6
+
+set policy-options prefix-list BGP_PEERS_DYNAMIC apply-path "protocols bgp group <*> neighbor <*.*>"
+
+set firewall family inet filter PROTECT_RE term ALLOW_BGP from source-prefix-list BGP_PEERS_DYNAMIC
+set firewall family inet filter PROTECT_RE term ALLOW_BGP from protocol tcp
+set firewall family inet filter PROTECT_RE term ALLOW_BGP from destination-port bgp
+set firewall family inet filter PROTECT_RE term ALLOW_BGP then log
+set firewall family inet filter PROTECT_RE term ALLOW_BGP then accept
+set firewall family inet filter PROTECT_RE term BLOCK_BGP from protocol tcp
+set firewall family inet filter PROTECT_RE term BLOCK_BGP from destination-port bgp
+set firewall family inet filter PROTECT_RE term BLOCK_BGP then log
+set firewall family inet filter PROTECT_RE term BLOCK_BGP then discard
+set firewall family inet filter PROTECT_RE term DEFAULT then log
+set firewall family inet filter PROTECT_RE term DEFAULT then accept
\ No newline at end of file
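Review bot: The second line applies `PROTECT_RE_V6` as the inet6 input filter on lo0, but no `firewall family inet6 filter PROTECT_RE_V6` is defined anywhere in the hunk, so as far as I can tell the commit will be rejected for referencing an undefined filter, and even if it were accepted the IPv6 side of the RE would carry no BGP protection. The `BGP_PEERS_DYNAMIC` prefix-list cannot be reused for it either, because its `<*.*>` glob only matches dotted IPv4 neighbor addresses, which is correct for the inet filter but leaves IPv6 peers unmatched. Either drop the inet6 line until a v6 filter exists or add a mirror of the inet filter driven by its own prefix-list, as below. Note also that the `DEFAULT` term accepts everything else, so this filter only gates TCP/179 and is not a full RE-protection policy; the filename and commit message should say so to avoid it being read as one.

```junos
set policy-options prefix-list BGP_PEERS_DYNAMIC_V6 apply-path "protocols bgp group <*> neighbor <*:*>"
set firewall family inet6 filter PROTECT_RE_V6 term ALLOW_BGP from source-prefix-list BGP_PEERS_DYNAMIC_V6
set firewall family inet6 filter PROTECT_RE_V6 term ALLOW_BGP from next-header tcp
set firewall family inet6 filter PROTECT_RE_V6 term ALLOW_BGP from destination-port bgp
set firewall family inet6 filter PROTECT_RE_V6 term ALLOW_BGP then log
set firewall family inet6 filter PROTECT_RE_V6 term ALLOW_BGP then accept
set firewall family inet6 filter PROTECT_RE_V6 term BLOCK_BGP from next-header tcp
set firewall family inet6 filter PROTECT_RE_V6 term BLOCK_BGP from destination-port bgp
set firewall family inet6 filter PROTECT_RE_V6 term BLOCK_BGP then log
set firewall family inet6 filter PROTECT_RE_V6 term BLOCK_BGP then discard
set firewall family inet6 filter PROTECT_RE_V6 term DEFAULT then log
set firewall family inet6 filter PROTECT_RE_V6 term DEFAULT then accept
```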