SRX

 View Only

IMPORTANT MODERATION NOTICE

This community is currently under full moderation, meaning  all posts will be reviewed before appearing in the community. Please expect a brief delay—there is no need to post multiple times. If your post is rejected, you'll receive an email outlining the reason(s). We've implemented full moderation to control spam. Thank you for your patience and participation.



  • 1.  Creating a Firewall Filter

    Posted 12-03-2013 12:09

    Hi,

     

       I am creating a a firewall filter to block certain protocols and allow others. What I want to know is there a difference between two firewall filters I created below? Would they both accompish the same goal? And since the both filter does not specify a "family type" does this filter defaut to "family inet". Thank you

     

    root@Juniper1# show
    family inet {
    filter ALLOW_TELNET {
    term 1 {
    from {
    protocol tcp;
    port telnet;
    }
    }
    term BLOCK_EVERY {
    then {
    reject;
    }


    }

     


    filter ALLOW_TELNET {
    term 1 {
    from {
    protocol tcp;
    port telnet;
    }
    then accept;
    }
    term BLOCK_EVERY {
    then {
    reject;
    }
    }


    #SRX
    #routing
    #firewall
    #filter


  • 2.  RE: Creating a Firewall Filter

    Posted 12-03-2013 22:29

    Hi Victor,

     

    Looking at the 2 filters , action is missing for the first term in first policy so it would get dropped.

     

    so the second firewall filter should work.

     

    Following article takes about actions and protocol family action.

     

    https://www.juniper.net/techpubs/en_US/junos12.2/topics/reference/general/firewall-filter-actions-terminating.html

     

    (Click the "Star" for Kudos if you think I earned it!
    If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]

     

    Regards,
    rparthi



  • 3.  RE: Creating a Firewall Filter
    Best Answer

    Posted 12-04-2013 05:15

    Hi , raparthi i would disagree with you, when firewall start evaluation it will first check match condition in from clause if all conditions are met then it will perform action defined under then clause , if no then clause is defined and all conditions in from clause are met then default action i.e.... Accept will be applicable .

    Reference links

      http://www.juniper.net/techpubs/en_US/junos12.1/topics/concept/firewall-filter-stateless-evaluate-packets.html

      http://www.juniper.net/techpubs/en_US/junos12.2/topics/concept/firewall-filter-ex-series-evaluation-understanding.html

     

    Now coming to original question

     

    (question part 2 "And since the both filter does not specify a "family type" does this filter default to "family inet" answer comes first)

    The family family-name statement is required only to specify a protocol family other than IPv4. To configure an IPv4 firewall filter, you can configure the filter at the [edit firewall] hierarchy level without including the family inet statement, Because the [edit firewall] and [edit firewall family inet] hierarchy levels are equivalent

     

    (Now question part1 answer "is there a difference between two firewall filters") The answer is no , there is no difference in two filters you created. When family is not defined it is always family inet , in first filter you did not specify then clause it does not matter , if all condition in from clause are met then default action "permit" is applied .

     

     

    Pleas mark this as accepted solution if it solves your problem

    Kudos a good way of appreciation

     

    Kashif Nawaz

    JNCIP-Sec , JNCIS-Ent, JNCIS-Sec, JNCIA-Junos