SRX


Ping allowed to the proxy-arp addresses.

  • 1.  Ping allowed to the proxy-arp addresses.

    Posted 01-07-2010 13:31

    Hello, I have 3 public IP addresses that respond to echo request (ping) and I don't want to allow it. I haven't configured host-inbound-traffic for the zone or for the interface; it only blocks the ping requests that come to the IP address of the interface itself, but not those to the proxy-arp addresses defined in the security nat hierarchy.

    # show security zones security-zone WAN
    interfaces {
        ge-0/0/3;
    }

    The IP address of the interface itself denies the ping request, but the other IP addresses don't :(, any ideas?



  • 2.  RE: Ping allowed to the proxy-arp addresses.

    Posted 01-07-2010 15:36

    Hi

     

    You can use firewall filters and tie it to the lo0 address. Here is a sample from my setup:

     

    [edit]
    root@srxa07_29# show firewall
    family inet {
        filter test {
            term 1 {
                from {
                    destination-address {
                        <IP of the proxy-arp IP/32>;
                    }
                    protocol icmp;
                }
                then {
                    discard;
                }
            }
            term 2 {
                then accept;
            }
        }
    }

     

    Then tie this filter onto the input for lo0:

    [edit]
    root@srxa07_29# show interfaces lo0
    unit 0 {
        family inet {
            filter {
                input test;
            }
        }
    }


  • 3.  RE: Ping allowed to the proxy-arp addresses.
    Best Answer

    Posted 01-08-2010 05:34

    That's what I did and it worked for me:

     

    ### I configured a firewall filter to block echo requests. ####

    firewall {
        family inet {
            filter Block-ping {
                term block {
                    from {
                        icmp-type echo-request;
                    }
                    then {
                        discard;
                    }
                }
                term default {
                    then accept;
                }
            }
        }
    }

     

    #### Then I applied the filter to the interface. ###

     

    ge-0/0/3 {
        unit 0 {
            family inet {
                filter {
                    input Block-ping;
                }
                address <my public ip address>/29;
            }
        }
    }

     




  • 4.  RE: Ping allowed to the proxy-arp addresses.

    Posted 08-25-2017 08:30

    I know this is bringing up an old topic, but this was an issue I came across recently and this was about the only post I found from the Googles.

    I had some proxy-arp IPs responding, while others were not. From traceoptions I see that the IPs not responding were not responding because of a source NAT pool. So in order to keep the other IPs from responding I created a source pool with the address. You don't need to place a source NAT rule, just create the pool.

     

    Hope this helps others out in the future. 



  • 5.  RE: Ping allowed to the proxy-arp addresses.

    Posted 08-25-2017 18:24
    DHCP carries ping too I think.
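
The interface-filter fix from the best answer can be audited offline. The script below is an added example, not code from any poster in this thread: it reads a configuration in `display set` form and lists proxy-arp addresses whose logical interface has no input filter discarding echo requests. The sample configuration, its addresses and the function names are constructed for illustration, and term ordering within a filter is not evaluated.

```python
import re
from collections import defaultdict

# Constructed sample in "show configuration | display set" form; addresses are
# documentation-range placeholders, not values from the thread.
SAMPLE = """\
set security nat proxy-arp interface ge-0/0/3.0 address 203.0.113.10/32
set security nat proxy-arp interface ge-0/0/3.0 address 203.0.113.11/32
set security nat proxy-arp interface ge-0/0/4.0 address 198.51.100.5/32
set interfaces ge-0/0/3 unit 0 family inet filter input Block-ping
set interfaces ge-0/0/4 unit 0 family inet filter input Allow-all
set firewall family inet filter Block-ping term block from icmp-type echo-request
set firewall family inet filter Block-ping term block then discard
set firewall family inet filter Block-ping term default then accept
set firewall family inet filter Allow-all term default then accept
"""

# Match conditions that, on their own, cover ping to every destination.
PING_MATCH = {"protocol icmp", "icmp-type echo-request"}

def blocking_filters(config):
    """Names of inet filters with a term that drops echo-request for all destinations."""
    terms = defaultdict(lambda: {"from": set(), "then": set()})
    pat = re.compile(r"set firewall family inet filter (\S+) term (\S+) (from|then) (.+)")
    for line in config.splitlines():
        m = pat.match(line.strip())
        if m:
            terms[(m[1], m[2])][m[3]].add(m[4].strip())
    # Conservative: a term with extra conditions (e.g. destination-address)
    # is not counted, because it may not cover every proxy-arp address.
    return {name for (name, _), t in terms.items()
            if t["from"] and t["from"] <= PING_MATCH
            and t["then"] & {"discard", "reject"}}

def unfiltered_proxy_arp(config):
    """(logical interface, address) proxy-arp entries lacking a ping-dropping input filter."""
    blocked = blocking_filters(config)
    applied = {}
    for m in re.finditer(r"set interfaces (\S+) unit (\d+) family inet filter input (\S+)", config):
        applied[f"{m[1]}.{m[2]}"] = m[3]
    exposed = []
    for m in re.finditer(r"set security nat proxy-arp interface (\S+) address (\S+)", config):
        if applied.get(m[1]) not in blocked:
            exposed.append((m[1], m[2]))
    return exposed

if __name__ == "__main__":
    for ifl, addr in unfiltered_proxy_arp(SAMPLE):
        print(f"{ifl}: {addr} has no input filter discarding echo-request")
```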