SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Block ICMP Interface Specific - Packet Mode

    Posted 10-04-2017 17:41

    Hello all, 

     

    I am trying to prevent my SRX340 (which is in packet mode) from responding to ICMP on a per-interface basis with the firewall family feature set. 

     

    I am able to create and apply rules that block ICMP entirely on an interface, and any traffic that flows through it, and I am also able to block ICMP responses for a specific destination address, but I don't know how to apply it to an interface (without specifying the address) and NOT have it block in-transit ICMP that is passing through that interface originated on one side or the other. 

     

    I would like to create a rule that I can slap on an interface just to block that interface or unit number from giving an echo-reply, but not prevent ICMP from passing through. 

     

    Can anyone lead me in the right direction? Would also like to know how to hide the hop from a trace route if required, but perhaps that is another question... 

     



  • 2.  RE: Block ICMP Interface Specific - Packet Mode
    Best Answer

     
    Posted 10-04-2017 20:33
    You may use the "apply-path" option to achieve this. Below is a sample config used to block all ICMP traffic destined to any IP address on the SRX.


    root@Router-3# show policy-options | display set
    set policy-options prefix-list SRX-Interface-IPs apply-path "interfaces <*> unit <*> family inet address <*>" ===> This config will include all IP address configured on SRX

    [edit]
    root@Router-3# show firewall | display set
    set firewall family inet filter Block-ICMP-To-SRX term 1 from destination-prefix-list SRX-Interface-IPs ===> Used the above prefix-list as destination address on filter
    set firewall family inet filter Block-ICMP-To-SRX term 1 from protocol icmp
    set firewall family inet filter Block-ICMP-To-SRX term 1 from icmp-type echo-request
    set firewall family inet filter Block-ICMP-To-SRX term 1 then discard
    set firewall family inet filter Block-ICMP-To-SRX term 2 then accept

    [edit]
    root@Router-3#


    Below is the verification:

    root@Router-3# show policy-options | display inheritance
    prefix-list SRX-Interface-IPs {
    ##
    ## apply-path was expanded to:
    ## 2.2.2.0/24;
    ## 1.1.1.0/24;
    ##
    apply-path "interfaces <*> unit <*> family inet address <*>";
    }

    [edit]
    root@Router-3#

    Ref: https://kb.juniper.net/InfoCenter/KB29448


  • 3.  RE: Block ICMP Interface Specific - Packet Mode

    Posted 10-05-2017 16:38

    Thanks for the reply! 

     

    I have added the config as you provided however I am still seeing ping responses from all interfaces? Does it need to be applied to a specific interface to become active? 

     

    Also, in the verification for the apply-path I am seeing every subnet attached to an interface. Will this filter block every address that is within the apply-path, or only those attached to interfaces? I don't want to block everything, just the addresses on specific interfaces. 

     

    Thanks



  • 4.  RE: Block ICMP Interface Specific - Packet Mode

     
    Posted 10-05-2017 19:06

    You need to apply the filter to the loopback interface. It will match the IP address only, not the subnet.



  • 5.  RE: Block ICMP Interface Specific - Packet Mode

    Posted 10-05-2017 19:10

    Ok, I think I have it now. 

     

    I applied the filter to lo0 inbound and it is working as intended. 

     

    Can you clarify my understanding that applying such filters to the loopback interface only affects those services when they involve the router/routing engine itself, and does not prevent the passage of them through the router? 

     

    I would like to block SSH to all ports except the management port. Can I assume that doing so (and excluding the management port from the filter) will allow me to still SSH through the router to another device after the connection travels through the SRX? 



  • 6.  RE: Block ICMP Interface Specific - Packet Mode

    Posted 10-05-2017 19:39

    This is what I ended up with: 

     

    family inet {
        filter Block-ICMP-to-SRX {
            term term0 {
                from {
                    source-address {
                        172.20.20.0/24;
                    }
                }
                then accept;
            }
            term term1 {
                from {
                    destination-prefix-list {
                        SRX-Interface-IPs;
                    }
                    protocol icmp;
                    icmp-type echo-request;
                }
                then {
                    discard;
                }
            }
            term term2 {
                from {
                    protocol tcp;
                    destination-port [ ssh telnet ];
                }
                then {
                    discard;
                }
            }
            term term3 {
                then accept;
            }
        }
    }
    

     

    Thanks for the help, I'll mark your solution as correct. 

     

    Cheers!
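    For reference, here is the whole approach from this thread (the apply-path prefix-list, the filter, and its application to lo0) pulled together in set format. This is an added example, not config from any of the posts; it assumes the management interface is fxp0 and the management subnet is 172.20.20.0/24 as in the final config above, and the # lines are annotations.

```junos
# Prefix-list that expands to every inet address configured on the box
set policy-options prefix-list SRX-Interface-IPs apply-path "interfaces <*> unit <*> family inet address <*>"
# Assumed: management interface is fxp0; this list expands only to its address
set policy-options prefix-list SRX-Mgmt-IPs apply-path "interfaces fxp0 unit <*> family inet address <*>"

# Term order matters: the first matching term wins
# 1. Keep the management address reachable (ping and ssh) from the management subnet
set firewall family inet filter Block-ICMP-to-SRX term allow-mgmt from source-address 172.20.20.0/24
set firewall family inet filter Block-ICMP-to-SRX term allow-mgmt from destination-prefix-list SRX-Mgmt-IPs
set firewall family inet filter Block-ICMP-to-SRX term allow-mgmt then accept

# 2. Drop echo-requests addressed to any of the SRX's own addresses and count them
set firewall family inet filter Block-ICMP-to-SRX term drop-echo from destination-prefix-list SRX-Interface-IPs
set firewall family inet filter Block-ICMP-to-SRX term drop-echo from protocol icmp
set firewall family inet filter Block-ICMP-to-SRX term drop-echo from icmp-type echo-request
set firewall family inet filter Block-ICMP-to-SRX term drop-echo then count dropped-echo
set firewall family inet filter Block-ICMP-to-SRX term drop-echo then discard

# 3. Drop ssh/telnet addressed to the SRX itself on every other address
set firewall family inet filter Block-ICMP-to-SRX term drop-mgmt-proto from destination-prefix-list SRX-Interface-IPs
set firewall family inet filter Block-ICMP-to-SRX term drop-mgmt-proto from protocol tcp
set firewall family inet filter Block-ICMP-to-SRX term drop-mgmt-proto from destination-port [ ssh telnet ]
set firewall family inet filter Block-ICMP-to-SRX term drop-mgmt-proto then discard

# 4. Everything else host-bound (routing protocols, DNS replies, ...) is accepted
set firewall family inet filter Block-ICMP-to-SRX term allow-rest then accept

# Apply as an input filter on lo0: only traffic destined to the routing engine
# is evaluated here, so transit ICMP and SSH through the SRX are unaffected
set interfaces lo0 unit 0 family inet filter input Block-ICMP-to-SRX

# Verification after commit:
#   show policy-options | display inheritance   (confirms what each apply-path expanded to)
#   run show firewall filter Block-ICMP-to-SRX  (dropped-echo counter should rise while pinging an SRX address)
```

    Because every address (including fxp0) lands in SRX-Interface-IPs, the accept term for the management address has to come before the discard terms; drop the SRX-Mgmt-IPs match from allow-mgmt if you want the management subnet to reach any SRX address.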