I have a firewall filter applied to my loopback to lock down management traffic to the SRX. This works fine with no issues. I need to allow outbound DNS requests 'from' the firewall (the firewall is doing name resolution) I have seen previously you can do similar things with TCP traffic (ssh) where you use the tcp-established option to allow being able initiate to initiate ssh connections from the SRX to another device. I want to do the same thing for DNS requests (udp 53) How would I achieve the same thing? I want to have the policy as generic as possible so It can be rolled out to other devices so I don't want to specifiy the source IP (the loopback)
Any tips appreciated.
Normally the Loopback filter to lockdown management access works in "Input filter" and should not impact any traffic generated from the firewall to outside . Since DNS is generated from Firewall to outside , it will only check for any output filter on loopback/external interface . So this management filter should not cause any impact for DNS originated from the device .
If you are worried about the return packet from DNS server to the SRX , probebaly you can add a filter term to allow UDP 53 .
Thanks for clarifying, ye that makes sense. It defintely doesn't work with the filter applied but that's probably the return traffic being blocked like you say (mgmgt filters not stateful) The problem that I have is that if I allow it on the management filter then if anybody ever set the firewall was a DNS proxy then it would allow name resolution requests from the internet. That's why I'm hesitant to do that?
Understood . Other option which I can think of, is to have a source specificed for the name-server in SRX and allow that IP on the filter . So that the DNS proxy will be taking the loopback , and any host generated DNS will take the source IP mentioned .
set system name-server 126.96.36.199 source-address <ip.addr>
Yes that's an option also. I've been thinking about it and I might allow 'from' the specific DNS server IPs e.g. Cloudflare, that way it will only be allowing the return traffic from those name servers and then the filter will still be generic because the name server will be the same across all firewalls. Thanks for all your help and suggestions.
Thanks , If this helps , please make sure to post the results and make as solved for furture references .
set firewall filter mgmt-plane term DNS from source-prefix-list DNS-SERVERSset firewall filter mgmt-plane term DNS from protocol tcpset firewall filter mgmt-plane term DNS from protocol udpset firewall filter mgmt-plane term DNS from port domainset firewall filter mgmt-plane term DNS then accept
You can use something like :
set firewall filter Protect-RE term DNS from protocol udpset firewall filter Protect-RE term DNS from source-port 53set firewall filter Protect-RE term DNS then acceptset firewall filter Protect-RE term DNS-1 from protocol udpset firewall filter Protect-RE term DNS-1 from destination-port 53set firewall filter Protect-RE term DNS-1 then accept