SRX

Firewall Filter Issues - Allow DHCP but block RFC1918 SRX100

  • 1.  Firewall Filter Issues - Allow DHCP but block RFC1918 SRX100

    Posted 03-30-2017 07:53

    Hi All,

     

    I want to segregate vlan 90 from the rest of my network so it can't access any private addresses except one, which is 192.168.45.1. This vlan will be used for payments so it needs to be PCI compliant, and that address is the payment server.

     

    I also want to run a DHCP server so that handheld payment devices can be assigned addresses dynamically.

     

    With the config I've applied, which I'll paste below, DHCP works fine; however, I'm able to ping other private subnets at other sites when I source traffic from the gateway:

    E.g. I'm able to get a response from 192.168.46.254, 10.128.22.254 etc. when sourcing from 10.128.92.254

     

    Here is my relevant config:

     

    set interfaces fe-0/0/0 vlan-tagging
    set interfaces fe-0/0/1 unit 90 vlan-id 90
    set interfaces fe-0/0/1 unit 90 family inet filter input REJECT_RFC1918_IN
    set interfaces fe-0/0/1 unit 90 family inet filter output REJECT_RFC1918_OUT
    set interfaces fe-0/0/1 unit 90 family inet address 10.128.92.254/24

    set policy-options prefix-list RFC_1918 10.0.0.0/8
    set policy-options prefix-list RFC_1918 172.16.0.0/12
    set policy-options prefix-list RFC_1918 192.168.0.0/16

    set firewall family inet filter REJECT_RFC1918_IN term allow-UDP from protocol udp
    set firewall family inet filter REJECT_RFC1918_IN term allow-UDP from port 67
    set firewall family inet filter REJECT_RFC1918_IN term allow-UDP from port 68
    set firewall family inet filter REJECT_RFC1918_IN term allow-UDP then accept
    set firewall family inet filter REJECT_RFC1918_IN term allow-specific from destination-address 192.168.45.1/32
    set firewall family inet filter REJECT_RFC1918_IN term allow-specific then accept
    set firewall family inet filter REJECT_RFC1918_IN term deny from destination-prefix-list RFC_1918
    set firewall family inet filter REJECT_RFC1918_IN term deny then discard
    set firewall family inet filter REJECT_RFC1918_IN term allow then accept
    set firewall family inet filter REJECT_RFC1918_OUT term allow-UDP from protocol udp
    set firewall family inet filter REJECT_RFC1918_OUT term allow-UDP from port 67
    set firewall family inet filter REJECT_RFC1918_OUT term allow-UDP from port 68
    set firewall family inet filter REJECT_RFC1918_OUT term allow-UDP then accept
    set firewall family inet filter REJECT_RFC1918_OUT term allow-specific from source-address 192.168.45.1/32
    set firewall family inet filter REJECT_RFC1918_OUT term allow-specific then accept
    set firewall family inet filter REJECT_RFC1918_OUT term deny from source-prefix-list RFC_1918
    set firewall family inet filter REJECT_RFC1918_OUT term deny then discard
    set firewall family inet filter REJECT_RFC1918_OUT term allow then accept

     

    Please kindly advise if I've done the firewall filter wrong.

     

    Thanks a bunch!



  • 2.  RE: Firewall Filter Issues - Allow DHCP but block RFC1918 SRX100

     
    Posted 03-30-2017 08:28

    Hello,

    When you try to ping those destinations from source 10.128.92.254, it will hit the out filter, and the deny rule has only a source address to match. So it never hits that and only hits the default rule to allow.

     

    So my suggestion will be to have a single filter with all these rule sets and configure it as both the input and output filter.

     

    set firewall family inet filter REJECT_RFC1918 term allow-UDP from protocol udp
    set firewall family inet filter REJECT_RFC1918 term allow-UDP from port 67
    set firewall family inet filter REJECT_RFC1918 term allow-UDP from port 68
    set firewall family inet filter REJECT_RFC1918 term allow-UDP then accept
    set firewall family inet filter REJECT_RFC1918 term allow-specific-1 from destination-address 192.168.45.1/32
    set firewall family inet filter REJECT_RFC1918 term allow-specific-1 then accept

    set firewall family inet filter REJECT_RFC1918 term allow-specific-2 from source-address 192.168.45.1/32
    set firewall family inet filter REJECT_RFC1918 term allow-specific-2 then accept

    set firewall family inet filter REJECT_RFC1918 term deny-1 from destination-prefix-list RFC_1918
    set firewall family inet filter REJECT_RFC1918 term deny-1 then discard

    set firewall family inet filter REJECT_RFC1918 term deny-2 from source-prefix-list RFC_1918
    set firewall family inet filter REJECT_RFC1918 term deny-2 then discard

    set firewall family inet filter REJECT_RFC1918 term allow then accept

     

     

    Make sure to do a commit confirm to test this before implementation.
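To see how the filters in posts 1 and 2 actually evaluate traffic from vlan 90, here is an added Python model of Junos stateless filter semantics (terms tried in configured order, conditions inside one term ANDed, first match wins); it is not Junos code and not from either poster. The sample packets and the ONE_TERM variant, which shows what happens if the two allow-specific conditions end up in a single term, are constructed for illustration.

```python
import ipaddress
from collections import namedtuple
# Minimal model of Junos stateless filter evaluation: terms are tried in
# configured order, all 'from' conditions in one term must match (AND), an
# address list matches if any prefix does (OR), first matching term wins.
RFC_1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
Packet = namedtuple("Packet", "src dst proto sport dport", defaults=(0, 0))

def in_prefixes(addr, prefixes):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)

def term_matches(cond, pkt):
    checks = {
        "protocol": lambda v: pkt.proto == v,
        "port": lambda v: pkt.sport in v or pkt.dport in v,  # src OR dst port
        "source-address": lambda v: in_prefixes(pkt.src, v),  # or prefix-list
        "destination-address": lambda v: in_prefixes(pkt.dst, v),
    }
    return all(checks[k](v) for k, v in cond.items())  # empty cond matches all

def evaluate(terms, pkt):
    """Return (term name, action) of the first term whose conditions match."""
    for name, cond, action in terms:
        if term_matches(cond, pkt):
            return name, action
    return "implicit", "discard"  # Junos discards what no term matched

# REJECT_RFC1918_IN from the question, terms in configured order.
REJECT_RFC1918_IN = [
    ("allow-UDP", {"protocol": "udp", "port": {67, 68}}, "accept"),
    ("allow-specific", {"destination-address": ["192.168.45.1/32"]}, "accept"),
    ("deny", {"destination-address": RFC_1918}, "discard"),
    ("allow", {}, "accept"),
]

# Pitfall: source- and destination-address conditions given to the SAME term
# are ANDed, so this term only fits 192.168.45.1 -> 192.168.45.1 traffic.
ONE_TERM = [
    ("allow-specific", {"destination-address": ["192.168.45.1/32"],
                        "source-address": ["192.168.45.1/32"]}, "accept"),
    ("deny-1", {"destination-address": RFC_1918}, "discard"),
    ("allow", {}, "accept"),
]

# Constructed sample traffic from a handheld on vlan 90.
DHCP = Packet("0.0.0.0", "255.255.255.255", "udp", 68, 67)
TO_PAYMENT = Packet("10.128.92.10", "192.168.45.1", "tcp", 51000, 443)
TO_OTHER_SITE = Packet("10.128.92.10", "192.168.46.254", "icmp")
TO_INTERNET = Packet("10.128.92.10", "203.0.113.10", "tcp", 51001, 443)
```

Run `evaluate(REJECT_RFC1918_IN, pkt)` on each sample: DHCP and payment-server traffic are accepted, the other site is discarded by `deny`, and the Internet falls through to `allow`; with ONE_TERM the payment-server packet is discarded by `deny-1` because its source is not 192.168.45.1.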



  • 3.  RE: Firewall Filter Issues - Allow DHCP but block RFC1918 SRX100
    Best Answer

    Posted 04-05-2017 06:37

    Thanks for your feedback!

     

    What I ended up doing was just having an input filter which seemed to solve the issue.