SRX

Hello everyone,

What would be the best method to set up a simple firewall rule for allowing established connections from the internet to a client machine?

I have done this in my old router firewall configs no problem, but with the SRX there are different concepts, namely firewall policies vs firewall filters.  In setting up firewall policies from the WAN to LAN zone, I don't see anything that just allows established connections back in.

Any insight would be most appreciated.

Thank you,

A.V.

set security nat destination pool esxi address 192.168.55.33/32

set security nat destination rule-set esxi from zone dmz
set security nat destination rule-set esxi from zone untrust
set security nat destination rule-set esxi rule esxi match source-address 0.0.0.0/0
set security nat destination rule-set esxi rule esxi match destination-address 172.27.102.38/32
set security nat destination rule-set esxi rule esxi then destination-nat pool esxi

set security policies from-zone dmz to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone dmz to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone dmz to-zone untrust policy trust-to-untrust match application any
set security policies from-zone dmz to-zone untrust policy trust-to-untrust then permit

these configue should help you get start.

this is the whole confirguration for you.  it works like following,  traffic from untrust zone towards to dmz zone.

with any source IP to  the interface's IP address of untruse zone (fe-0/0/0) and by openning tcp port 9900 for internal http server at tcp port 80 with IP address 172.27.103.2

set interfaces fe-0/0/0 unit 0 family inet address 192.168.17.254/24

set interfaces fe-0/0/1 unit 0 family inet address 172.27.103.2/24

 
set routing-options static route 0.0.0.0/0 next-hop 192.168.17.250

set security nat destination pool port9900 address 172.27.103.2/32
set security nat destination pool port9900 address port 80

set security nat destination rule-set port9900 from zone untrust
set security nat destination rule-set port9900 rule 1 match source-address 0.0.0.0/0
set security nat destination rule-set port9900 rule 1 match destination-address 192.168.17.254/32
set security nat destination rule-set port9900 rule 1 match destination-port 9900
set security nat destination rule-set port9900 rule 1 then destination-nat pool port9900

set security policies from-zone untrust to-zone dmz policy permit_9900 match source-address any
set security policies from-zone untrust to-zone dmz policy permit_9900 match destination-address int-9900
set security policies from-zone untrust to-zone dmz policy permit_9900 match application junos-http
set security policies from-zone untrust to-zone dmz policy permit_9900 then permit

set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic protocols all
set security zones security-zone dmz address-book address int-9900 172.27.103.2/32
set security zones security-zone dmz interfaces fe-0/0/1.0 host-inbound-traffic system-services all
set security zones security-zone dmz interfaces fe-0/0/1.0 host-inbound-traffic protocols all

So basically, with the trust to untrust policy, it's implicit that the established connections will be allowed back in?

With the trust to untrust policy, when traffic is initiated from a source A in trust zone to dest B in untrust, the return traffic belonging to the same session is implicitly allowed back from untrust to trust.

However, for traffic or a new session sourced from B to A, needs another policy from untrust to trust.

Hope this helps.

Thanks and Regards,

Pradeep kumar M