vSRX


Why isn't this Firewall filter working?

  • 1.  Why isn't this Firewall filter working?

    Posted 18 days ago

    I've got this applied to an interface that has an IP address of 10.4.2.17/29

    However, I can still SSH to .18 from a subnet other than the .238 subnet.

    What do I have wrong?


    term A {
        from {
            source-address {
                192.168.238.32/32;
            }
            destination-address {
                10.4.2.16/29;
            }
            destination-port [ ssh https ];
        }
        then accept;
    }
    term B {
        from {
            source-address {
                0.0.0.0/0;
            }
            destination-address {
                10.4.2.16/29;
            }
            destination-port [ ssh https ];
        }
        then {
            discard;
        }
    }
    term C {
        then accept;
    }


  • 2.  RE: Why isn't this Firewall filter working?

    Posted 18 days ago
    In which direction have you applied the firewall filter? From what I understand of your requirements it should be applied in the outbound direction (firewall family inet filter output <filter-name>).

    ------------------------------
    --
    Jonas Hauge Klingenberg - Juniper Ambassador
    ------------------------------



  • 3.  RE: Why isn't this Firewall filter working?

    Posted 18 days ago

    Well you just put my brain in a pretzel!

    Why would that be outbound?

    The flow would start from outside the interface, and the destination (10.4.x.x) would be inside said interface.




  • 4.  RE: Why isn't this Firewall filter working?

    Posted 18 days ago
    Firewall filters are seen from the router point of view.

    Example: traffic received on ge-0/0/0.0 on a Junos device will be evaluated by the "filter input <filter-name>", whereas traffic sent out of the interface is evaluated by the "filter output <filter-name>".

    In your case traffic is received on interface X and sent out on interface Y with an IP of 10.4.2.17/29... and with your provided filter, it has to be added on the output chain.


    ------------------------------
    --
    Jonas Hauge Klingenberg - Juniper Ambassador
    ------------------------------
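    Putting the two answers together, here is a complete configuration in the shape the thread describes: the filter from the original post, applied in the output direction on the interface that holds 10.4.2.17/29. This is an added example, not configuration from the poster or from Juniper; the filter name PROTECT-LAN, the interface ge-0/0/1 and the counter name are assumptions. It also adds "protocol tcp" to the port-matching terms (destination-port alone matches the port field of any protocol) and a counter on the discard term so the drops can be verified.

```junos
/* Constructed example: filter name, interface and counter name are assumptions. */
firewall {
    family inet {
        filter PROTECT-LAN {
            /* A: the management host may reach the LAN on ssh/https */
            term A {
                from {
                    source-address {
                        192.168.238.32/32;
                    }
                    destination-address {
                        10.4.2.16/29;
                    }
                    protocol tcp;
                    destination-port [ ssh https ];
                }
                then accept;
            }
            /* B: any other source to the LAN on ssh/https is counted and dropped */
            term B {
                from {
                    destination-address {
                        10.4.2.16/29;
                    }
                    protocol tcp;
                    destination-port [ ssh https ];
                }
                then {
                    count ssh-https-denied;
                    discard;
                }
            }
            /* C: everything else passes */
            term C {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                /* output: evaluated for traffic the router SENDS onto 10.4.2.16/29 */
                filter {
                    output PROTECT-LAN;
                }
                address 10.4.2.17/29;
            }
        }
    }
}
```

    After committing, "show firewall filter PROTECT-LAN" shows the ssh-https-denied counter incrementing when an unauthorised source tries to reach .18 on SSH.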



  • 5.  RE: Why isn't this Firewall filter working?

    Posted 18 days ago

    Oh duh.


    It can't apply an ACL until it knows where the traffic is destined!