vSRX


Why isn't this Firewall filter working?

  • 1.  Why isn't this Firewall filter working?

    Posted 02-16-2021 21:33

    I've got this applied to an interface that has an IP address of 10.4.2.17/29

    However, I can still SSH to .18 from a subnet other than the .238 subnet.

    What do I have wrong?


    term A {
        from {
            source-address {
                192.168.238.32/32;
            }
            destination-address {
                10.4.2.16/29;
            }
            destination-port [ ssh https ];
        }
        then accept;
    }
    term B {
        from {
            source-address {
                0.0.0.0/0;
            }
            destination-address {
                10.4.2.16/29;
            }
            destination-port [ ssh https ];
        }
        then {
            discard;
        }
    }
    term C {
        then accept;
    }


  • 2.  RE: Why isn't this Firewall filter working?

    Posted 02-17-2021 02:58
    In which direction have you applied the firewall filter? From what I understand of your requirements it should be applied in the outbound direction (firewall family inet filter output <filter-name>).

    ------------------------------
    --
    Jonas Hauge Klingenberg - Juniper Ambassador
    ------------------------------



  • 3.  RE: Why isn't this Firewall filter working?

    Posted 02-17-2021 07:37

    Well, you just put my brain in a pretzel!

    Why would that be outbound?

    The flow would start from outside the interface, and the destination (10.4.x.x) would be inside said interface.




  • 4.  RE: Why isn't this Firewall filter working?

    Posted 02-17-2021 08:29

    Oh, duh.


    It can't apply an ACL until it knows where the traffic is destined!




  • 5.  RE: Why isn't this Firewall filter working?

    Posted 02-17-2021 08:21
    Firewall filters are seen from the router's point of view.

    Example: traffic received on ge-0/0/0.0 on a Junos device is evaluated by the "filter input <filter-name>", whereas traffic sent out of the interface is evaluated by the "filter output <filter-name>".

    In your case, traffic is received on interface X and sent out on interface Y with an IP of 10.4.2.17/29... and with your provided filter, it has to be added on the output chain.


    ------------------------------
    --
    Jonas Hauge Klingenberg - Juniper Ambassador
    ------------------------------
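Post 5's direction advice applied to the filter from post 1, as an added example in Junos set format that is not from the thread (the filter name RESTRICT-MGMT, the interface ge-0/0/1 and the counter names are assumptions). The `source-address 0.0.0.0/0` of term B is left out because a term with no source-address match already covers every source, and `protocol tcp` is added because Junos recommends pairing a port match with a protocol match.

```junos
# Assumed filter name RESTRICT-MGMT. Terms are evaluated top to bottom and the
# first matching term wins; a filter ends in an implicit discard.
# Term A: the management host may reach SSH/HTTPS on the 10.4.2.16/29 LAN.
set firewall family inet filter RESTRICT-MGMT term A from source-address 192.168.238.32/32
set firewall family inet filter RESTRICT-MGMT term A from destination-address 10.4.2.16/29
set firewall family inet filter RESTRICT-MGMT term A from protocol tcp
set firewall family inet filter RESTRICT-MGMT term A from destination-port [ ssh https ]
set firewall family inet filter RESTRICT-MGMT term A then count mgmt-allowed
set firewall family inet filter RESTRICT-MGMT term A then accept
# Term B: any other source reaching SSH/HTTPS on the LAN is counted, then dropped.
set firewall family inet filter RESTRICT-MGMT term B from destination-address 10.4.2.16/29
set firewall family inet filter RESTRICT-MGMT term B from protocol tcp
set firewall family inet filter RESTRICT-MGMT term B from destination-port [ ssh https ]
set firewall family inet filter RESTRICT-MGMT term B then count mgmt-denied
set firewall family inet filter RESTRICT-MGMT term B then discard
# Term C: everything else passes (without it the implicit discard would drop it).
set firewall family inet filter RESTRICT-MGMT term C then accept
# Attach the filter in the OUTPUT direction on the interface holding 10.4.2.17/29
# (assumed to be ge-0/0/1). Packets arriving on other interfaces and bound for
# .18 leave the device through this interface, so output is the only direction
# in which the filter sees them; an input filter here would only see traffic
# coming from the .16/29 LAN itself.
set interfaces ge-0/0/1 unit 0 family inet address 10.4.2.17/29
set interfaces ge-0/0/1 unit 0 family inet filter output RESTRICT-MGMT
```

After committing, `show firewall filter RESTRICT-MGMT` shows the two counters; mgmt-denied incrementing while SSH to .18 is attempted from a source other than 192.168.238.32 confirms the filter is now in the traffic path.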