Switching

Expand all | Collapse all

EX 2200 firewall filter blocks everything

Jump to Best Answer
  • 1.  EX 2200 firewall filter blocks everything

    Posted 11-16-2017 00:03

     Hello.

    The task is allow traffic from hosts1 (192.168.1.5) to host2 (192.168.1.10) and block any other.

    When set filter

     

    firewall {
             family ethernet-switching {
                      filter Allow {
                               term term1 {
                               from {
                                        source-address {
                                        192.168.1.5/32;
                                        }
                                        destination-address {
                                        192.168.1.10/32;
                                        }
                               }
                               then accept;
                               }
                               term term2 {
                               from {
                                        source-address {
                                        192.168.1.10/32;
                                        }
                                        destination-address {
                                        192.168.1.5/32;
                                        }
                               }
                               then accept;
                               }
                      }
             }
    }

     

    on port 

    ge-0/0/5 {
           unit 0 {
                   family ethernet-switching {
                      filter {
                         input Allow;
                       }
                   }
              }
    }

     

    or on vlan, than all traffic drops.



  • 2.  RE: EX 2200 firewall filter blocks everything

    Posted 11-16-2017 01:23

    That is the nature of the firewall filters.

     

    "If none of the filters match the traffic, it then applies the default action.

    Note: Bydefault, each firewall filter ends with an implicit deny-all term. The final default action is to discard all packets. The packets that do not match any of the configured match conditions in a firewall filter are silently discarded."

     

    Pl refer the kb fyr.

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB13057

     

    Hence, based your configuration, it works as expected.

     

    Apart from host to host communication, any other traffic if you would like to allow, then you will have to explicity permit it..Otherwise it will hit the default-deny term which is happening currently.

     



  • 3.  RE: EX 2200 firewall filter blocks everything
    Best Answer

    Posted 11-16-2017 03:01

    Hello,

    Since this is "family ethernet-switching" filter, it inspects ARP as well but You haven't got a permit term for ARP.

    Hence all Your ARP requests even for permitted hosts hit an implicit deny term.

    Your filter should look like:

    firewall {
             family ethernet-switching {
                      filter Allow {
                               term term1 {
                               from {
                                        source-address {
                                        192.168.1.5/32;
                                        }
                                        destination-address {
                                        192.168.1.10/32;
                                        }
                               }
                               then accept;
                               }
                               term term2 {
                               from {
                                        source-address {
                                        192.168.1.10/32;
                                        }
                                        destination-address {
                                        192.168.1.5/32;
                                        }
                               }
                               then accept;
                               }
                               term term3 {
                               from {
                                        ether-type arp;
                                }
                               then accept;
                               }
                      }
             }
    }

    HTH

    Thx

    Alex



  • 4.  RE: EX 2200 firewall filter blocks everything

    Posted 11-16-2017 17:45

    Excellent!

    It works. I puzzled over this problem for a long time.  Thanks a lot.