Message Image  

Switching

 View Only
last person joined: 2 days ago 

Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.
  • 1.  Firewall filter, need a little help

    Posted 05-19-2019 16:15

    I am trying to set a firewall filter that blocks NTP traffic from all sources except one server on my campus which has an IP address of 10.121.125.101. The commands are below along with what the code looks like after that. When I did a commit confirmed I could not ping the EX4200 switch nor hit the J-Web interface. What am I missing?

     

    set interfaces lo0 unit 0 family inet address 127.0.0.1/32

    set firewall family inet filter ntp term allow-ntp from source-address 10.121.125.101

    set firewall family inet filter ntp term allow-ntp from source-address 127.0.0.1

    set firewall family inet filter ntp term allow-ntp from protocol udp

    set firewall family inet filter ntp term allow-ntp from source-port ntp

    set firewall family inet filter ntp term allow-ntp then accept

    set firewall family inet filter ntp term block-ntp from protocol udp

    set firewall family inet filter ntp term block-ntp from source-port ntp

    set firewall family inet filter ntp term block-ntp then discard

    set interfaces lo0 unit 0 family inet filter input ntp

     

    [edit interfaces]

    +   lo0 {

    +       unit 0 {

    +           family inet {

    +               filter {

    +                   input ntp;

    +               }

    +               address 127.0.0.1/32;

    +           }

    +       }

    +   }

    [edit]

    +  firewall {

    +      family inet {

    +          filter ntp {

    +              term allow-ntp {

    +                  from {

    +                      source-address {

    +                          10.121.125.101/32;

    +                          127.0.0.1/32;

    +                      }

    +                      protocol udp;

    +                      source-port ntp;

    +                  }

    +                  then accept;

    +              }

    +              term block-ntp {

    +                  from {

    +                      protocol udp;

    +                      source-port ntp;

    +                  }

    +                  then {

    +                      discard;

    +                  }

    +              }

    +          }

    +      }

    +  }



  • 2.  RE: Firewall filter, need a little help

    Posted 05-19-2019 16:25

    One last thing, the EX4200 I am working on is used for layer 2 only. All of our routing is done on a stack of EX4600s at the core of our network



  • 3.  RE: Firewall filter, need a little help

     
    Posted 05-19-2019 16:55
    You’re missing a final term to allow everything else through.

    set firewall family inet filter ntp term allow-everything-else then accept


  • 4.  RE: Firewall filter, need a little help

    Posted 05-19-2019 21:19

    I agree with Smicker, you need to allow everything else(add another term) at the end of the FF.

     

    When configuring FF, you need to know these 3 behaviors:

     

    If a term does not contain a from statement, the packet is considered to match and the action in the then statement of the term is taken.

    If a term does not contain a then statement, or if an action has not been configured in the then statement, and the packet matches the conditions in the from statement of the term, the packet is accepted.

    Every firewall filter contains an implicit deny statement at the end of the filter.

     

    https://www.juniper.net/documentation/en_US/junos/topics/concept/firewall-filter-ex-series-evaluation-understanding.html

     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too! 🙂



  • 5.  RE: Firewall filter, need a little help

    Posted 05-20-2019 10:27

    Well that did the trick, I now have a filter that at least is not filtering all traffic out! I do have one more issue, the filter is not doing what I hoped it would. We are using Nessus to do some internal scanning. Before implementing the firewall filter we were seeing this

    The remote NTP server responds to mode 6 queries. Devices that respond to these queries have the potential to be used in NTP amplification attacks. An unauthenticated, remote attacker could potentially exploit this, via a specially crafted mode 6 query, to cause a reflected denial of service condition.

     

    After putting in place the firewall filter, we are still getting the same thing. I was hoping any NTP request coming from Nessus would be discarded by the firewall filter and this vulnerability would be gone. Any ideas?



  • 6.  RE: Firewall filter, need a little help

    Posted 05-20-2019 15:09

    You ntp term needs to use destination port ntp instead of source port ntp.

     



  • 7.  RE: Firewall filter, need a little help

    Posted 05-20-2019 16:36

    Steve,

     

    I am not following you on this one. The EX4200 switch reaches out to my internal NTP server at 10.121.125.101 to get its time. Wouldn't the source of ntp traffic be 10.121.125.101? I got these firewall statements from several different articles on the web and all of them are structured with source address not destination

    https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10613&actp=METADATA

    http://sudomakeinstall.com/networking/juniper-ntp-and-protecting-the-routing-engine

    https://www.reddit.com/r/Juniper/comments/9r0cu3/locking_down_ex4200_ntp/

     

    The IP address of the switch itself is 10.121.6.30

     



  • 8.  RE: Firewall filter, need a little help
    Best Answer

    Posted 05-21-2019 03:10

    The vulnerabillty reported is that the switch is servicing as an ntp server so the requests that you need to block from the scanner will be the opposite of the filter you are applying.

     

    From your description, you are not using this as a ntp source as all so you won't need the allow term at all then just block inbound ntp requests and permit all else.

     



  • 9.  RE: Firewall filter, need a little help

    Posted 05-21-2019 10:07

    Steve,

    That worked, thanks for the clear explanation

    Dave



  • 10.  RE: Firewall filter, need a little help

    Posted 07-05-2020 10:22

    Hendorson ,

    Request you to share the configuration you have done to resolve this.