Switching

 View Only
last person joined: 3 days ago 

Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.
  • 1.  Firewall filter to accept traffic from tcp, udp except destined for ssh/telnet

    Posted 01-09-2018 09:23

    Hey all

    I need to configure firewall filter to accept traffic from a customized range of  TCP/UDP ports except destined to port ssh/telnet from source 192.168.1.0/25.

    How do I define customised range like an address book in srx

     



  • 2.  RE: Firewall filter to accept traffic from tcp, udp except destined for ssh/telnet
    Best Answer

     
    Posted 01-09-2018 09:58
    Hi Folks,
    Just my 2 cents on this,
    
    1. Block the content you dont want exclusively, like source-address + protocol tcp + port telnet/ssh
    
    [edit]
    labroot# show firewall family inet filter cust | display set              
    set firewall family inet filter cust term 1 from source-address 192.168.1.0/25
    set firewall family inet filter cust term 1 from protocol tcp
    set firewall family inet filter cust term 1 from destination-port telnet
    set firewall family inet filter cust term 1 from destination-port ssh
    set firewall family inet filter cust term 1 then log
    set firewall family inet filter cust term 1 then discard
    
    2. Allow what you want with range command destination-port range
    
    [edit]
    labroot# set firewall family inet filter cust term 2 from protocol tcp                  
    
    [edit]
    labroot# set firewall family inet filter cust term 2 from destination-?              
    Possible completions:
    > destination-address  Match IP destination address
    + destination-class    Match destination class
    + destination-class-except  Do not match destination class
    + destination-port     Match TCP/UDP destination port
    + destination-port-except  Do not match TCP/UDP destination port
    > destination-prefix-list  Match IP destination prefixes in named list
    [edit]
    labroot# set firewall family inet filter cust term 2 from destination-port?  
    Possible completions:
    + destination-port     Match TCP/UDP destination port
    + destination-port-except  Do not match TCP/UDP destination port
    [edit]
    labroot# set firewall family inet filter cust term 2 from destination-port ? 
    Possible completions:
      <range>              Range of values
      
    Example:
    Working One:
                term UDP_trace {
                    from {
                        protocol udp;
                        destination-port 33434-33534;
                    }
                    then {
                        policer udppolicer;
                        count trace;
                        accept;
                    }
                }
    
    Followed by desired drop allow; with a default drop action
    
    


  • 3.  RE: Firewall filter to accept traffic from tcp, udp except destined for ssh/telnet

    Posted 01-14-2018 04:13

    @Python. 

    Dear i have applied the said commands but i want to apply an exception , like want to give a subnet that can access the switch layer 3 gateway.



  • 4.  RE: Firewall filter to accept traffic from tcp, udp except destined for ssh/telnet

     
    Posted 01-14-2018 04:55

    Hi Ahmed-netsec,

    It’s much simple… You MUST always allow what you know/want exclusively and block the rest…

     

    Term 1 – Allow the IP for Interested Specific Subnet [Genuine] for TCP/UDP

     

    Sample: Allow all Trusted IP TTL,

     

                term TTL=1 {

                    from {

                        source-prefix-list {

                            Infra;

                        }

                        protocol udp;

                        ttl 1;

                        destination-port 33434-33523;

                    }

                    then {

                        policer 25k_drop;

                        accept;

                    }

                }

     

    Term 2 – Drop the rest of the traffic for any IP

     

    Last Term:

                term DENY_R {

                    then {

                        count deny_others;

                        log;

                        syslog;

                        discard;

                    }

                }