Switching


Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.
  • 1.  Juniper firewall filter config help required

    Posted 03-11-2019 08:29

    Hi, I want to define a firewall filter on our Juniper router. Can you tell me what the configuration for that would be? My requirement is that it should allow access from the source IP address subnet 215.195.67.0/22 for TCP ports 443 and 22, bi-directionally.


    Thanks 



  • 2.  RE: Juniper firewall filter config help required
    Best Answer

    Posted 03-11-2019 09:07

    The given IP address range 215.195.67.0/22 is part of 215.195.64.0/22. You have to use either the complete network 215.195.64.0/22 or just the 215.195.67.0/24 network, depending on your requirement.


    set firewall family inet filter RE-PROTECT term MGMT from source-address 215.195.64.0/22
    set firewall family inet filter RE-PROTECT term MGMT from protocol tcp
    set firewall family inet filter RE-PROTECT term MGMT from port ssh
    set firewall family inet filter RE-PROTECT term MGMT from port https
    set firewall family inet filter RE-PROTECT term MGMT then accept

    set interfaces lo0 unit 0 family inet filter input RE-PROTECT




  • 3.  RE: Juniper firewall filter config help required

    Posted 03-11-2019 11:17

    Make sure you allow any other protocols needed. When you apply a firewall filter to the loopback interface you are filtering traffic going to the routing engine. The default action of every firewall filter is DISCARD, so any other protocol (for instance OSPF, SNMP, or BGP) needed by your router to exchange information with other routers, or for management, will be discarded. What you can do is add a couple more terms to the filter recommended by Nellikka.

    ### Term MGMT1 accepts SSH, or HTTPS only from source-address 215.195.64.0/22

    set firewall family inet filter RE-PROTECT term MGMT1 from source-address 215.195.64.0/22
    set firewall family inet filter RE-PROTECT term MGMT1 from protocol tcp
    set firewall family inet filter RE-PROTECT term MGMT1 from port ssh ## this matches both src. and dest. port number
    set firewall family inet filter RE-PROTECT term MGMT1 from port https
    set firewall family inet filter RE-PROTECT term MGMT1 then accept


    ### Term MGMT2 rejects  SSH, or HTTPS from any other source address.

    set firewall family inet filter RE-PROTECT term MGMT2 from protocol tcp
    set firewall family inet filter RE-PROTECT term MGMT2 from port ssh
    set firewall family inet filter RE-PROTECT term MGMT2 from port https
    set firewall family inet filter RE-PROTECT term MGMT2 then reject


    ### Term MGMT3 accepts everything else (OSPF, BGP, SNMP, or any other protocols needed by your router)

    set firewall family inet filter RE-PROTECT term MGMT3 then accept


    You can also add more terms as needed, to permit only the traffic required by your router, from trusted devices. Maybe a term for BGP that only allows some addresses. Maybe another term for SNMP, and so on. 
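    To see why the extra terms matter, here is an added Python model of Junos first-match filter evaluation (written for this thread, not code from any of the posters). It runs the single-term filter from post 2 and the three-term filter from post 3 over constructed sample packets, and also shows the prefix-boundary point from post 2; all addresses other than the 215.195.64.0/22 range are made up.

```python
import ipaddress

class Term:
    """One term of a Junos inet filter (subset: source-address, protocol, port)."""
    def __init__(self, name, action, src=None, proto=None, ports=()):
        self.name, self.action = name, action
        self.src = ipaddress.ip_network(src) if src else None
        self.proto = proto
        self.ports = set(ports)          # Junos "port" matches source OR destination port

    def matches(self, pkt):
        if self.src and ipaddress.ip_address(pkt["src"]) not in self.src:
            return False
        if self.proto and pkt["proto"] != self.proto:
            return False
        if self.ports and not ({pkt.get("sport"), pkt.get("dport")} & self.ports):
            return False
        return True

def evaluate(terms, pkt):
    """First matching term wins; a packet matching no term hits the implicit discard."""
    for t in terms:
        if t.matches(pkt):
            return t.name, t.action
    return "implicit", "discard"

def normalize(prefix):
    """Post 2's point: a prefix not on its mask boundary really means the enclosing network."""
    return str(ipaddress.ip_network(prefix, strict=False))

# The filters as posted: post 2 (one term) and post 3 (three terms).
POST2 = [Term("MGMT", "accept", "215.195.64.0/22", "tcp", (22, 443))]
POST3 = [Term("MGMT1", "accept", "215.195.64.0/22", "tcp", (22, 443)),
         Term("MGMT2", "reject", None, "tcp", (22, 443)),
         Term("MGMT3", "accept")]

# Constructed sample packets arriving on lo0, i.e. destined to the routing engine.
PKTS = {
    "ssh_trusted":   {"src": "215.195.65.10", "proto": "tcp", "sport": 51000, "dport": 22},
    "ssh_untrusted": {"src": "10.0.0.5",      "proto": "tcp", "sport": 51001, "dport": 22},
    "ospf_hello":    {"src": "192.0.2.2",     "proto": "ospf"},
    "snmp_get":      {"src": "10.0.0.9",      "proto": "udp", "sport": 40000, "dport": 161},
}

def run(terms):
    return {name: evaluate(terms, pkt) for name, pkt in PKTS.items()}

if __name__ == "__main__":
    print(normalize("215.195.67.0/22"))
    for label, terms in (("post 2", POST2), ("post 3", POST3)):
        print(label, run(terms))
```

With the post 2 filter alone the OSPF hello falls through to the implicit discard, which is exactly the adjacency loss post 3 warns about; with MGMT3 present it is accepted while SSH from an untrusted source still gets the reject from MGMT2.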




  • 4.  RE: Juniper firewall filter config help required

    Posted 03-11-2019 23:30

    Sample config; tweak it based on your requirement. To know what is expected on your box, run the command "show ddos-protection protocols statistics terse", which will give you an idea of the existing control traffic towards the box.


    filter RE_Protect {
        term SSH_HTTPS {
            from {
                /* prefix-list Infra holds the trusted management sources and must be defined under policy-options */
                source-prefix-list {
                    Infra;
                }
                protocol tcp;
                /* "port" matches either source or destination port */
                port ssh;
                port https;
            }
            then accept;
        }
        term Icmp-Echo-Request {
            from {
                source-prefix-list {
                    Infra;
                }
                protocol icmp;
                icmp-type echo-request;
            }
            then {
                /* rate-limit pings to the RE with a policer of your own */
                policer <custom>_drop;
                accept;
            }
        }
        term Icmp-Echo-Reply {
            from {
                source-prefix-list {
                    Infra;
                }
                protocol icmp;
                icmp-type echo-reply;
            }
            then {
                policer <custom>_drop;
                accept;
            }
        }
        /* remaining terms, outlined only; fill in the match conditions your box needs */
        term Permit_Rsvp
        term Permit_Ldp
        term Permit_Bgp
        term Permit_Ospf
        term Permit_Snmp
        term Permit_Netconf
        term Permit_Dhcp
        term Permit_Vrrp
        term DROP_REST
    }




  • 5.  RE: Juniper firewall filter config help required

    Posted 03-13-2019 13:32

    Thanks Nellikka, Yasmine and Python for the help. Really appreciate it.