MX104 IPv6 filtering does not appear to be working.

  • 1.  MX104 IPv6 filtering does not appear to be working.

    Posted 06-05-2019 10:17

    I necro'd a thread https://forums.juniper.net/t5/Routing/IPv6-RE-filter-not-working/m-p/463405#M19729 and was requested that I create my own and link to it.  I have an MX104 that is having issues with locking down the SSH port.  In that thread they recommend trying to change the payload-protocol to next-header in the firewall due to the age of the JUNOS.  I am working on getting that done now.



  • 2.  RE: MX104 IPv6 filtering does not appear to be working.

    Posted 06-05-2019 10:24

    And that worked!  Thanks Sergei!



  • 3.  RE: MX104 IPv6 filtering does not appear to be working.
    Best Answer

     
    Posted 06-05-2019 11:17

    Hello Theredon,

     

    Glad to hear that your issue is resolved. Could you please mark this post as the accepted solution, as it would help other community members to find the solution faster if they face the same issue?

    The problem:

    I'm having a similar issue with an MX104 and no matter what I do with the inet6 filter, it will allow SSH connections from any host.  I'm running similar code to the OP, Junos 13.3R8.7, and my firewall appears similar to theirs as well, but nothing done has been able to secure SSH or Telnet sessions to the router, even setting the term to straight discard anything destined for the SSH port.
    
    family inet6 {
        filter ROUTER-PROTECT-v6 {
            term SSH {
                from {
                    source-address {
                        ::/0;
                        2604:1300:3700:ff::/64 except;
                    }
                    payload-protocol tcp;
                    destination-port ssh;
                }
                then {
                    count manage-discard-tcp;
                    discard;
                }
            }
            term TELNET {
                from {
                    source-address {
                        ::/0;
                        2604:1300:3700:ff::/64 except;
                    }
                    payload-protocol tcp;
                    destination-port telnet;
                }
                then {
                    count manage-discard-tcp;
                    discard;
                }
            }
    
    The same setup works fine for IPv4.

    And the solution:

    As your JUNOS is really old, can you please try replacing payload-protocol with next-header and check if it helps?

    Best regards,

    Sergii



  • 4.  RE: MX104 IPv6 filtering does not appear to be working.

    Posted 06-05-2019 15:44

    Well I spoke too soon, that did fix the issue I stated earlier, but has since created another issue, I am now no longer able to ping/traceroute/access ipv6 sites.  Once I pull the firewall from the lo0 interface it works fine.  Here is my entire firewall configuration, for both 4 and 6.  The inet 4 firewall works without issue and I'm just including it for comparison to the 6.

     

    https://pastebin.com/ryqmsBiM



  • 5.  RE: MX104 IPv6 filtering does not appear to be working.

     
    Posted 06-06-2019 04:57

    Can you please elaborate on what exactly isn't working now? Is the IPv6 filter with the next-header option dropping all incoming SSH packets now (and that's why you "lost access")? Regarding ping and traceroute issues, traceroute performed from a *nix system by default uses UDP, which will be dropped by your filter. As for the ping, I don't have any theory - our options are quite limited given the fact that your JUNOS is a bit old. Probably you'll have to play with different FF terms, check which term drops your packet and try to find an alternative that works in your release.

     

    HTH

     

    Best regards,

    Sergii



  • 6.  RE: MX104 IPv6 filtering does not appear to be working.

    Posted 06-06-2019 08:47

    Browsing IPv6 sites past this router on the internet, pinging those sites, or tracerouting to those sites.  It's as if this firewall is blocking all IPv6 traffic going through the router but not to the router.  The original problem I set out to fix, blocking SSH from everything but my IPv6 block, is working now, but no other IPv6 traffic bound for any destination past this router works.



  • 7.  RE: MX104 IPv6 filtering does not appear to be working.

     
    Posted 06-06-2019 14:13

    The task of protecting the RE against access from other networks is usually accomplished by a firewall filter applied to the loopback interface. Such a firewall filter will then be applied only to the traffic destined to the routing engine itself, and transit traffic will not be affected. Please check the following example (though it's for IPv4, the logic is clear) - Example: Configuring a Filter to Block Telnet and SSH Access. Such an approach allows you to keep your RE protection filter separate from other different filters that can be applied to different physical interfaces.

     

    Did you apply your firewall filter to the loopback interface, or to physical interfaces? If it's the former, then it sounds like a bug to me - transit traffic shouldn't be affected. If the latter - then it may be expected. You'll have to start with a particular type of traffic that should be forwarded by the router, but is dropped instead, and identify a term which is dropping such packets.

     

    HTH

     

    Best regards,

    Sergii



  • 8.  RE: MX104 IPv6 filtering does not appear to be working.

    Posted 06-07-2019 07:58
    > show configuration | match ROUTER | display set
    set interfaces lo0 unit 0 family inet filter input ROUTER-PROTECT
    set interfaces lo0 unit 0 family inet6 filter input ROUTER-PROTECT-v6

    Indeed it is, which is why I was confused that it was blocking traffic through the equipment and not just to the equipment. Maybe it's time to open a support case.


  • 9.  RE: MX104 IPv6 filtering does not appear to be working.

    Posted 06-07-2019 11:24
    After a bit of tearing apart the list and applying it bit by bit I found the problem.

    set firewall family inet6 filter ROUTER-PROTECT-v6 term OSPF from source-address ::/0
    set firewall family inet6 filter ROUTER-PROTECT-v6 term OSPF from source-prefix-list pl-OSPFRP-v6 except
    set firewall family inet6 filter ROUTER-PROTECT-v6 term OSPF from next-header ospf
    set firewall family inet6 filter ROUTER-PROTECT-v6 term OSPF then count manage-discard-ospf
    set firewall family inet6 filter ROUTER-PROTECT-v6 term OSPF then discard

    After pulling this I'm able to traceroute, ping, and browse sites on the net. I'm guessing it has something to do with the next-header ospf statement, because I tried allowing my entire IPv6 block through and that made no difference. Realistically I don't really need this, so I'm going to pull it and move on. Thanks for all the help Sergei!


  • 10.  RE: MX104 IPv6 filtering does not appear to be working.

     
    Posted 06-07-2019 12:53
    Hello Theredon,

    You're very welcome! Glad to hear that your issue is resolved, and many thanks for sharing your results with the community!

    Best regards,

    Sergii
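
An added example, not part of any post in this thread and not Juniper code: a small audit of a `display set` export for two things that came up above, inet6 filter terms that still match on `payload-protocol` (the statement that had to be replaced with `next-header` on 13.3R8.7) and terms that share one counter name, so the counter alone cannot show which term dropped a packet. The sample lines are constructed from the snippets posted in the thread, and the names `audit`, `SAMPLE` and `TERM_RE` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the SSH/TELNET/OSPF terms from this thread,
# written in "display set" form (source-address lines left out for brevity).
SAMPLE = """\
set firewall family inet6 filter ROUTER-PROTECT-v6 term SSH from payload-protocol tcp
set firewall family inet6 filter ROUTER-PROTECT-v6 term SSH from destination-port ssh
set firewall family inet6 filter ROUTER-PROTECT-v6 term SSH then count manage-discard-tcp
set firewall family inet6 filter ROUTER-PROTECT-v6 term SSH then discard
set firewall family inet6 filter ROUTER-PROTECT-v6 term TELNET from payload-protocol tcp
set firewall family inet6 filter ROUTER-PROTECT-v6 term TELNET from destination-port telnet
set firewall family inet6 filter ROUTER-PROTECT-v6 term TELNET then count manage-discard-tcp
set firewall family inet6 filter ROUTER-PROTECT-v6 term TELNET then discard
set firewall family inet6 filter ROUTER-PROTECT-v6 term OSPF from next-header ospf
set firewall family inet6 filter ROUTER-PROTECT-v6 term OSPF then count manage-discard-ospf
set firewall family inet6 filter ROUTER-PROTECT-v6 term OSPF then discard
"""

# filter name, term name, from/then, keyword, optional value
TERM_RE = re.compile(
    r"^set firewall family inet6 filter (\S+) term (\S+) (from|then) (\S+)(?: (.*))?$")

def audit(config: str):
    """Return (payload_protocol_terms, shared_counters) for inet6 filters."""
    payload_terms = []                 # (filter, term, protocol)
    counter_users = defaultdict(list)  # (filter, counter) -> [terms]
    for line in config.splitlines():
        m = TERM_RE.match(line.strip())
        if not m:
            continue                   # not an inet6 filter term line
        flt, term, section, keyword, value = m.groups()
        if section == "from" and keyword == "payload-protocol":
            payload_terms.append((flt, term, value))
        elif section == "then" and keyword == "count":
            counter_users[(flt, value)].append(term)
    # A counter named in more than one term of a filter is shared by them.
    shared = {k: v for k, v in counter_users.items() if len(v) > 1}
    return payload_terms, shared

if __name__ == "__main__":
    payload_terms, shared = audit(SAMPLE)
    for flt, term, proto in payload_terms:
        print(f"{flt} term {term}: matches on payload-protocol {proto}")
    for (flt, counter), terms in shared.items():
        print(f"{flt}: counter {counter} shared by terms {', '.join(terms)}")
```
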