Routing

QFX5100 - firewall filter

  • 1.  QFX5100 - firewall filter

    Posted 01-15-2020 07:27

    Hello,

    I am testing a simple ICMP firewall filter on a qfx5100-48s-6q and cannot commit after I apply the filter on a layer 2 interface. The commit works, however, after I apply it on a layer 3 interface.


    interfaces {
        ge-0/0/0 {
            unit 0 {
                family ethernet-switching {
                    interface-mode access;
                    vlan {
                        members TEST;
                    }
                }
            }
        }
    }

    firewall {
        family inet {
            filter RA-FILTER {
                term SSH {
                    from {
                        source-address {
                            69.54.49.182/32;
                        }
                        protocol tcp;
                        destination-port ssh;
                    }
                    then {
                        count allow.ssh;
                        accept;
                    }
                }
            }
            filter ICMP-FILTER {
                term ICMP {
                    from {
                        source-address {
                            192.168.99.50/32;
                        }
                    }
                    then accept;
                }
                term ICMP-BLOCK {
                    from {
                        protocol icmp;
                    }
                    then {
                        discard;
                    }
                }
                term ALLOW {
                    then accept;
                }
            }
        }
    }

    atetu@emp-cle.qfx5100-1# set interfaces ge-0/0/0 unit 0 family ethernet-switching filter input ICMP-FILTER

    atetu@emp-cle.qfx5100-1# commit
    [edit interfaces ge-0/0/0 unit 0 family ethernet-switching]
      'filter'
        Referenced filter 'ICMP-FILTER' is not defined
    error: configuration check-out failed


    ge-0/0/10 {
        unit 0 {
            family inet {
                address 10.10.200.254/24;
            }
        }
    }


    atetu@emp-cle.qfx5100-1# ...erfaces ge-0/0/10 unit 0 family inet filter input ?
    Possible completions:
      ICMP-FILTER    [firewall family inet filter]    <--- this doesn't show up on the ge-0/0/0 layer 2 interface
      RA-FILTER      [firewall family inet filter]    <--- this doesn't show up on the ge-0/0/0 layer 2 interface


    Thanks,

    -Adrian



  • 2.  RE: QFX5100 - firewall filter

    Posted 01-15-2020 07:54

    This error is because you configured the filter under family inet and are trying to apply it to family ethernet-switching ...
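    To make the family mismatch concrete, here is an added example (not from the original post) of the same ICMP policy written under family ethernet-switching, which is the family a layer 2 access port on the QFX5100 can reference. The match-condition names ip-source-address and ip-protocol are what the ELS-style QFX syntax uses for IP fields inside a layer 2 filter; the filter name ICMP-FILTER-L2 and the counter name are my own, and the monitoring host address is the one from the question. Confirm the exact match keywords on your Junos release with `set firewall family ethernet-switching filter X term Y from ?` before committing.

```junos
/* Added example: layer 2 filter for an access port on a QFX5100 (ELS syntax) */
firewall {
    family ethernet-switching {
        filter ICMP-FILTER-L2 {
            /* Let the monitoring host (from the question) send anything, including ping */
            term ALLOW-MONITOR {
                from {
                    ip-source-address {
                        192.168.99.50/32;
                    }
                }
                then accept;
            }
            /* Drop all other ICMP on this port and count the drops for troubleshooting */
            term ICMP-BLOCK {
                from {
                    ip-protocol icmp;
                }
                then {
                    count icmp-blocked;
                    discard;
                }
            }
            /* Explicit final accept: a filter with no matching term drops by default */
            term ALLOW {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members TEST;
                }
                /* Reference the filter under the same family it was defined in */
                filter {
                    input ICMP-FILTER-L2;
                }
            }
        }
    }
}
```

    After the commit, `show firewall filter ICMP-FILTER-L2` shows the icmp-blocked counter, which is the quickest way to confirm the filter is actually matching rather than silently passing traffic.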

     



  • 3.  RE: QFX5100 - firewall filter

    Posted 01-15-2020 08:32

    Thank you for the quick reply Akushner!

    That was a silly error on my part, as I am still getting used to the Junos architecture coming from Cisco. This QFX5100 will act as a core router and it will have several DIA connections. Is it recommended to restrict SSH access on every active Layer 3 interface? Is there a way to restrict SSH or other ingress traffic globally?

    Thanks,

    -Adrian




  • 4.  RE: QFX5100 - firewall filter
    Best Answer

    Posted 01-15-2020 17:00

    For global self traffic restrictions apply the firewall filter to the loopback interface. This will then apply to anything with a destination of the Junos device.

    Check out the free Day One book Hardening Junos Devices for the details on recommended RE filters and other tips with a checklist.


    https://forums.juniper.net/t5/Day-One-Books/NEW-This-Week-Hardening-Junos-Devices-Second-Edition/ba-p/117366
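    As an added example of the loopback approach described above (my own configuration, not from the post or the Day One book), the following restricts SSH to a management prefix list once and applies it on lo0, so it covers every Layer 3 interface, including the DIA links, without per-interface filters. The prefix-list name, filter name, counter names and the loopback address 10.255.0.1/32 are placeholders; the management prefix 192.168.99.0/24 is assumed and should be replaced with your real management networks. A filter on lo0 only sees traffic addressed to the device itself, not transit traffic, so the trailing accept term is essential: without it, routing protocols, NTP, DNS and everything else to the RE would be dropped.

```junos
/* Added example: control-plane SSH restriction applied globally via lo0 */
policy-options {
    prefix-list MGMT-HOSTS {
        /* Assumed management network; replace with the real one(s) */
        192.168.99.0/24;
    }
}
firewall {
    family inet {
        filter PROTECT-RE {
            /* SSH only from management hosts */
            term ALLOW-MGMT-SSH {
                from {
                    source-prefix-list {
                        MGMT-HOSTS;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    count ssh-allowed;
                    accept;
                }
            }
            /* Any other SSH attempt against the device: count it, then drop it */
            term DENY-SSH {
                from {
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    count ssh-denied;
                    discard;
                }
            }
            /* Everything else to the RE stays open; tighten this term by term as you verify each protocol */
            term ALLOW-REST {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE;
                }
                /* Placeholder loopback address */
                address 10.255.0.1/32;
            }
        }
    }
}
```

    Commit with `commit confirmed` from a session that is inside the allowed prefix, then attempt an SSH connection from a host outside it and check `show firewall filter PROTECT-RE`: the ssh-denied counter should increment while the existing session stays up. If the counters never move, the filter is not in the path and the restriction is not in effect.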

     



  • 5.  RE: QFX5100 - firewall filter

    Posted 01-16-2020 08:15

    Thank you for the links sir! The Word doc is fantastic and exactly what I was hoping to find.


    Regards,

    -AT