
Firewall filter questions

  • 1.  Firewall filter questions

    Posted 01-25-2021 23:11
    I have the following topology.

    When the filter is applied as input, traffic from all the sources can reach the destination. So it looks to me like the filter works statefully, as no destination matches the returned traffic.
    But after I changed input to output, I had to add all the sources to the destinations too. It works in a stateless way.

    What do I miss here?

    Thanks for coaching!!



  • 2.  RE: Firewall filter questions

     
    Posted 01-25-2021 23:23
    Firewall filters are always stateless!

    Do you have the two networks configured in the same irb interface?

    Regards, 


    ------------------------------
    Yasmin Lara
    Juniper Ambassador
    JNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SEC
    JNCDS-DC, JNCIA-DevOps, JNCIP-CLOUD, CCNP-ENT
    ------------------------------



  • 3.  RE: Firewall filter questions

    Posted 01-25-2021 23:28
    set interfaces irb unit 181 family inet filter input ACL
    set interfaces irb unit 181 family inet address 150.152.48.105/27 vrrp-group 51 virtual-address 150.152.48.104
    set interfaces irb unit 181 family inet address 150.152.48.105/27 vrrp-group 51 priority 110
    set interfaces irb unit 181 family inet address 150.152.48.105/27 vrrp-group 51 preempt
    set interfaces irb unit 181 family inet address 150.152.48.105/27 vrrp-group 51 accept-data
    set interfaces irb unit 181 family inet address 150.152.48.105/27 vrrp-group 51 track interface xe-0/0/2 priority-cost 40

    This is the irb interface configuration.

    Thanks!!


  • 4.  RE: Firewall filter questions

    Posted 01-25-2021 23:31
    The returned packet (in red) does not look to match any allowing filter to me.

    What do I miss here?

    Thanks!!


  • 5.  RE: Firewall filter questions

    Posted 01-25-2021 23:34
    Sorry for my previous confusing diagram. I have updated it.

    Thanks!!


  • 6.  RE: Firewall filter questions
    Best Answer

     
    Posted 01-26-2021 17:05
    Look at it this way:

    If you apply the filter inbound on irb.181, you have a filter in the direction of traffic A => B that only allows traffic with a combination of ALLOWED SOURCES/ALLOWED DESTINATION.

    There is no filter in the direction of traffic B => A; thus any source or destination is allowed B => A (there is nothing blocking the way).


    If you apply the filter outbound on irb.181, you have a filter in the direction of traffic B => A that only allows traffic with a combination of ALLOWED SOURCES/ALLOWED DESTINATION.

    There is no filter in the direction of traffic A => B; thus any source or destination is allowed A => B (there is nothing blocking the way).

    In neither case is there any stateful behavior. Each packet is processed independently; the router does NOT keep track of any flows, or anything like that. Simply, you have NO filter applied in the opposite direction.

    HTH

    Regards, 


    ------------------------------
    Yasmin Lara
    Juniper Ambassador
    JNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SEC
    JNCDS-DC, JNCIA-DevOps, JNCIP-CLOUD, CCNP-ENT
    ------------------------------

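    The directional, packet-by-packet behaviour described in the answer above, as an added example that is not part of the thread and not Juniper code: a small Python model of stateless filter evaluation on one interface. The hosts (10.0.1.10, 10.0.1.11, 10.0.1.99 on the A side; 10.0.2.20 on the B side) and the filter terms are constructed for the illustration; the original ACL contents are not shown in the thread. The model applies the input filter only to packets entering irb.181 (A => B) and the output filter only to packets leaving it (B => A), keeps no flow state, and ends every filter with the implicit discard.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class Term:
    """One filter term: match on source/destination, then accept or discard."""
    name: str
    sources: FrozenSet[str] = frozenset()       # empty set = match any source
    destinations: FrozenSet[str] = frozenset()  # empty set = match any destination
    action: str = "accept"                      # "accept" or "discard"


def evaluate_filter(terms: List[Term], pkt: Packet) -> str:
    """First matching term wins; no match falls through to the implicit discard.

    Nothing here remembers earlier packets: each call sees only this packet.
    """
    for t in terms:
        src_ok = not t.sources or pkt.src in t.sources
        dst_ok = not t.destinations or pkt.dst in t.destinations
        if src_ok and dst_ok:
            return t.action
    return "discard"


@dataclass
class Interface:
    """An interface with an optional input filter and an optional output filter."""
    name: str
    input_filter: Optional[List[Term]] = None
    output_filter: Optional[List[Term]] = None

    def verdict(self, pkt: Packet, direction: str) -> str:
        # Only the filter applied in the packet's own direction is consulted;
        # a direction with no filter lets everything through.
        f = self.input_filter if direction == "input" else self.output_filter
        return "accept" if f is None else evaluate_filter(f, pkt)


# Constructed addresses for the example (not from the thread).
HOST_A1, HOST_A2, HOST_A_OTHER = "10.0.1.10", "10.0.1.11", "10.0.1.99"
HOST_B = "10.0.2.20"

# Constructed filters: ACL mirrors the thread's "allowed sources / allowed
# destination" shape; ACL_RETURN is the mirrored filter needed for B => A.
ACL = [Term("allow-a-to-b", frozenset({HOST_A1, HOST_A2}), frozenset({HOST_B}))]
ACL_RETURN = [Term("allow-b-to-a", frozenset({HOST_B}), frozenset({HOST_A1, HOST_A2}))]


def exchange(iface: Interface, a: str, b: str) -> Tuple[str, str]:
    """Verdicts for a request A => B entering the interface and its reply B => A leaving it."""
    forward = iface.verdict(Packet(a, b), "input")
    reply = iface.verdict(Packet(b, a), "output")
    return forward, reply


def run_scenarios() -> Dict[str, Tuple[str, str]]:
    input_only = Interface("irb.181", input_filter=ACL)
    output_only = Interface("irb.181", output_filter=ACL)
    both = Interface("irb.181", input_filter=ACL, output_filter=ACL_RETURN)
    return {
        # Reply passes because nothing filters the output direction, which is
        # what made the filter look stateful in the original question.
        "input-only, allowed host": exchange(input_only, HOST_A1, HOST_B),
        # The request is discarded; the output direction is still unfiltered.
        "input-only, other host": exchange(input_only, HOST_A_OTHER, HOST_B),
        # Request passes unfiltered; the reply fails ACL because its source is B,
        # which is why the poster had to add the sources as destinations too.
        "output-only, allowed host": exchange(output_only, HOST_A1, HOST_B),
        # Filtering both directions needs an explicit term for each direction.
        "both, allowed host": exchange(both, HOST_A1, HOST_B),
        "both, other host": exchange(both, HOST_A_OTHER, HOST_B),
    }


if __name__ == "__main__":
    for name, (forward, reply) in run_scenarios().items():
        print(f"{name:28s} A=>B: {forward:8s} B=>A: {reply}")
```

    The "output-only" row reproduces the situation in the question: the same ACL that accepts the request cannot accept the reply, because the reply's source and destination are swapped and the filter has no memory of the request that preceded it.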


  • 7.  RE: Firewall filter questions

    Posted 01-26-2021 19:10
    Thanks so so so so much for your explanation in such depth. I'll save this in my study notes.

    So if I want to filter inbound and outbound, I have to apply both inbound and outbound filters, right?


  • 8.  RE: Firewall filter questions

    Posted 01-26-2021 19:30