Routing

  • 1.  Firewall filter questions

    Posted 01-25-2021 23:11
    I have the following topology.

    When the filter is applied as input, traffic from all the sources can reach the destination. So it looks to me as if the filter works as stateful, as no destination matches the returned traffic.
    But after I changed input to be output, I have to add all the sources to the destinations too. It works in a stateless way.

    What do I miss here?

    Thanks for coaching!!



  • 2.  RE: Firewall filter questions

    Posted 01-25-2021 23:23
    Firewall filters are always stateless!

    Do you have the two networks configured in the same irb interface? 

    Regards, 



  • 3.  RE: Firewall filter questions

    Posted 01-25-2021 23:28
    set interfaces irb unit 181 family inet filter input ACL
    set interfaces irb unit 181 family inet address 150.152.48.105/27 vrrp-group 51 virtual-address 150.152.48.104
    set interfaces irb unit 181 family inet address 150.152.48.105/27 vrrp-group 51 priority 110
    set interfaces irb unit 181 family inet address 150.152.48.105/27 vrrp-group 51 preempt
    set interfaces irb unit 181 family inet address 150.152.48.105/27 vrrp-group 51 accept-data
    set interfaces irb unit 181 family inet address 150.152.48.105/27 vrrp-group 51 track interface xe-0/0/2 priority-cost 40

    This is the irb interface configuration.

    Thanks!!


  • 4.  RE: Firewall filter questions

    Posted 01-25-2021 23:31
    The returned packet (in Red) does not look to match any allowing filter to me.

    What do I miss here?

    Thanks!!


  • 5.  RE: Firewall filter questions

    Posted 01-25-2021 23:34
    Sorry for my previous confusing diagram. I have updated it.

    Thanks!!


  • 6.  RE: Firewall filter questions
    Best Answer

    Posted 01-26-2021 17:05
    Look at it this way:

    If you apply the filter inbound on irb.181, you have a filter in the direction of traffic A => B that only allows traffic with a combination of ALLOWED SOURCES/ALLOWED DESTINATION.

    There is no filter in the direction of traffic B => A; thus any source or destination is allowed B => A (there is nothing blocking the way).


    If you apply the filter outbound on irb.181, you have a filter in the direction of traffic B => A that only allows traffic with a combination of ALLOWED SOURCES/ALLOWED DESTINATION.

    There is no filter in the direction of traffic A => B; thus any source or destination is allowed A => B (there is nothing blocking the way).

    In neither case is there any stateful behavior. Each packet is processed independently; the router does NOT keep track of any flows, or anything like that. Simply, you have NO filter applied in the opposite direction.

    HTH

    Regards, 



  • 7.  RE: Firewall filter questions

    Posted 01-26-2021 19:10
    Thanks so so so so much for your explanation in such depth. I save this in my study notes.

    So if I want to filter inbound and outbound, I have to apply filters to both inbound and outbound, right?


  • 8.  RE: Firewall filter questions

    Posted 01-26-2021 19:30

    That's right. If you want to filter inbound and outbound, you need to apply the filter in both directions.
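
The behaviour described in this thread, as an added example that is not part of any post: a small Python model of per-packet, per-direction filter evaluation on one interface. The prefixes are constructed documentation ranges (the thread's diagram and filter terms are not shown), and the function names are hypothetical; the model assumes a single accept term followed by the implicit discard at the end of a filter.

```python
from ipaddress import ip_address, ip_network

# Constructed documentation prefixes; the thread's real addressing is not shown.
SOURCES = [ip_network("192.0.2.0/24")]      # side A, behind irb.181
DESTS = [ip_network("198.51.100.0/24")]     # side B

def term(src_nets, dst_nets):
    """One accept term: matches when source and destination both fall in the prefixes."""
    return (src_nets, dst_nets)

def evaluate(filter_terms, src, dst):
    """Stateless evaluation of a single packet.
    No filter attached in this direction means accept; a filter with no
    matching term ends in the implicit discard."""
    if filter_terms is None:
        return "accept"
    s, d = ip_address(src), ip_address(dst)
    for src_nets, dst_nets in filter_terms:
        if any(s in n for n in src_nets) and any(d in n for n in dst_nets):
            return "accept"
    return "discard"

def round_trip(input_filter, output_filter, a="192.0.2.10", b="198.51.100.20"):
    """Request A => B enters the interface (input filter);
    reply B => A leaves it (output filter).
    Each packet is judged alone; nothing is remembered between the two."""
    request = evaluate(input_filter, a, b)
    reply = evaluate(output_filter, b, a)
    return request, reply

ACL = [term(SOURCES, DESTS)]                  # allowed sources -> allowed destinations
ACL_MIRRORED = ACL + [term(DESTS, SOURCES)]   # plus the swapped pair for replies

def scenarios():
    return {
        "input only": round_trip(ACL, None),
        "output only, same terms": round_trip(None, ACL),
        "output only, mirrored": round_trip(None, ACL_MIRRORED),
        "both directions": round_trip(ACL, ACL_MIRRORED),
    }

if __name__ == "__main__":
    for name, (request, reply) in scenarios().items():
        print(f"{name:26} request={request:8} reply={reply}")
```

With the filter on input only, the reply passes because nothing is attached on output, not because any flow was tracked; an unlisted source on side A is still discarded on the request.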