
Firewall filter "except" doubt

  • 1.  Firewall filter "except" doubt

    Posted 08-27-2021 14:06
    Hi,

    I have an MX router connecting to two ISPs. I want to implement a simple inbound filter on the uplink interfaces to block BGP connection attempts except from the configured ISP peers. I have the following configuration:

    set policy-options prefix-list ISP_peers apply-path "protocols bgp group <*> neighbor <*>"
    set firewall family inet filter allow_inbound term bgp from source-prefix-list ISP_peers except
    set firewall family inet filter allow_inbound term bgp from port bgp
    set firewall family inet filter allow_inbound term bgp then reject

    The above configuration seems to be reasonable, but it is not working, i.e., it does not block unwanted BGP connection attempts. Anything wrong?

    John

    ------------------------------
    John Gerro
    ------------------------------


  • 2.  RE: Firewall filter "except" doubt

    Posted 08-28-2021 05:45
    Hi John,

    Try adding the protocol.

    set policy-options prefix-list ISP_peers apply-path "protocols bgp group <*> neighbor <*>"
    set firewall family inet filter allow_inbound term bgp from source-prefix-list ISP_peers except
    set firewall family inet filter allow_inbound term bgp from port bgp
    set firewall family inet filter allow_inbound term bgp from protocol tcp
    set firewall family inet filter allow_inbound term bgp then reject

    The apply should work. In addition to all this, when blocking, the best practice is to specify what you want in, then add a reject.

    You might be interested in reading a Day One about securing the routing engine:

    https://grumbl.org/juniperdayone/Securing_RouteEngine2.pdf

    ------------------------------
    GABRIEL FLORES
    ------------------------------



  • 3.  RE: Firewall filter "except" doubt

    Posted 08-28-2021 10:58
    Hi John,

    I think you should remove the except keyword.

    According to the policy:

    admin@R1# set firewall family inet filter in-filter term bgp from source-prefix-list bgp-neighbors ?
    Possible completions:
    <[Enter]> Execute this command
    except Match addresses not in this prefix list
    | Pipe through a command
    [edit]

    Since you are already configuring the neighbor, it looks reasonable that you want to permit the addresses that are in the prefix list (by neighbor configuration), not the ones that aren't.

    Thanks

    ------------------------------
    MURILO BRANTEGANI GRIZI
    ------------------------------



  • 4.  RE: Firewall filter "except" doubt

    Posted 08-29-2021 19:50

    I have run into the same issue, and in my case the fix turned out to be to ensure I have a term that matches "any" source address whenever I use a term matching a source address (or prefix-list) with the "except" modifier. In other words,

    set firewall family inet filter allow_inbound term bgp from source-address 0.0.0.0/0
    set firewall family inet filter allow_inbound term bgp from source-prefix-list ISP_peers except

    -Stephen



    ------------------------------
    STEPHEN TROVATO
    ------------------------------



  • 5.  RE: Firewall filter "except" doubt

    Posted 09-09-2021 19:20
    This is late, but I would configure 2 terms in the firewall: one accepting/allowing what is in the prefix list and another term denying anything that is NOT in the prefix list! The keyword except throws me off :( and that's why I would do it this way.

    //allow only what is in the prefix list//
    set policy-options prefix-list ISP_peers apply-path "protocols bgp group <*> neighbor <*>"
    set firewall family inet filter allow_inbound term bgp from source-prefix-list ISP_peers
    set firewall family inet filter allow_inbound term bgp from protocol tcp
    set firewall family inet filter allow_inbound term bgp from port bgp
    set firewall family inet filter allow_inbound term bgp then accept

    //deny all tcp traffic on bgp port that is NOT in the prefix list//
    set firewall family inet filter allow_inbound term discard-bgp from protocol tcp
    set firewall family inet filter allow_inbound term discard-bgp from port bgp
    set firewall family inet filter allow_inbound term discard-bgp then discard


    **Term discard-bgp must be applied below term bgp.**

    ------------------------------
    Epa-
    ------------------------------



  • 6.  RE: Firewall filter "except" doubt

    Posted 08-28-2021 11:12
    Murilo,

    See that the filter is to reject, not to accept; ergo the logic of the filter is solid.

    ------------------------------
    GABRIEL FLORES
    ------------------------------



  • 7.  RE: Firewall filter "except" doubt

    Posted 08-28-2021 11:43
    True, Gabriel.

    Then my question is if there is an ending "permit" term.  According to https://www.juniper.net/documentation/us/en/software/junos/routing-policy/topics/concept/firewall-filter-ex-series-evaluation-understanding.html

    "When a firewall filter consists of more than one term, the firewall filter is evaluated sequentially:

    1. The packet is evaluated against the conditions in the from statement in the first term.

    2. If the packet matches all the conditions in the term, the action in the then statement is taken and the evaluation ends. Subsequent terms in the filter are not evaluated.

    3. If the packet does not match all the conditions in the term, the packet is evaluated against the conditions in the from statement in the second term. This process continues until either the packet matches the conditions in the from statement in one of the subsequent terms or there are no more terms in the filter.

    4. If a packet passes through all the terms in the filter without a match, the packet is discarded."



    I understand that, since this is an except, it is not matching the packets from the peers, and thus they are reaching an implicit discard.

    A simple test would be to add a term 'last' with "then accept".

    Responding fast so not sure my logic is solid, feel free to review.



    ------------------------------
    MURILO BRANTEGANI GRIZI
    ------------------------------