Junos OS


Is there any issue with junos inet6 firewall?

  • 1.  Is there any issue with junos inet6 firewall?

    Posted 10-17-2020 10:57

    Hello,
    We are trying to configure a firewall for inet6, but it seems to be dropping legitimate traffic.
    So I am wondering whether there is any issue with Junos inet6?

    EX series, Junos 15.1R6.7

    Thanks



  • 2.  Re: Is there any issue with junos inet6 firewall?

     
    Posted 10-17-2020 11:06

    Hello fiber9,

     

    To answer this question, it is absolutely necessary that you paste the corresponding config, which includes the firewall filter and the interface config. Additionally, please give us more details on what exactly happens: source/destination IP, which kind of traffic is dropped that should not be dropped, where it is dropped ...



  • 3.  Re: Is there any issue with junos inet6 firewall?

    Posted 26 days ago

    Created a filter for IPv4 and IPv6 on an EX4200. This works fine on an EX4300 running Junos 18.x or 19.x,

    but on the EX4200 running 15.x it does not work. So is this a Junos issue, or am I doing something wrong?

     

    I enable it, IPv6 BGP gets established, and then the interface's IPv6 traffic drops.

    set interfaces lo0 unit 0 family inet6 filter input ipv6filter
    set interfaces lo0 unit 0 family inet6 address xxxxxx::1/64
    set firewall filter inet6 filter ipv6filter term BGP from source-prefix-list EBGP-ROUTERS
    set firewall filter inet6 filter ipv6filter term BGP from payload-protocol tcp
    set firewall filter inet6 filter ipv6filter term BGP from port 179
    set firewall filter inet6 filter ipv6filter term BGP then accept
    set firewall family inet6 filter ipv6filter term ICMP from next-header icmp6
    set firewall family inet6 filter ipv6filter term ICMP from icmp-type echo-request
    set firewall family inet6 filter ipv6filter term ICMP from icmp-type echo-reply
    set firewall family inet6 filter ipv6filter term ICMP then accept
    set firewall family inet6 filter ipv6filter term OTHER then discard




  • 4.  Re: Is there any issue with junos inet6 firewall?

     
    Posted 26 days ago

    Hi,

     

    Two things:

     

    - I seem to remember that payload-protocol in the BGP term is a HW-dependent match condition. Have you tried using next-header like in the ICMP term?

     

    - "set firewall filter inet6 ..." would not create a family inet6 filter, but a filter called inet6; the following keyword "filter" is afaik not valid syntax. Can you please do a "show conf firewall family inet6 filter ipv6filter"?

     

    Regards

    Ulf



  • 5.  Re: Is there any issue with junos inet6 firewall?

    Posted 24 days ago

    Ok, I stripped the config to make it work. If I enable this on lo0, then the IPv6 address assigned to the interface stops working.

    show configuration firewall family inet6 filter ipv6filter
    term BGP_IN {
        from {
            source-prefix-list {
                EBGP-ROUTERS;
            }
            next-header tcp;
            destination-port bgp;
        }
        then accept;
    }
    term OTHER {
        then discard;
    }



  • 6.  Re: Is there any issue with junos inet6 firewall?

     
    Posted 23 days ago

    Hi,

     

    1. Can you please elaborate on "then the IPv6 address assigned to the interface stops working"?

    2. With "destination-port bgp" only BGP sessions initiated from the peer would work, but not the ones initiated from the DUT (the DUT would send dst-port=bgp, src-port=<random>, so the peer would reply with dst-port=<random, unlikely to be BGP>, src-port=bgp).

    3. An (input) firewall filter assigned to lo0 acts on all traffic from the forwarding plane to the control plane, so in its current form it will interfere with pings, Neighbor Discovery etc. You might want to check the details in Hardening Junos Devices.

     

    Regards

    Ulf
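A lo0 input filter that addresses both of Ulf's points (matching BGP in either direction, and explicitly permitting the ICMPv6 messages the control plane needs, including Neighbor Discovery, before the final discard). This is an added example, not a config posted in the thread; it reuses the EBGP-ROUTERS prefix list from the posts, and the term names and the counter name are placeholders.

```junos
/* Example lo0 input filter (added illustration, not from the thread). */
/* Assumes prefix-list EBGP-ROUTERS is already defined under policy-options. */
firewall {
    family inet6 {
        filter ipv6filter {
            /* "port bgp" matches source OR destination port, so sessions */
            /* initiated by either side pass; "destination-port bgp" alone */
            /* only covers sessions the peer opens. */
            term BGP {
                from {
                    source-prefix-list {
                        EBGP-ROUTERS;
                    }
                    next-header tcp;
                    port bgp;
                }
                then accept;
            }
            /* Neighbor Discovery and the ICMPv6 error types must reach the */
            /* RE or the interface's IPv6 address stops resolving neighbors. */
            term ICMP6 {
                from {
                    next-header icmp6;
                    icmp-type [ echo-request echo-reply neighbor-solicit neighbor-advertisement router-solicit router-advertisement destination-unreachable packet-too-big time-exceeded parameter-problem ];
                }
                then accept;
            }
            /* Count what the final term drops so silent drops show up in */
            /* "show firewall filter ipv6filter" during troubleshooting. */
            term OTHER {
                then {
                    count ipv6filter-discards;
                    discard;
                }
            }
        }
    }
}
```

After committing, "show firewall filter ipv6filter" shows the discard counter increasing if legitimate control-plane traffic is still being caught by the last term.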