Junos OS


Firewall Filters

  • 1.  Firewall Filters

    Posted 02-22-2015 22:30

    Given the configuration shown in the exhibit, what will happen to traffic from source 10.10.10.25 destined to 200.200.200.1?


    user@router> show configuration firewall
    family inet {
        filter demo {
            term example {
                from {
                    source-address {
                        100.100.100.0/24;
                    }
                    destination-address {
                        200.200.200.0/24;
                    }
                }
                then {
                    reject;
                }
            }
            term testing {
                from {
                    source-address {
                        10.10.10.0/28;
                    }
                    destination-address {
                        200.200.200.0/24;
                    }
                }
                then sample;
            }
            term results {
                from {
                    address {
                        200.200.200.0/24;
                    }
                }
                then accept;
            }
            term final {
                then policer LAPD;
            }
        }
    }


    1. The traffic will be rejected.
    2. The traffic will be dropped.
    3. The traffic will be forwarded.
    4. The traffic will be policed.

    Is the correct answer 4? 



  • 2.  RE: Firewall Filters

    Posted 02-22-2015 23:21

    It will be accepted because it will match this term:


    term results {
        from {
            address {
                200.200.200.0/24;
            }
        }
        then accept;
    }

    The 'address' match condition can be either source or destination:


    [edit]
    lab@mx240-re0# set firewall family inet filter F term 1 from ?
    Possible completions:
    > address              Match IP source or destination address




    =====

    If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.



  • 3.  RE: Firewall Filters

    Posted 02-22-2015 23:46

    Correct me if I am wrong, as the traffic is from source 10.10.10.25 destined to 200.200.200.1.
    I felt the statement below should be (see in red) in order to match the condition:


    term results {
        from {
            address {
                10.10.10.0/24;
            }
        }
        then accept;
    }


    If the 'address' match condition can be either source or destination, what is the difference between 'term results' with address 10.10.10.0/24 and 'term results' with address 200.200.200.0/24?

    term results {
        from {
            address {
                200.200.200.0/24;
            }
        }
        then accept;
    }



  • 4.  RE: Firewall Filters
    Best Answer

    Posted 02-22-2015 23:52

    I don't see the term you are mentioning in the initial post:

    user@router> show configuration firewall
    family inet {
        filter demo {
            term example {
                from {
                    source-address {
                        100.100.100.0/24;
                    }
                    destination-address {
                        200.200.200.0/24;
                    }
                }
                then {
                    reject;
                }
            }
            term testing {
                from {
                    source-address {
                        10.10.10.0/28;
                    }
                    destination-address {
                        200.200.200.0/24;
                    }
                }
                then sample;
            }
            term results {
                from {
                    address {
                        200.200.200.0/24;
                    }
                }
                then accept;
            }
            term final {
                then policer LAPD;
            }
        }
    }


    The term mentioned by me as being correct says something like "if the source or destination falls in the range 200.200.200.0/24, then accept the packet". It would have been the same thing if, instead of 200.200.200.0/24, you had 10.10.10.0/24.




  • 5.  RE: Firewall Filters

    Posted 04-15-2019 21:00

    Thanks for the reply. I would really appreciate it if you could explain the firewall policy a bit here. When I read the Juniper guide, it means that we have to match the source IP; if it is not matched, the packet keeps going to the next policy until the default.

    Source IP host 10.10.10.25 is not part of the firewall policy at all, since the /28 in the question would not include it. So are you basing the result to allow the packet on the destination address only here?

    Does the router not also look at the source IP host and compare it with the given policy?



  • 6.  RE: Firewall Filters

     
    Posted 04-16-2019 05:03

    Hello Ziadawsome,


    Answering your question, you can match packets in a firewall filter based on the source address, on the destination address, or on either of them. If there is no match, the packet will be dropped by the implicit deny term at the end of the filter.

    This is a very old thread and it would be great if you could create a new thread for your question, and elaborate on it a bit; it's not quite clear what you're asking about.


    Best regards,

    Sergii
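
    As an added example (not part of this thread and not Juniper code), the following Python script models the term evaluation that replies 2, 4 and 6 describe: terms are tried top to bottom and the first full match decides the packet, 'address' matches either the source or the destination, and a packet that matches no term hits the implicit discard at the end of the filter. The filter "demo" from the original post is transcribed as data. One assumption beyond the thread is marked in the code: a term whose 'then' clause has only action modifiers (sample, policer) is treated as accepting the packet, which is the Junos default when no terminating action is configured. The packets other than the question's own 10.10.10.25 -> 200.200.200.1 are constructed test inputs.

```python
"""Model of Junos firewall-filter term evaluation for the filter in this thread.

Added example; not code from the original post and not Juniper's implementation.
"""
import ipaddress

# Filter "demo" from the original post, transcribed term by term.
# Each term has optional match conditions ("from") and its actions ("then").
DEMO_FILTER = [
    {"name": "example",
     "from": {"source-address": ["100.100.100.0/24"],
              "destination-address": ["200.200.200.0/24"]},
     "then": ["reject"]},
    {"name": "testing",
     "from": {"source-address": ["10.10.10.0/28"],
              "destination-address": ["200.200.200.0/24"]},
     "then": ["sample"]},
    {"name": "results",
     "from": {"address": ["200.200.200.0/24"]},   # source OR destination
     "then": ["accept"]},
    {"name": "final",
     "from": {},                                  # no "from": matches everything
     "then": ["policer LAPD"]},
]

# Terminating actions end evaluation; anything else (sample, count, log,
# policer ...) is an action modifier.
TERMINATING = {"accept", "reject", "discard"}


def _in_any(addr, prefixes):
    """True if addr lies inside at least one of the listed prefixes."""
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def term_matches(term, src, dst):
    """True only if every match condition configured in the term is satisfied.

    src and dst are ipaddress objects. 'source-address' and
    'destination-address' test one field; 'address' tests either field.
    """
    for cond, prefixes in term.get("from", {}).items():
        if cond == "source-address":
            ok = _in_any(src, prefixes)
        elif cond == "destination-address":
            ok = _in_any(dst, prefixes)
        elif cond == "address":
            ok = _in_any(src, prefixes) or _in_any(dst, prefixes)
        else:
            raise ValueError(f"unsupported match condition: {cond}")
        if not ok:
            return False
    return True


def evaluate(filter_terms, src, dst):
    """Return (term_name, terminating_action, modifiers) for one packet.

    First matching term wins (first match, not best match). If no term
    matches, the filter's implicit discard applies and term_name is None.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for term in filter_terms:
        if term_matches(term, src, dst):
            actions = term["then"]
            terminating = [a for a in actions if a in TERMINATING]
            modifiers = [a for a in actions if a not in TERMINATING]
            # Assumption (Junos default, not stated in the thread): a term with
            # only action modifiers and no terminating action accepts the packet.
            # A policer may still drop traffic above its rate; not modelled here.
            final = terminating[0] if terminating else "accept"
            return term["name"], final, modifiers
    return None, "discard", []          # implicit discard at end of filter


if __name__ == "__main__":
    # Constructed sample packets; the first one is the question's own.
    for s, d in [("10.10.10.25", "200.200.200.1"),
                 ("10.10.10.5", "200.200.200.1"),
                 ("100.100.100.7", "200.200.200.1"),
                 ("10.10.10.25", "8.8.8.8")]:
        print(f"{s} -> {d}: {evaluate(DEMO_FILTER, s, d)}")
    # Same filter without the catch-all 'final' term: the last packet above
    # now matches nothing and is discarded by the implicit deny.
    print("without term final:", evaluate(DEMO_FILTER[:3], "10.10.10.25", "8.8.8.8"))
```

    Running it shows the question's packet skipping 'example' (wrong source), skipping 'testing' (10.10.10.25 is outside 10.10.10.0/28, which only covers 10.10.10.0 to 10.10.10.15) and landing on 'results' via its destination, so the traffic is forwarded. Dropping the 'final' term from the list is the quickest way to see the implicit discard that reply 6 refers to.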