Junos OS

Expand all | Collapse all

Block outgoing port

Jump to Best Answer
  • 1.  Block outgoing port

    Posted 05-22-2017 00:45

    Hello guys, how to block outgoing port (like from trust to untrust)?

    Example:

    Trust  source-address is 192.168.1.0/24

    Untrust port is: ge0/0/1

     

    Ports to be blocked: TCP ports 139 and 445 and UDP ports 137 and 138

     

    Any help is greatly appreciated.

    Thanks in advance.

     

     



  • 2.  RE: Block outgoing port

    Posted 05-22-2017 13:01

    Hello, JJJCR.

     

    You have mentioned security zones, so I assume this is a SRX devices? Would you please provide a copy of your existing security policies so that we can appropriately make recommendations? The following commands will generate the desired output.

     

    From operational mode: show configuration security 

    From configuration mode: show security

     

    Please reply back with the output. Thanks.

     

    P.S. If you're using the default policy, I've provided the necessary configuration below.

     

    set security policies from-zone trust to-zone untrust policy deny-smb match source-address any destination-address any application junos-smb
    set security policies from-zone trust to-zone untrust policy deny-smb then deny
    set security policies from-zone trust to-zone untrust policy deny-smb then count
    set security policies from-zone trust to-zone untrust policy deny-netbios match source-address any destination-address any application junos-nbds
    set security policies from-zone trust to-zone untrust policy deny-netbios then deny
    set security policies from-zone trust to-zone untrust policy deny-netbios then count
    insert security policies from-zone trust to-zone untrust policy deny-smb before policy default-permit insert security policies from-zone trust to-zone untrust policy deny-netbios before policy default-permit

     

    Also, if you're interested, I identified the appropriate applications by running the following commands.

     

    synackray@lab1>show configuration groups junos-defaults applications application junos-smb
    term t1 protocol tcp destination-port 139;
    term t2 protocol tcp destination-port 445;
    synackray@lab1>show configuration groups junos-defaults applications application junos-nbds
    term t1 protocol udp destination-port 138;
    


  • 3.  RE: Block outgoing port

    Posted 05-22-2017 19:30

    Hi synackray, yes you're right it's an SRX device. SRX 240 H2.

     

    set interfaces ge-0/0/0 unit 0 description "Trust Zone"
    set interfaces ge-0/0/0 unit 0 family inet address 192.168.15.254/24
    set interfaces ge-0/0/1 unit 0 description "DMZ Zone"
    set interfaces ge-0/0/1 unit 0 family inet address 192.168.16.1/24
    set interfaces ge-0/0/2 unit 0 description "Untrust Zone"
    set interfaces ge-0/0/2 unit 0 family inet address 5.5.5.6/27



  • 4.  RE: Block outgoing port
    Best Answer

    Posted 05-23-2017 14:18

    Hello, JJJCR!

     

    Thanks for confirming. 

     

    Would you please provide a copy of your existing security policies so that we can appropriately make recommendations? The following commands will generate the desired output.

     

     

    From operational mode: show configuration security 
    From configuration mode: show security

     

    Please reply back with the output. Thanks.

     

    P.S. If you're using the default policy, I've provided the necessary configuration below.

     

    set security policies from-zone trust to-zone untrust policy deny-smb match source-address any destination-address any application junos-smb
    set security policies from-zone trust to-zone untrust policy deny-smb then deny
    set security policies from-zone trust to-zone untrust policy deny-smb then count
    set security policies from-zone trust to-zone untrust policy deny-netbios match source-address any destination-address any application junos-nbds
    set security policies from-zone trust to-zone untrust policy deny-netbios then deny
    set security policies from-zone trust to-zone untrust policy deny-netbios then count
    insert security policies from-zone trust to-zone untrust policy deny-smb before policy default-permit insert security policies from-zone trust to-zone untrust policy deny-netbios before policy default-permit

     

    Also, if you're interested, I identified the appropriate applications by running the following commands.

     

    synackray@lab1>show configuration groups junos-defaults applications application junos-smb
    term t1 protocol tcp destination-port 139;
    term t2 protocol tcp destination-port 445;
    synackray@lab1>show configuration groups junos-defaults applications application junos-nbds
    term t1 protocol udp destination-port 138;