Junos OS


Firewall filter not working as intended

  • 1.  Firewall filter not working as intended

    Posted 12-12-2016 12:52

    Hello all... somewhat new to Junos and definitely with firewall filters. I want to achieve a couple of basic things in regards to an isolated VLAN/subnet I have here.

    One is, in term 1, allow DNS, DHCP, NTP, LDAP, HTTP/S etc. for the devices living on VLAN 2222.

    Second is, allow only my station (located on another VLAN) to be able to ping and SSH to devices on said VLAN.

    Then... reject everything else.

    The filter is created on a 4300 building "core" switch; the subsequent "access" switches (EX3300s) are trunked off of that. All is well connectivity-wise. When I apply the filter (inbound) to the irb interface on the 4300, I cannot SSH or ping the devices that live on VLAN 2222.

    I've done quite a bit of googling and testing, to no avail; it should not be this hard! Can somebody enlighten me as to what I'm doing wrong? Do I need to write terms for the return traffic as well, since this is stateless? Below is my filter.

    Appreciate any help.


    root@Upper_School_Core# run show configuration firewall
    family inet {
        filter FROMG33LAB {
            term 1 {
                from {
                    destination-port [ domain http https ntp ldap dhcp ];
                }
                then accept;
            }
            term 2 {
                from {
                    source-address {
                        10.2.12.60/32;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term 3 {
                from {
                    source-address {
                        10.2.12.60/32;
                    }
                    icmp-type [ echo-reply echo-request ];
                }
                then accept;
            }
            term 20 {
                then {
                    reject;
                }
            }
        }
    }

    Apply filter:

    set interfaces irb unit 2222 family inet filter input FROMG33LAB




  • 2.  RE: Firewall filter not working as intended

    Posted 12-20-2016 20:34

    Hi, you can probably try a few more things here:

    1. I hope the workstation from where you are doing ping and SSH is in a different VLAN; only then will it hit the irb interface for inter-VLAN routing. If it is in the same VLAN 2222, then it will not hit the irb.

    2. In your firewall filter, you can probably change the order of terms, for example term 3 > term 2 > term 1 > term 20. Ideally it should still work in the order you have specified.

    3. You can also add an action to count the packets in each term to confirm whether the specific filter term is getting hit or not.

    Hope this helps.



  • 3.  RE: Firewall filter not working as intended
    Best Answer

    Posted 03-23-2017 07:46

    I solved this by applying the filter to the lo0 interface, which affects traffic destined for the routing engine on that switch; so this worked for me, since it was restricting access to switch management I was going for. Also used a prefix list for the source, which is handy. Here's the final filter:


    prefix-list MANAGEMENT {
        10.1.2.0/24;
        10.2.12.60/32;
    }

    filter HTTPS-SSH {
        term 1 {
            from {
                source-prefix-list {
                    MANAGEMENT;
                }
            }
            then accept;
        }
        term 2 {
            from {
                destination-port https;
            }
            then {
                discard;
            }
        }
        term 3 {
            from {
                destination-port ssh;
            }
            then {
                discard;
            }
        }
        term 4 {
            then accept;
        }
    }

    set interfaces lo0 unit 0 family inet filter input HTTPS-SSH
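    The question in post 1 (does a stateless filter need terms for the return traffic), the per-term counters suggested in post 2, and the lo0 filter in the best answer can all be walked through with the following added example. It is not code from the thread or from Juniper: a small Python model of first-match term evaluation with the two posted filters transcribed into it. The station address 10.2.12.60 and the MANAGEMENT prefixes come from the thread; the lab-host and switch addresses (192.0.2.x, 198.51.100.x) and the port numbers standing in for the Junos service names (domain, http, https, ntp, ldap, dhcp, ssh) are constructed for the example.

```python
"""Toy model of Junos stateless firewall-filter evaluation (added example,
not code from the thread or from Juniper). Terms are checked in order and
the first match decides; a filter ends in an implicit discard."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""     # only meaningful when proto == "icmp"


@dataclass(frozen=True)
class Term:
    """Every populated match field must match (AND); within a field any
    listed value matches (OR); an empty field is a wildcard."""
    name: str
    action: str             # "accept", "reject" or "discard"
    src_prefixes: tuple = ()
    dst_prefixes: tuple = ()
    protocols: tuple = ()
    sports: tuple = ()
    dports: tuple = ()
    icmp_types: tuple = ()

    def matches(self, p: Packet) -> bool:
        def in_prefixes(addr, nets):
            return not nets or any(ip_address(addr) in ip_network(n) for n in nets)

        def in_set(val, vals):
            return not vals or val in vals

        return (in_prefixes(p.src, self.src_prefixes)
                and in_prefixes(p.dst, self.dst_prefixes)
                and in_set(p.proto, self.protocols)
                and in_set(p.sport, self.sports)
                and in_set(p.dport, self.dports)
                and in_set(p.icmp_type, self.icmp_types))


def evaluate(terms: list, p: Packet, counters: dict = None) -> str:
    """First matching term decides; `counters` plays the role of the per-term
    `count` action suggested in post 2. No match means the implicit discard."""
    for t in terms:
        if t.matches(p):
            if counters is not None:
                counters[t.name] = counters.get(t.name, 0) + 1
            return t.action
    return "discard"


# --- Post 1: FROMG33LAB, applied as input on irb.2222 ----------------------
def build_fromg33lab(with_return_terms: bool = False) -> list:
    terms = [
        Term("1", "accept", dports=(53, 80, 443, 123, 389, 67)),   # domain http https ntp ldap dhcp
        Term("2", "accept", src_prefixes=("10.2.12.60/32",), protocols=("tcp",), dports=(22,)),
        Term("3", "accept", src_prefixes=("10.2.12.60/32",),
             icmp_types=("echo-reply", "echo-request")),
    ]
    if with_return_terms:
        # Terms the posted filter lacks: the reply half of each flow, keyed on
        # the station as destination plus the source port / ICMP type.
        terms += [
            Term("2-return", "accept", dst_prefixes=("10.2.12.60/32",),
                 protocols=("tcp",), sports=(22,)),
            Term("3-return", "accept", dst_prefixes=("10.2.12.60/32",),
                 protocols=("icmp",), icmp_types=("echo-reply",)),
        ]
    terms.append(Term("20", "reject"))
    return terms


STATION, LAB_HOST = "10.2.12.60", "192.0.2.10"    # LAB_HOST is constructed
FROMG33LAB_PACKETS = {                              # constructed sample traffic
    "ssh_request":  Packet(STATION, LAB_HOST, "tcp", sport=51515, dport=22),
    "ssh_reply":    Packet(LAB_HOST, STATION, "tcp", sport=22, dport=51515),
    "ping_request": Packet(STATION, LAB_HOST, "icmp", icmp_type="echo-request"),
    "ping_reply":   Packet(LAB_HOST, STATION, "icmp", icmp_type="echo-reply"),
    "dns_from_lab": Packet(LAB_HOST, "192.0.2.53", "udp", sport=40000, dport=53),
}


def fromg33lab_results() -> dict:
    """Verdict per packet for the posted filter and for one with return terms."""
    return {label: {name: evaluate(build_fromg33lab(label == "with_return_terms"), p)
                    for name, p in FROMG33LAB_PACKETS.items()}
            for label in ("original", "with_return_terms")}


def hit_counters(terms: list, packets) -> dict:
    """Which terms the packets land on, as per-term `count` actions would show."""
    counters: dict = {}
    for p in packets:
        evaluate(terms, p, counters)
    return counters


# --- Post 3 (best answer): HTTPS-SSH, applied as input on lo0 ----------------
MANAGEMENT = ("10.1.2.0/24", "10.2.12.60/32")
HTTPS_SSH = [Term("1", "accept", src_prefixes=MANAGEMENT),
             Term("2", "discard", dports=(443,)),
             Term("3", "discard", dports=(22,)),
             Term("4", "accept")]
SWITCH = "192.0.2.1"    # constructed address for the switch itself


def https_ssh_results() -> dict:
    packets = {   # constructed sample traffic aimed at the routing engine
        "ssh_from_station":    Packet(STATION, SWITCH, "tcp", 50000, 22),
        "https_from_mgmt_net": Packet("10.1.2.5", SWITCH, "tcp", 50000, 443),
        "ssh_from_elsewhere":  Packet("198.51.100.7", SWITCH, "tcp", 50000, 22),
        "ntp_from_elsewhere":  Packet("198.51.100.7", SWITCH, "udp", 123, 123),
    }
    return {name: evaluate(HTTPS_SSH, p) for name, p in packets.items()}


if __name__ == "__main__":
    for label, verdicts in fromg33lab_results().items():
        print(label, verdicts)
    print("term hits:", hit_counters(build_fromg33lab(), FROMG33LAB_PACKETS.values()))
    print("lo0 filter:", https_ssh_results())
```

    Run as-is, the model shows what post 1 describes: the SSH request from the station is accepted by term 2, but the reply from the lab host (source port 22, destination 10.2.12.60) matches none of terms 1 to 3 and lands on term 20, and the echo-reply fails the same way. An input filter on irb.2222 is evaluated on packets arriving from the VLAN 2222 hosts, which is exactly the reply direction of the station's SSH and ping, and a stateless filter has no connection table to recognise that reply as belonging to an accepted flow; the extra terms keyed on the reverse addresses and ports are what lets it through. On the device, `then { count NAME; accept; }` in each term and `show firewall filter FROMG33LAB` give the same per-term picture as hit_counters. For HTTPS-SSH on lo0, note that term 4 accepts every other packet aimed at the routing engine, so sources outside the MANAGEMENT prefix list lose only SSH and HTTPS; the protect-RE references in post 4 cover building a fuller control-plane filter.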



  • 4.  RE: Firewall filter not working as intended

    Posted 03-23-2017 17:16

    For a fuller discussion on customizing and creating a protect-re filter, see these free Day One publications.

    This Week: Hardening Junos Devices
    http://forums.juniper.net/t5/Day-One-Books/NEW-This-Week-Hardening-Junos-Devices-Second-Edition/ba-p/117366

    Day One Book: Securing the Routing Engine on M, MX, and T Series
    http://forums.juniper.net/t5/Day-One-Books/Day-One-Book-Securing-the-Routing-Engine-on-M-MX-and-T-Series/ba-p/92276