Junos OS

Firewall Filter logging on Lo0

  • 1.  Firewall Filter logging on Lo0

    Posted 02-20-2020 15:47

    Hi, I'm playing with firewall filters, and I've applied a simple filter to lo0.

    The purpose of the filter is to block SSH from all sources, except the ones I explicitly allow. It is applied to lo0 to filter traffic to the RE.

    Is there a way I can see hits on this filter?

    I have tried configuring 'log' and 'count', but this is apparently not supported on a loopback. At least not on the EX2200 that I'm testing with.

    Is there another way to achieve this?

    Thanks



  • 2.  RE: Firewall Filter logging on Lo0
    Best Answer

    Posted 02-20-2020 17:19

    Hi Luke Robertson,

    Greetings. I am afraid we don't have too many options, as this is a very low-end device.

    The options are syslog, analyzer, count, and log, and using all of them will give you these error messages:

    [edit interfaces lo0 unit 0 family inet]
    'filter'
    Referenced filter 'test' can not be used as Syslog not supported on the ingress loopback interface
    error: configuration check-out failed

    Referenced filter 'test' can not be used as analyzer not supported on the ingress loopback interface
    error: configuration check-out failed 

    Referenced filter 'test' can not be used as count not supported on the ingress loopback interface
    error: configuration check-out failed 

    Referenced filter 'test' can not be used as log not supported on the ingress loopback interface
    error: configuration check-out failed 

    Regards,
    Lil Dexx
    JNCIE-ENT#863, 3X JNCIP-[SP-ENT-DC], 4X JNCIA [cloud-DevOps-Junos-Design], Champions Ingenius, SSYB

    If this solves your problem, please mark this post as "Accepted Solution" so we can help others too \:)/



  • 3.  RE: Firewall Filter logging on Lo0

    Posted 02-20-2020 18:05

    I suspected that might be the case. Unfortunately, it's all I have to work with in my lab right now.

    Just glad my understanding is right, it's just the hardware.

    Thanks for your help!



  • 4.  RE: Firewall Filter logging on Lo0

    Posted 02-20-2020 17:23

    Hi Luke,

    I hope you are doing great!

    Not sure if you are using a management VLAN; if that is the case, you can do the following:


    {master:0}[edit firewall family ethernet-switching filter ssh]
    root@m14-43# show | display set
    set firewall family ethernet-switching filter ssh term 1 from destination-port ssh
    set firewall family ethernet-switching filter ssh term 1 then count ssh-block

    {master:0}[edit vlans mgmt]
    root@m14-43# show | display set
    set vlans mgmt vlan-id 501
    set vlans mgmt filter input ssh

    {master:0}[edit]
    root@m14-43# commit check
    configuration check succeeds

    {master:0}[edit]
    root@m14-43#

    If this solves your problem, please mark this post as "Accepted Solution" so we can help others too 😄

    Warm regards,
    Pablo Restrepo -
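The following is an added example, not configuration posted by anyone in this thread. It combines the two approaches discussed above: the original poster's lo0 filter that only admits SSH from permitted sources (without count or log, since the EX2200 rejects those actions on the loopback), and Pablo's management-VLAN filter extended with counters on both the allowed and the blocked term. The prefix 192.0.2.0/24, the prefix-list name MGMT-HOSTS, the filter names PROTECT-RE and COUNT-SSH, and the term and counter names are assumptions chosen for the illustration; the VLAN name mgmt and VLAN ID 501 are taken from Pablo's post.

```junos
# Added example; assumed names: MGMT-HOSTS, PROTECT-RE, COUNT-SSH, 192.0.2.0/24.

# 1. RE protection on lo0. No count/log/syslog here: the EX2200 refuses them
#    on the ingress loopback, as shown earlier in the thread.
set policy-options prefix-list MGMT-HOSTS 192.0.2.0/24
set firewall family inet filter PROTECT-RE term ALLOW-SSH from source-prefix-list MGMT-HOSTS
set firewall family inet filter PROTECT-RE term ALLOW-SSH from protocol tcp
set firewall family inet filter PROTECT-RE term ALLOW-SSH from destination-port ssh
set firewall family inet filter PROTECT-RE term ALLOW-SSH then accept
set firewall family inet filter PROTECT-RE term DENY-SSH from protocol tcp
set firewall family inet filter PROTECT-RE term DENY-SSH from destination-port ssh
set firewall family inet filter PROTECT-RE term DENY-SSH then discard
# A filter ends in an implicit discard. Without a final accept term, the lo0
# filter would also drop routing, NTP, DHCP and every other packet for the RE.
set firewall family inet filter PROTECT-RE term ALLOW-REST then accept
set interfaces lo0 unit 0 family inet filter input PROTECT-RE

# 2. Visibility on the management VLAN: the same allow/deny split, with a
#    counter on each term so both permitted and rejected attempts show up.
set firewall family ethernet-switching filter COUNT-SSH term SSH-ALLOWED from source-address 192.0.2.0/24
set firewall family ethernet-switching filter COUNT-SSH term SSH-ALLOWED from protocol tcp
set firewall family ethernet-switching filter COUNT-SSH term SSH-ALLOWED from destination-port ssh
set firewall family ethernet-switching filter COUNT-SSH term SSH-ALLOWED then count ssh-allowed
set firewall family ethernet-switching filter COUNT-SSH term SSH-ALLOWED then accept
set firewall family ethernet-switching filter COUNT-SSH term SSH-BLOCKED from protocol tcp
set firewall family ethernet-switching filter COUNT-SSH term SSH-BLOCKED from destination-port ssh
set firewall family ethernet-switching filter COUNT-SSH term SSH-BLOCKED then count ssh-blocked
set firewall family ethernet-switching filter COUNT-SSH term SSH-BLOCKED then discard
set firewall family ethernet-switching filter COUNT-SSH term ALLOW-REST then accept
set vlans mgmt vlan-id 501
set vlans mgmt filter input COUNT-SSH

# Commit with a rollback timer so a mistake in the lo0 filter cannot lock you
# out of the box; confirm with a plain commit once a new SSH session works.
commit confirmed 5
commit

# Read the hit counters.
show firewall filter COUNT-SSH
```

Two caveats worth keeping in mind when reading those counters. The VLAN filter sees every SSH packet entering the VLAN, including transit SSH between hosts on the VLAN, not only sessions aimed at the switch, so the ssh-blocked counter can include traffic the lo0 filter would never have seen. Conversely, it only sees traffic arriving on that VLAN: SSH reaching the RE through a routed interface on another VLAN is dropped silently by PROTECT-RE and is not counted anywhere. The `source-address` match under family ethernet-switching is the non-ELS EX syntax matching Pablo's `set vlans mgmt filter input` form; verify it with `commit check` on your release before relying on it.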



  • 5.  RE: Firewall Filter logging on Lo0

    Posted 02-20-2020 18:06

    Thanks Pablo, this also looks like a good option.

    Aside from platform limitations, is there any advantage/disadvantage to filtering at the management VLAN as opposed to filtering at the RE (Lo0)?