So, today when I implemented the firewall filter below, I was locked out from the device completely.
set firewall family inet filter filter_bgp179 term 1 from source-address HIDDEN/32
set firewall family inet filter filter_bgp179 term 1 from destination-port bgp
set firewall family inet filter filter_bgp179 term 1 then accept
set firewall family inet filter filter_bgp179 term 2 then reject
set interfaces lo0 unit 1 family inet filter input filter_bgp179
The above comes from https://www.juniper.net/documentation/en_US/junos/topics/topic-map/bgp-tcp-sessions.html
Did a commit check and all was fine, committed it, and then I lost connection to the device. Why? I'm connected with SSH to the device, and the filter is only for the BGP port.
Do I need to do the SSH filter before to allow our traffic because of the reject in term 2? But that filter is bgp only?
Searched and found this on the forum: https://forums.juniper.net/t5/Junos/Filter-SSH-access-in-interfaces-and-BGP-neighbors/m-p/268655
Is the above way better than the first solution that I posted?
I understand you applied the firewall in the loopback, correct?
With that firewall you are only going to accept BGP and will reject the rest of the traffic going up to the RE.
When you apply a filter to the loopback, it is applied logically to all the interfaces. So you need to have a default accept policy to accept the rest of the traffic.
As per your configuration, once you remove the term 2 reject, it will work.
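As an added illustration (not configuration from this thread or from Juniper's documentation), here is the filter as posted beside a version that keeps the intent of restricting port 179 to the known peer while still letting management and other control-plane traffic reach the RE. PEER-ADDRESS/32 is a placeholder for the real neighbor, and the term names are my own; note that a Junos filter ends in an implicit discard, so simply deleting term 2 is not enough and the final term has to accept explicitly.

```junos
# --- As posted: locks out everything except BGP from the peer ---
# Any packet that is not BGP from PEER-ADDRESS hits term 2 and is
# rejected; with the filter on lo0 that includes the SSH session.
set firewall family inet filter filter_bgp179 term 1 from source-address PEER-ADDRESS/32
set firewall family inet filter filter_bgp179 term 1 from destination-port bgp
set firewall family inet filter filter_bgp179 term 1 then accept
set firewall family inet filter filter_bgp179 term 2 then reject
set interfaces lo0 unit 1 family inet filter input filter_bgp179

# --- Corrected: only port 179 is restricted, the rest is accepted ---
# bgp-from-peer: BGP from the configured neighbor is allowed.
set firewall family inet filter filter_bgp179 term bgp-from-peer from source-address PEER-ADDRESS/32
set firewall family inet filter filter_bgp179 term bgp-from-peer from protocol tcp
set firewall family inet filter filter_bgp179 term bgp-from-peer from destination-port bgp
set firewall family inet filter filter_bgp179 term bgp-from-peer then accept
# bgp-other: BGP to the RE from anyone else is dropped and counted,
# which is the protection the filter was meant to provide.
set firewall family inet filter filter_bgp179 term bgp-other from protocol tcp
set firewall family inet filter filter_bgp179 term bgp-other from destination-port bgp
set firewall family inet filter filter_bgp179 term bgp-other then count bgp-other-dropped
set firewall family inet filter filter_bgp179 term bgp-other then discard
# everything-else: explicit accept; without this term the implicit
# discard at the end of the filter would still block SSH.
set firewall family inet filter filter_bgp179 term everything-else then accept
set interfaces lo0 unit 1 family inet filter input filter_bgp179
```

Applying a loopback filter with `commit confirmed` rolls the change back automatically if the SSH session is lost and the commit is never confirmed.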
Yeah, that was what I thought also that I did it in the wrong order. ^^
A quick update: once I removed term 2 and checked, it was still inaccessible, even though I have an SSH filter applied before that was working.
Once I entered the BGP filter I lost connection to the device.
Can you share your entire firewall filter configuration?
user@host> show configuration firewall | display set
user@host> show configuration interfaces | display set | match filter