Junos OS


Firewall for BGP and SSH, what went wrong?

  • 1.  Firewall for BGP and SSH, what went wrong?

    Posted 08-25-2020 09:22

    So, today when I implemented the firewall filter below, I was locked out from the device completely.

    set firewall family inet filter filter_bgp179 term 1 from source-address HIDDEN/32
    set firewall family inet filter filter_bgp179 term 1 from source-address HIDDEN/32
    set firewall family inet filter filter_bgp179 term 1 from destination-port bgp
    set firewall family inet filter filter_bgp179 term 1 then accept
    set firewall family inet filter filter_bgp179 term 2 then reject

    set interfaces lo0 unit 1 family inet filter input filter_bgp179

    The above comes from https://www.juniper.net/documentation/en_US/junos/topics/topic-map/bgp-tcp-sessions.html

    Did a commit check and all was fine, committed it and then I lost connection to the device. Why? I'm connected with SSH to the device, and the filter is only for the BGP port.

    Do I need to do the SSH filter before to allow our traffic because of the reject in term 2? But that filter is BGP only?

    Searched and found this on the forum: https://forums.juniper.net/t5/Junos/Filter-SSH-access-in-interfaces-and-BGP-neighbors/m-p/268655

    Is the above way better than the first solution that I posted?



  • 2.  RE: Firewall for BGP and SSH, what went wrong?

    Posted 08-25-2020 10:29

    Hello Tideman

    I understand you applied the firewall on the loopback, correct?

    With that firewall you are only going to accept BGP and will reject the rest of the traffic going up to the RE.

    Regards,



  • 3.  RE: Firewall for BGP and SSH, what went wrong?
    Best Answer

    Posted 08-25-2020 10:43

    Hi,

    When you apply a filter to the loopback policy it will be applied logically to all the interfaces. So, you need to have a default accept policy to accept the rest of the traffic.

    As per your configuration, once you remove the term 2 reject, it will work.



  • 4.  RE: Firewall for BGP and SSH, what went wrong?

    Posted 08-25-2020 22:06

    Yeah, that was what I thought also that I did it in the wrong order. ^^



  • 5.  RE: Firewall for BGP and SSH, what went wrong?

    Posted 08-26-2020 00:37

    A quick update: once I removed term 2 and checked, it was still inaccessible. Even though I have an SSH filter applied before that was working.

    Once I entered the BGP filter I lost connection to the device.



  • 6.  RE: Firewall for BGP and SSH, what went wrong?

    Posted 08-26-2020 01:02

    Hello Tideman,

    Can you share your entire firewall filter configuration?

    user@host> show configuration firewall | display set
    user@host> show configuration interfaces | display set | match filter
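As an added example (not configuration from this thread or from Juniper's documentation) of the advice in posts 3 and 5: one lo0 input filter that keeps both BGP and SSH reachable and ends in an explicit terminal term, so the implicit discard at the end of a Junos filter never silently drops management traffic. The peer addresses 203.0.113.1/32 and 203.0.113.2/32, the management prefix 192.0.2.0/24 and the filter name protect-re are placeholders.

```junos
# Added example, not the thread's own config. Addresses are placeholders.
# Term 1: BGP from the two peers only (adds "protocol tcp", which the
# original term lacked, so only TCP/179 matches here).
set firewall family inet filter protect-re term bgp-peers from source-address 203.0.113.1/32
set firewall family inet filter protect-re term bgp-peers from source-address 203.0.113.2/32
set firewall family inet filter protect-re term bgp-peers from protocol tcp
set firewall family inet filter protect-re term bgp-peers from destination-port bgp
set firewall family inet filter protect-re term bgp-peers then accept
# Term 2: SSH to the RE, but only from the management network.
set firewall family inet filter protect-re term ssh-mgmt from source-address 192.0.2.0/24
set firewall family inet filter protect-re term ssh-mgmt from protocol tcp
set firewall family inet filter protect-re term ssh-mgmt from destination-port ssh
set firewall family inet filter protect-re term ssh-mgmt then accept
# Terminal term: without it, everything unmatched hits the implicit discard.
# Start with accept (same reachability as before the filter existed), verify
# sessions and routing protocols still work, then tighten this term later.
set firewall family inet filter protect-re term default then accept
# "filter input" takes a single filter per unit and family, so this replaces
# any filter already applied there (which is why a separate SSH filter stops
# protecting the RE the moment a BGP-only filter is applied in its place).
set interfaces lo0 unit 1 family inet filter input protect-re
# Commit with an automatic rollback so a mistake cannot lock you out:
# if "commit" is not issued again within 5 minutes, the change is undone.
commit confirmed 5
```

If several separate filters are wanted, `family inet filter input-list [ f1 f2 ]` chains them on the same unit instead of replacing one with the other.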