Junos OS

Expand all | Collapse all

Management ACL

Jump to Best Answer
  • 1.  Management ACL

    Posted 08-21-2019 05:25

    Hey Guys,

     

    I am having a little issue restricting managment traffic. This if for a MX104 Software version 13.3R9.13. Here is a snippet of my ACL config attached to the loopback interface. 

     

    set interfaces lo0 unit 0 family inet filter input MGMT

    set policy-options prefix-list MGMT_Net x.x.x.x24
    set policy-options prefix-list MGMT_Net x.x.x.x/24

    set firewall family inet filter MGMT term T1 from source-prefix-list MGMT_Net except
    set firewall family inet filter MGMT term T1 from destination-port ssh
    set firewall family inet filter MGMT term T1 from destination-port https
    set firewall family inet filter MGMT term T1 from destination-port telnet
    set firewall family inet filter MGMT term T1 from destination-port http
    set firewall family inet filter MGMT term T1 then discard
    set firewall family inet filter MGMT term accept_everything_else then accept

     

     

    I am new to Juniper (long time cisco guy), so forgive my ignorance.

     

    Thanks,

     

    Matt



  • 2.  RE: Management ACL
    Best Answer

     
    Posted 08-21-2019 06:00

    Hi Matt,

     

    When using the term except, I think a wider set has to be defined out of which you except a smaller subset.

     

    Please try the below config and let me know if it works.

    set interfaces lo0 unit 0 family inet filter input MGMT

    set firewall family inet filter MGMT term T1 from source-address x.x.x.x/24 except

    set firewall family inet filter MGMT term T1 from source-address x.x.x.x/24 except

    set firewall family inet filter MGMT term T1 from source-address 0.0.0.0/0
    set firewall family inet filter MGMT term T1 from destination-port ssh
    set firewall family inet filter MGMT term T1 from destination-port https
    set firewall family inet filter MGMT term T1 from destination-port telnet
    set firewall family inet filter MGMT term T1 from destination-port http
    set firewall family inet filter MGMT term T1 then discard
    set firewall family inet filter MGMT term accept_everything_else then accept

     

    Instead of prefix-list, try adding both the subnets individually to the filter.

     

    Thanks and Regards,

    Pradeep Kumar.



  • 3.  RE: Management ACL

    Posted 08-21-2019 06:22

    Thank you so much for your reply. Adding the following seems to have done the trick.

     

    set firewall family inet filter MGMT term T1 from source-address 0.0.0.0/0

     

    I was able to keep the prefix list though. I like the idea of modifying a prefix list versus the filter directly. Do you mind elaborating a little bit, because my understanding of the except keyword was to basically invert whatever IP you pass to it.

     

    Thanks Again,

     

    Matt



  • 4.  RE: Management ACL

     
    Posted 08-21-2019 09:02

    Hi Matt,

     

    As you have already tried, it works with prefix list as well. Suggested to try source-address instead of prefix-list to help understand better. Also your understanding of the keyword except is also correct just that you also should define the address set from which you would like to invert the selection of IP's.

     

    Please read through the examples at https://www.juniper.net/documentation/en_US/junos/topics/concept/firewall-filter-stateless-match-conditions-address-fields.html#jd0e218 for further understanding. When you just mention the prefix-list, all other addresses implicitly do not match this condition.

     

    Instead of using except and discard in combination, the below config serves the same purpose.

     

    set interfaces lo0 unit 0 family inet filter input MGMT

    set policy-options prefix-list MGMT_Net x.x.x.x24
    set policy-options prefix-list MGMT_Net x.x.x.x/24

    set firewall family inet filter MGMT term T1 from source-prefix-list MGMT_Net

    set firewall family inet filter MGMT term T1 then accept
    set firewall family inet filter MGMT term T2 from destination-port ssh
    set firewall family inet filter MGMT term T2 from destination-port https
    set firewall family inet filter MGMT term T2 from destination-port telnet
    set firewall family inet filter MGMT term T2 from destination-port http

    set firewall family inet filter MGMT term T2 then discard
    set firewall family inet filter MGMT term accept_everything_else then accept

     

    T1 -> Allows all traffic for the selected prefix list, for the rest of the IP's T2 will block the ports mentioned and accept_everything_else accepts rest of the traffic for all the IP's.

     

    Thanks,
    Pradeep
    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!



  • 5.  RE: Management ACL

     
    Posted 08-21-2019 11:06

    Hi! 

     

         Can you please confirm that the prefexes MGMT_Net contains set of IPs that you want to allow or restrict ?? 

     

         What you have configured should basically allow hosts in MGMT_Net to do ssh,telnet,http, https to the MX104. And should restrict others.

     

    Here is an example for the same for same (example is to allow bgp port 179 traffic) : https://www.juniper.net/documentation/en_US/junos/topics/example/firewall-filter-stateless-example-prefix-list.html

     

         If you want to restrict traffic from MGMT_Net then just remove "except" and you will start restricting traffic from MGMT_Net.

     

    Regards

    Arpit