Junos OS


lo0 firewall filter not blocking SSH

  • 1.  lo0 firewall filter not blocking SSH

    Posted 01-27-2020 08:58

    Hi,

    I am seeing SSH attempts to log into my router; these can be seen under 'show log messages'.

    I have the following configured on my firewall filter:

    set firewall family inet filter protect-loopback term SSH-ALLOWED from source-prefix-list xxxx
    set firewall family inet filter protect-loopback term SSH-ALLOWED from source-prefix-list xxxx
    set firewall family inet filter protect-loopback term SSH-ALLOWED from source-prefix-list xxxx
    set firewall family inet filter protect-loopback term SSH-ALLOWED from protocol tcp
    set firewall family inet filter protect-loopback term SSH-ALLOWED from destination-port ssh
    set firewall family inet filter protect-loopback term SSH-ALLOWED then accept
    set firewall family inet filter protect-loopback term SSH-DENY from protocol tcp
    set firewall family inet filter protect-loopback term SSH-DENY from destination-port ssh
    set firewall family inet filter protect-loopback term SSH-DENY then count ssh-login-reject
    set firewall family inet filter protect-loopback term SSH-DENY then discard

    I can't see anything being discarded:

    Filter: protect-loopback-lo0.0-i
    Counters:
    Name                                     Bytes     Packets
    dropped-packets-lo0.0-i                  70941         896
    ssh-login-reject-lo0.0-i                     0           0

    Where am I going wrong?

    Many thanks



  • 2.  RE: lo0 firewall filter not blocking SSH

    Posted 01-27-2020 09:26

    Hi Junos3,

    It actually looks like it isn't even hitting the filter and is being dropped by the built-in Routing Engine DDoS protector. Did you apply the filter to the lo0 interface itself?

    I recommend giving this a read:
    https://www.juniper.net/documentation/en_US/junos/topics/example/permitted-ip-configuring.html

    Basically I use the method of "I want to accept only this, and then discard/reject anything else."

    KR

    Adam



  • 3.  RE: lo0 firewall filter not blocking SSH

    Posted 01-27-2020 09:29

    Hi Adam,

    Thanks for the response.

    Yes, the filter is applied to the loopback interface: 'set interfaces lo0 unit 0 family inet filter input protect-loopback'

    The above was just a snippet of the filter rule; there is a discard at the end as well, after various other terms.



  • 4.  RE: lo0 firewall filter not blocking SSH

    Posted 01-27-2020 09:45

    Hi,

    What is dropped-packets-lo0.0-i doing? It looks like everything that is dropped or accepted by that filter is being executed there first.

    Just so you know, in a firewall filter, when you accept, it doesn't continue on through the filter list. Have you tried using the 'next term' structure?

    KR
    Adam



  • 5.  RE: lo0 firewall filter not blocking SSH

    Posted 01-27-2020 10:38

    Hi Junos3,

    The order of the terms in a firewall filter is really important: if the culprit packets are getting accepted or dropped before reaching your SSH term, you won't see the counters change.

    One easy way to confirm it is to insert the SSH terms as the first two terms of the loopback filter, using the following commands.

    insert firewall family inet filter protect-loopback term SSH-ALLOWED before term <first-term-name>
    insert firewall family inet filter protect-loopback term SSH-DENY after term SSH-ALLOWED

    If the above exercise solves your problem, please check the complete firewall filter configuration and confirm whether you see some term which might accept the SSH packets.

    If you still can't find anything wrong, you can provide the complete protect-loopback configuration.

    PS: Please accept my response as solution if it answers your query, kudos are appreciated too!

    Thanks
    Vishal





  • 6.  RE: lo0 firewall filter not blocking SSH

    Posted 01-27-2020 12:34

    Hi Junos3,

    Can you share the output of 'show firewall' from the operational prompt please?

    Cheers

    Pooja



  • 7.  RE: lo0 firewall filter not blocking SSH

    Posted 01-28-2020 01:16

    Thanks for the replies.

    The 'dropped-packets' counter is at the DENY-TERM at the end, so I am presuming it is things that haven't been accepted in the filter rules above it. This is the full firewall filter; as you can see, there is nothing above the SSH-ALLOWED term that would accept it before that?

    set firewall family inet filter protect-loopback interface-specific
    set firewall family inet filter protect-loopback term BGP-ALLOW from source-prefix-list xxxx
    set firewall family inet filter protect-loopback term BGP-ALLOW from protocol tcp
    set firewall family inet filter protect-loopback term BGP-ALLOW from destination-port bgp
    set firewall family inet filter protect-loopback term BGP-ALLOW then accept
    set firewall family inet filter protect-loopback term OSPF-ALLOW from protocol tcp
    set firewall family inet filter protect-loopback term OSPF-ALLOW from protocol ospf
    set firewall family inet filter protect-loopback term OSPF-ALLOW then accept
    set firewall family inet filter protect-loopback term SSH-ALLOWED from source-prefix-list xxxx
    set firewall family inet filter protect-loopback term SSH-ALLOWED from source-prefix-list xxxx
    set firewall family inet filter protect-loopback term SSH-ALLOWED from source-prefix-list xxxx
    set firewall family inet filter protect-loopback term SSH-ALLOWED from protocol tcp
    set firewall family inet filter protect-loopback term SSH-ALLOWED from destination-port ssh
    set firewall family inet filter protect-loopback term SSH-ALLOWED then accept
    set firewall family inet filter protect-loopback term SSH-DENY from protocol tcp
    set firewall family inet filter protect-loopback term SSH-DENY from destination-port ssh
    set firewall family inet filter protect-loopback term SSH-DENY then count ssh-login-reject
    set firewall family inet filter protect-loopback term SSH-DENY then discard
    set firewall family inet filter protect-loopback term SNMP-ALLOW from source-prefix-list xxxx
    set firewall family inet filter protect-loopback term SNMP-ALLOW from protocol udp
    set firewall family inet filter protect-loopback term SNMP-ALLOW from destination-port snmp
    set firewall family inet filter protect-loopback term SNMP-ALLOW then accept
    set firewall family inet filter protect-loopback term NTP-ALLOW from source-address x.x.x.x/32
    set firewall family inet filter protect-loopback term NTP-ALLOW from source-address x.x.x.x/32
    set firewall family inet filter protect-loopback term NTP-ALLOW from port ntp
    set firewall family inet filter protect-loopback term NTP-ALLOW then accept
    set firewall family inet filter protect-loopback term ACCEPT-LDP from protocol tcp
    set firewall family inet filter protect-loopback term ACCEPT-LDP from protocol udp
    set firewall family inet filter protect-loopback term ACCEPT-LDP from port ldp
    set firewall family inet filter protect-loopback term ACCEPT-LDP then accept
    set firewall family inet filter protect-loopback term ACCEPT-DNS from source-address x.x.x.x/32
    set firewall family inet filter protect-loopback term ACCEPT-DNS from protocol udp
    set firewall family inet filter protect-loopback term ACCEPT-DNS from source-port 53
    set firewall family inet filter protect-loopback term ACCEPT-DNS then accept
    set firewall family inet filter protect-loopback term ACCEPT-BFD from source-prefix-list xxxx
    set firewall family inet filter protect-loopback term ACCEPT-BFD from protocol udp
    set firewall family inet filter protect-loopback term ACCEPT-BFD from source-port 49152-65535
    set firewall family inet filter protect-loopback term ACCEPT-BFD from destination-port 3784-3785
    set firewall family inet filter protect-loopback term ACCEPT-BFD then accept
    set firewall family inet filter protect-loopback term ACCEPT-TACACS from source-address x.x.x.x/32
    set firewall family inet filter protect-loopback term ACCEPT-TACACS from protocol tcp
    set firewall family inet filter protect-loopback term ACCEPT-TACACS from protocol udp
    set firewall family inet filter protect-loopback term ACCEPT-TACACS from source-port tacacs
    set firewall family inet filter protect-loopback term ACCEPT-TACACS from source-port tacacs-ds
    set firewall family inet filter protect-loopback term ACCEPT-TACACS from tcp-established
    set firewall family inet filter protect-loopback term ACCEPT-TACACS then accept
    set firewall family inet filter protect-loopback term ICMP-FRAGS from is-fragment
    set firewall family inet filter protect-loopback term ICMP-FRAGS from protocol icmp
    set firewall family inet filter protect-loopback term ICMP-FRAGS then discard
    set firewall family inet filter protect-loopback term ICMP-ALLOW from source-prefix-list xxxx
    set firewall family inet filter protect-loopback term ICMP-ALLOW from protocol icmp
    set firewall family inet filter protect-loopback term ICMP-ALLOW from icmp-type echo-reply
    set firewall family inet filter protect-loopback term ICMP-ALLOW from icmp-type echo-request
    set firewall family inet filter protect-loopback term ICMP-ALLOW from icmp-type unreachable
    set firewall family inet filter protect-loopback term ICMP-ALLOW from icmp-type time-exceeded
    set firewall family inet filter protect-loopback term ICMP-ALLOW from icmp-type source-quench
    set firewall family inet filter protect-loopback term ICMP-ALLOW from icmp-type router-advertisement
    set firewall family inet filter protect-loopback term ICMP-ALLOW from icmp-type parameter-problem
    set firewall family inet filter protect-loopback term ICMP-ALLOW then accept
    set firewall family inet filter protect-loopback term TRACEROUTE-ALLOW from protocol udp
    set firewall family inet filter protect-loopback term TRACEROUTE-ALLOW from destination-port 33434-33523
    set firewall family inet filter protect-loopback term TRACEROUTE-ALLOW then accept
    set firewall family inet filter protect-loopback term DENY-TERM then count dropped-packets
    set firewall family inet filter protect-loopback term DENY-TERM then log
    set firewall family inet filter protect-loopback term DENY-TERM then discard

    show firewall log:

    show firewall

    Filter: protect-loopback-lo0.0-i
    Counters:
    Name                                     Bytes     Packets
    dropped-packets-lo0.0-i                3264163       42053
    ssh-login-reject-lo0.0-i                     0           0



  • 8.  RE: lo0 firewall filter not blocking SSH

    Posted 01-28-2020 01:49

    I have just tried adding the SSH-ALLOWED term right at the top but it still didn't seem to block the incoming connections. Maybe it is something to do with the prefix-lists not working?



  • 9.  RE: lo0 firewall filter not blocking SSH

    Posted 01-28-2020 02:04

    I think it's the terms, a little confused on deny.

    The easiest way to explain this is below.

    Set the allowed SSH IPs into a list... something like the below...

    prefix-list manager-ip {
        10.0.0.0/8;
        192.168.4.254/32;
    }

    Then we can do some cool things on the deny like... (you'd have to do the accept to the variable prefix list)

    user@host# set firewall family inet filter protect-loopback term SSH-DENY from source-prefix-list manager-ip except
    user@host# set firewall family inet filter protect-loopback term SSH-DENY from protocol tcp
    user@host# set firewall family inet filter protect-loopback term SSH-DENY from destination-port ssh
    user@host# set firewall family inet filter protect-loopback term SSH-DENY then count ssh-login-reject
    user@host# set firewall family inet filter protect-loopback term SSH-DENY then discard

    KR

    Adam


  • 10.  RE: lo0 firewall filter not blocking SSH

    Posted 01-28-2020 04:11

    Adding the SSH-ALLOWED and SSH-DENY at the top did indeed get it to work, my apologies.

    So, as you say, this term allowed any TCP protocol:

    set firewall family inet filter protect-loopback term OSPF-ALLOW from protocol tcp
    set firewall family inet filter protect-loopback term OSPF-ALLOW from protocol ospf
    set firewall family inet filter protect-loopback term OSPF-ALLOW then accept

    Does this therefore allow protocol TCP but only destined for SSH port 22?:

    set firewall family inet filter protect-loopback term SSH-ALLOWED from protocol tcp
    set firewall family inet filter protect-loopback term SSH-ALLOWED from destination-port ssh

    Thanks for your help, I am fairly new to Junos!


  • 11.  RE: lo0 firewall filter not blocking SSH

    Posted 01-28-2020 04:17

    Hello,

    @junos3 wrote:

    Does this therefore allow protocol TCP but only destined for SSH port 22?:

    set firewall family inet filter protect-loopback term SSH-ALLOWED from protocol tcp
    set firewall family inet filter protect-loopback term SSH-ALLOWED from destination-port ssh

    Yes, if there are NO OTHER terms allowing ANY TCP port above this term in the filter.

    HTH

    Thx

    Alex


  • 12.  RE: lo0 firewall filter not blocking SSH
    Best Answer

    Posted 01-28-2020 02:30

    Hello,

    You allow _ANY_ TCP port in term OSPF-ALLOW:

    @junos3 wrote:

    <skip>

    set firewall family inet filter protect-loopback term OSPF-ALLOW from protocol tcp
    set firewall family inet filter protect-loopback term OSPF-ALLOW from protocol ospf
    set firewall family inet filter protect-loopback term OSPF-ALLOW then accept

    <skip>

    Hence, your SSH attempts will always be allowed and won't even be seen/processed by the subsequent filter terms.

    HTH

    Thx
    Alex
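The first-match behaviour that Vishal's and Alex's replies describe, as an added example that is not from this thread: a small Python model of the filter's term evaluation, with constructed addresses standing in for the redacted prefix-list, showing that in the posted order an SSH attempt from an unknown host is accepted by OSPF-ALLOW, while with the SSH terms moved to the top it reaches SSH-DENY. It assumes the Junos rule that several values of one match condition are ORed within a term, and that the filter ends in an explicit discard, as the posted DENY-TERM does.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-in for the redacted "xxxx" prefix-list in the thread.
MANAGER_IPS = ["10.0.0.0/8", "192.168.4.254/32"]


def term_matches(term, pkt):
    """All match conditions of a term must hold (AND); the values listed
    for one condition are alternatives (OR), so "from protocol tcp" plus
    "from protocol ospf" matches any TCP packet. "except" negates a
    prefix-list match, as in post 9's SSH-DENY suggestion."""
    for cond, values in term["from"].items():
        if cond == "source-prefix-list":
            src = ip_address(pkt["src"])
            inside = any(src in ip_network(p) for p in values["prefixes"])
            if inside == values.get("except", False):
                return False
        elif pkt.get(cond) not in values:
            return False
    return True


def evaluate(terms, pkt):
    """First matching term decides the packet; nothing after it is consulted."""
    for term in terms:
        if term_matches(term, pkt):
            return term["name"], term["then"]
    return "DENY-TERM", "discard"   # the explicit catch-all at the end of the filter


# The three terms that matter, as posted, with named ports resolved to numbers.
OSPF_ALLOW = {"name": "OSPF-ALLOW", "from": {"protocol": {"tcp", "ospf"}}, "then": "accept"}
SSH_ALLOWED = {"name": "SSH-ALLOWED", "then": "accept",
               "from": {"source-prefix-list": {"prefixes": MANAGER_IPS},
                        "protocol": {"tcp"}, "destination-port": {22}}}
SSH_DENY = {"name": "SSH-DENY", "then": "discard",
            "from": {"protocol": {"tcp"}, "destination-port": {22}}}
# Post 9's variant: deny SSH from everything *except* the manager prefixes.
SSH_DENY_EXCEPT = {"name": "SSH-DENY", "then": "discard",
                   "from": {"source-prefix-list": {"prefixes": MANAGER_IPS, "except": True},
                            "protocol": {"tcp"}, "destination-port": {22}}}

ORIGINAL_ORDER = [OSPF_ALLOW, SSH_ALLOWED, SSH_DENY]   # order in post 7
FIXED_ORDER = [SSH_ALLOWED, SSH_DENY, OSPF_ALLOW]      # SSH terms moved to the top

# Constructed sample packets: SSH from an unknown host, SSH from a manager, an OSPF hello.
UNKNOWN_SSH = {"src": "203.0.113.9", "protocol": "tcp", "destination-port": 22}
MANAGER_SSH = {"src": "192.168.4.254", "protocol": "tcp", "destination-port": 22}
OSPF_HELLO = {"src": "10.1.1.1", "protocol": "ospf"}
```

Running `evaluate(ORIGINAL_ORDER, UNKNOWN_SSH)` returns `("OSPF-ALLOW", "accept")`, which is why the ssh-login-reject counter stayed at zero; `evaluate(FIXED_ORDER, UNKNOWN_SSH)` returns `("SSH-DENY", "discard")`.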