Junos OS

  • 1.  Firewall filter "except" doubt

    Posted 08-27-2021 14:06
    Hi,

    I have an MX router connecting to two ISPs. I want to implement a simple inbound filter on the uplink interfaces to block BGP connection attempts except from the configured ISP peers. I have the following configuration:

    set policy-options prefix-list ISP_peers apply-path "protocols bgp group <*> neighbor <*>"
    set firewall family inet filter allow_inbound term bgp from source-prefix-list ISP_peers except
    set firewall family inet filter allow_inbound term bgp from port bgp
    set firewall family inet filter allow_inbound term bgp then reject

    The above configuration seems to be reasonable, but it is not working, i.e., it does not block unwanted BGP connection attempts. Is anything wrong?

    John

    ------------------------------
    John Gerro
    ------------------------------


  • 2.  RE: Firewall filter "except" doubt

    Posted 08-28-2021 05:44
    From what I'm seeing here
    https://www.juniper.net/documentation/us/en/software/junos/routing-policy/topics/concept/firewall-filter-stateless-match-conditions-address-fields.html

    except may not work with source-prefix-list but rather only with address/source-address/destination-address.

    Here's an alternative way to accomplish this, however.

    set policy-options prefix-list ISP_peers apply-path "protocols bgp group <*> neighbor <*>"
    set firewall family inet filter allow_inbound term bgp-peers from source-prefix-list ISP_peers
    set firewall family inet filter allow_inbound term bgp-peers from port bgp
    set firewall family inet filter allow_inbound term bgp-peers then accept
    set firewall family inet filter allow_inbound term bgp-all-else from port bgp
    set firewall family inet filter allow_inbound term bgp-all-else then reject

    Accept your configured peers, reject all other requests to/from port 179.


    ------------------------------
    Bryton Herdes
    next-hopself.net
    JNCIE-SP #3023
    JNCIE-DC #401
    ------------------------------



  • 3.  RE: Firewall filter "except" doubt

    Posted 08-28-2021 05:44
    You lack an IP match. You have an exception match, but an exception to what? To nothing for now :)

    set policy-options prefix-list Any-v4 0.0.0.0/0
    set firewall family inet filter allow_access_in term bgp from source-prefix-list Any-v4
    insert firewall family inet filter allow_access_in term bgp from source-prefix-list Any-v4 after isp-peer
    (previous line is redundant, but this way you understand that the Any-v4 source pfxlist should be the last one, as the exceptions must be the first ones)
    set firewall family inet filter allow_access_in term bgp from protocol tcp
    (previous line has nothing to do with your question BUT it's a good practice)

    And I would suggest using discard instead of reject.

    ------------------------------
    Olivier Benghozi
    ------------------------------



  • 4.  RE: Firewall filter "except" doubt

    Posted 08-29-2021 05:22
    By the way, since you write that «it does not block unwanted BGP connection attempts», I suppose that you have the appropriate default/catch-all last term with a «then accept», or a subsequent term to blindly accept tcp+port bgp.


    ------------------------------
    Olivier Benghozi
    ------------------------------
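The three filter variants discussed in posts 2, 3 and 4 can be checked offline with a small model of how Junos evaluates a stateless filter. The model below is an added example, not code from the thread or from Juniper; it assumes the documented address-field behaviour (the longest prefix containing the address decides, and the term does not match if that prefix is marked except or if no prefix contains the address), that terms are evaluated in order with the first match deciding, that a term with no from conditions matches every packet, and that a filter ends with an implicit discard. The peer addresses and packets are constructed sample data (RFC 5737 documentation ranges); the helper names are invented for the example.

```python
import ipaddress

# Constructed sample data: two ISP peers, as apply-path
# "protocols bgp group <*> neighbor <*>" would collect them.
ISP_PEERS = ["198.51.100.1", "203.0.113.1"]
BGP_PORT = 179


def address_matches(src, prefixes):
    """Model of Junos address-field matching (assumption, see lead-in):
    the longest prefix containing the address decides; if that prefix is
    marked except, or no prefix contains the address, the condition fails.
    prefixes is a list of (network, is_except) tuples."""
    addr = ipaddress.ip_address(src)
    best = None
    for net_str, is_except in prefixes:
        net = ipaddress.ip_network(net_str)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, is_except)
    return best is not None and not best[1]


def term_matches(term, pkt):
    """All conditions of a term must hold; a term with no 'from' matches everything."""
    cond = term.get("from", {})
    if "source-prefixes" in cond and not address_matches(pkt["src"], cond["source-prefixes"]):
        return False
    if "protocol" in cond and pkt["protocol"] != cond["protocol"]:
        return False
    # Junos 'port' matches either the source or the destination port.
    if "port" in cond and cond["port"] not in (pkt["sport"], pkt["dport"]):
        return False
    return True


def evaluate(terms, pkt):
    """Terms are tried in order; the first match decides. With no matching
    term the packet is discarded (the implicit discard at the end of a filter)."""
    for term in terms:
        if term_matches(term, pkt):
            return term["name"], term["then"]
    return "implicit", "discard"


# The catch-all accept that post 4 supposes the original poster has as last term.
CATCH_ALL = {"name": "default", "then": "accept"}


def filter_original():
    """Post 1: only 'except' entries, so the address condition never matches."""
    peers = [(p + "/32", True) for p in ISP_PEERS]
    return [{"name": "bgp", "from": {"source-prefixes": peers, "port": BGP_PORT}, "then": "reject"},
            CATCH_ALL]


def filter_with_any_v4():
    """Post 3: 0.0.0.0/0 is the positive match, the peers are longer 'except' prefixes."""
    peers = [(p + "/32", True) for p in ISP_PEERS] + [("0.0.0.0/0", False)]
    return [{"name": "bgp", "from": {"source-prefixes": peers, "protocol": "tcp", "port": BGP_PORT},
             "then": "discard"},
            CATCH_ALL]


def filter_two_terms(restrict_reject_to_bgp=True):
    """Post 2: accept the peers, then reject remaining port-179 traffic.
    With restrict_reject_to_bgp=False the second term has no 'from' and
    therefore rejects all non-peer traffic, not only BGP."""
    peers = [(p + "/32", False) for p in ISP_PEERS]
    reject_from = {"port": BGP_PORT} if restrict_reject_to_bgp else {}
    return [{"name": "bgp-peers", "from": {"source-prefixes": peers, "port": BGP_PORT}, "then": "accept"},
            {"name": "bgp-all-else", "from": reject_from, "then": "reject"},
            CATCH_ALL]


def packet(src, dport, sport=40000, protocol="tcp"):
    return {"src": src, "protocol": protocol, "sport": sport, "dport": dport}


# Constructed test packets: a configured peer, an unknown host opening BGP,
# and the same unknown host opening SSH.
PEER_BGP = packet("198.51.100.1", BGP_PORT)
STRANGER_BGP = packet("192.0.2.7", BGP_PORT)
STRANGER_SSH = packet("192.0.2.7", 22)

if __name__ == "__main__":
    variants = [("original", filter_original()), ("any-v4 + except", filter_with_any_v4()),
                ("two terms", filter_two_terms()), ("two terms, no port on last", filter_two_terms(False))]
    for label, terms in variants:
        for pname, pkt in [("peer bgp", PEER_BGP), ("stranger bgp", STRANGER_BGP), ("stranger ssh", STRANGER_SSH)]:
            print(f"{label:28} {pname:13} -> {evaluate(terms, pkt)}")
```

Running the block prints one decision per filter and packet. The original filter lets the unknown host's BGP connection reach the catch-all accept, which is the symptom described in post 1; both corrected variants block it while leaving the configured peer and unrelated traffic untouched. The last variant shows why the rejecting term needs its own port match: without any from condition it would also reject the SSH packet.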