Junos OS


Firewall filter "except" doubt

  • 1.  Firewall filter "except" doubt

    Posted 08-27-2021 14:06
    Hi,

    I have an MX router connected to two ISPs. I want to implement a simple inbound filter on the uplink interfaces to block BGP connection attempts except from the configured ISP peers. I have the following configuration:

    set policy-options prefix-list ISP_peers apply-path "protocols bgp group <*> neighbor <*>"
    set firewall family inet filter allow_inbound term bgp from source-prefix-list ISP_peers except
    set firewall family inet filter allow_inbound term bgp from port bgp
    set firewall family inet filter allow_inbound term bgp then reject

    The above configuration seems reasonable, but it is not working, i.e., it does not block unwanted BGP connection attempts. Is anything wrong?

    John

    ------------------------------
    John Gerro
    ------------------------------


  • 2.  RE: Firewall filter "except" doubt

    Posted 08-28-2021 05:44
    From what I'm seeing here
    https://www.juniper.net/documentation/us/en/software/junos/routing-policy/topics/concept/firewall-filter-stateless-match-conditions-address-fields.html

    except may not work with source-prefix-list but rather only with address/source-address/destination-address.

    Here's an alternative way to accomplish this, however.

    set policy-options prefix-list ISP_peers apply-path "protocols bgp group <*> neighbor <*>"
    set firewall family inet filter allow_inbound term bgp-peers from source-prefix-list ISP_peers
    set firewall family inet filter allow_inbound term bgp-peers from port bgp
    set firewall family inet filter allow_inbound term bgp-peers then accept
    set firewall family inet filter allow_inbound term bgp-all-else from port bgp
    set firewall family inet filter allow_inbound term bgp-all-else then reject

    Accept your configured peers, reject all other requests to/from port 179.


    ------------------------------
    Bryton Herdes
    next-hopself.net
    JNCIE-SP #3023
    JNCIE-DC #401
    ------------------------------



  • 3.  RE: Firewall filter "except" doubt

    Posted 08-28-2021 05:44
    You lack an IP match. You have an exception match, but an exception to what? To nothing for now :)

    set policy-options prefix-list Any-v4 0.0.0.0/0
    set firewall family inet filter allow_access_in term bgp from source-prefix-list Any-v4
    insert firewall family inet filter allow_access_in term bgp from source-prefix-list Any-v4 after isp-peer
    (previous line is redundant, but this way you understand that the Any-v4 source pfxlist should be the last one, as the exceptions must be the first ones)
    set firewall family inet filter allow_access_in term bgp from protocol tcp
    (previous line has nothing to do with your question BUT it's a good practice)

    And I would suggest using discard instead of reject.

    ------------------------------
    Olivier Benghozi
    ------------------------------
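
    To make the difference between the three filters in this thread concrete, here is a small Python model of how a stateless filter term evaluates an address match set that contains "except" entries. It is an added example, not Juniper code and not any poster's configuration; the matching rules it assumes (longest covering prefix decides, an "except" entry means the address condition is not met, a source covered by no entry does not meet it, first matching term wins) are modelling assumptions, so confirm them against the Junos documentation for your release. The peer and rogue addresses are constructed from documentation ranges.

```python
"""Toy model of Junos stateless firewall filter term evaluation, written to
show why an 'except'-only source-prefix-list term never matches and how the
two rewrites suggested in this thread behave.  Added example, not Juniper
code; the matching rules below are assumptions made for the model."""
from ipaddress import ip_address, ip_network

BGP_PORT = 179

# Constructed addresses (documentation ranges), not anyone's real peers.
PEERS = ["192.0.2.1", "198.51.100.1"]
ROGUE = "203.0.113.9"


def address_condition_met(src, entries):
    """entries: list of (prefix, is_except).  Assumed rule: the longest prefix
    covering src decides; an 'except' entry means the condition is NOT met,
    and a source covered by no entry at all does not meet it either."""
    src = ip_address(src)
    best = None
    for prefix, is_except in entries:
        net = ip_network(prefix)
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, is_except)
    return best is not None and not best[1]


def evaluate(terms, pkt):
    """terms: list of (name, match, action).  First matching term wins; a
    packet matching no term gets the filter's implicit discard.
    match keys: 'source' (entry list), 'port' (src or dst port), 'proto'."""
    for name, match, action in terms:
        if "source" in match and not address_condition_met(pkt["src"], match["source"]):
            continue
        if "port" in match and match["port"] not in (pkt["sport"], pkt["dport"]):
            continue
        if "proto" in match and pkt["proto"] != match["proto"]:
            continue
        return name, action
    return None, "implicit-discard"


def bgp_syn(src, sport=40000):
    """A constructed inbound TCP segment towards port 179."""
    return {"src": src, "proto": "tcp", "sport": sport, "dport": BGP_PORT}


# Each filter ends with the catch-all 'accept' term that post 4 suspects the
# original filter has; without it the implicit discard would hide the problem.
CATCH_ALL = ("catch-all", {}, "accept")

# Post 1: only 'except' entries, so the address condition is never met and
# the reject term never fires.
ORIGINAL = [
    ("bgp", {"source": [(p + "/32", True) for p in PEERS], "port": BGP_PORT}, "reject"),
    CATCH_ALL,
]

# Post 3: an explicit 0.0.0.0/0 entry for the exceptions to carve out of,
# restricted to TCP, with discard instead of reject.
WITH_ANY = [
    ("bgp", {"source": [(p + "/32", True) for p in PEERS] + [("0.0.0.0/0", False)],
             "port": BGP_PORT, "proto": "tcp"}, "discard"),
    CATCH_ALL,
]

# Post 2: accept the configured peers first, then reject everything else
# aimed at port 179 (the reject term carries the port match so that
# unrelated traffic still reaches the catch-all term).
PEERS_FIRST = [
    ("bgp-peers", {"source": [(p + "/32", False) for p in PEERS], "port": BGP_PORT}, "accept"),
    ("bgp-all-else", {"port": BGP_PORT}, "reject"),
    CATCH_ALL,
]


def outcomes(terms):
    """Return {label: action} for a configured peer's BGP attempt and a rogue one."""
    return {
        "peer": evaluate(terms, bgp_syn(PEERS[0]))[1],
        "rogue": evaluate(terms, bgp_syn(ROGUE))[1],
    }


if __name__ == "__main__":
    for label, terms in (("original", ORIGINAL), ("with-any", WITH_ANY),
                         ("peers-first", PEERS_FIRST)):
        print(f"{label:12s} {outcomes(terms)}")
```

    Running it shows the original filter accepting both the peer and the rogue attempt (the reject term is skipped for every source), while both rewrites accept the peer and block the rogue. The longest-prefix rule also lets you check mixed lists: an "except" on a /8 with a plain /16 inside it still matches sources in the /16.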



  • 4.  RE: Firewall filter "except" doubt

    Posted 08-29-2021 05:22
    By the way, since you write that «it does not block unwanted BGP connection attempts», I suppose that you have the appropriate default/catch-all last term with a «then accept», or a subsequent term to blindly accept tcp+port bgp.


    ------------------------------
    Olivier Benghozi
    ------------------------------