Junos OS




  • 1.  Filtering traffic on FXP interface

    Posted 10-27-2021 09:33
    Hello;
    I have a prefix list and a firewall filter applied to the lo0.0 interface in the input direction. If I try to SSH to the loopback IP address from a PC with a random IP address, I do not see the login prompt in the terminal window, which is expected. But when I try to SSH to the IP addresses assigned to the fxp0 interface, the router asks me to enter a password, which is not expected, as the source address is not in the allowed list. I should not see the login prompt when connecting to the fxp0 interface on the MX router from a PC whose IP address is not in my allowed prefix list. So how can I apply my filter to the fxp0 interface?
    set interfaces lo0 unit 0 family inet address 10.10.1.1/32
    set interfaces lo0 unit 0 family inet filter input MGMT-FILTER
    
    set firewall filter MGMT-FILTER term SSH from prefix-list SSH
    set firewall filter MGMT-FILTER term SSH from protocol tcp
    set firewall filter MGMT-FILTER term SSH from destination-port ssh
    set firewall filter MGMT-FILTER term SSH then accept
    set firewall filter MGMT-FILTER term SSH-DENY from protocol tcp
    set firewall filter MGMT-FILTER term SSH-DENY from destination-port ssh
    set firewall filter MGMT-FILTER term SSH-DENY then discard
    set firewall filter MGMT-FILTER term DEFAULT then accept

    Prefix list:
    set policy-options prefix-list SSH 10.0.0.0/8
    set policy-options prefix-list SSH 192.168.1.0/24

    My MX router has 2 Route Engines in HA mode and its configuration is like this:

    groups
        re0
            system
                host-name mx-re0
                backup-router 172.16.10.1 destination 0.0.0.0/0
            interfaces
                fxp0
                    unit 0
                        family inet
                            address 172.16.10.100/24
                                master-only
                            address 172.16.10.101/24
    
        re1
            system
                host-name mx-re1
                backup-router 172.16.10.1 destination 0.0.0.0/0
            interfaces
                fxp0
                    unit 0
                        family inet
                            address 172.16.10.100/24
                                master-only
                            address 172.16.10.102/24


    As seen above, the fxp0 interface IP addresses are 172.16.10.101 and 172.16.10.102, and their shared IP address is 172.16.10.100. These IP addresses are reachable from my PC.

    To test the filter, I am using a device whose IP address is 10.20.20.1.
    Test from PC (10.20.20.1):

    pc1> ssh root@172.16.10.100
    ECDSA key fingerprint is SHA256:TQonFpuShz67EkwdcE1g.
    Are you sure you want to continue connecting (yes/no)? yes
    Password:
    Password:
    .
    .
    .
    pc1> ssh root@10.10.1.1
    ^C

    As can be seen, SSH to the loopback IP address was blocked and the password prompt was not shown, but I did get the password prompt when SSH'ing to the IP address of the fxp0 interface. Any idea?

    Regards;

    ------------------------------
    TAYMAZ MOHSENZADEH
    ------------------------------


  • 2.  RE: Filtering traffic on FXP interface

    Posted 30 days ago
    Hello,

    I would say it's all working as expected.

    Your prefix-list SSH allows the IP range 10.0.0.0/8, and your test source IP is 10.20.20.1, so it matches the allowed range.

    BR,

    Andrei




  • 3.  RE: Filtering traffic on FXP interface

    Posted 30 days ago
    Hello,
    The way your firewall filter is constructed, using "from prefix-list SSH" will allow all traffic from or to 10.0.0.0/8, as well as from or to 192.168.0.0/16. 

    If you want to deny traffic FROM 10.0.0.0/8 and 192.168.0.0/16, you need to use 'from source-prefix-list SSH' in the filter. Otherwise 'from prefix-list' will look at both the source and destination IP, and if either one falls into what is in the prefix-list, the term will be matched.

    ------------------------------
    Eric Van Tol
    ------------------------------
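
The following is an added example, not code from either reply or from the original poster. It is a small Python model of the three posted MGMT-FILTER terms that makes the point of the two replies concrete: `from prefix-list` matches when either the source or the destination address is in the list, while `from source-prefix-list` matches on the source only. The prefix list and the lo0/fxp0 addresses are copied from the post; the packet samples are constructed, and 203.0.113.5 is an assumed outside host that is not in the list. The model only covers the match logic the replies describe, not where the filter is attached, which the thread leaves open.

```python
"""Model of the posted MGMT-FILTER terms under two address-match keywords.

Added example, not Junos itself: it reproduces the matching semantics
described in the thread (prefix-list = source OR destination,
source-prefix-list = source only) so the difference can be seen on sample
packets.  Addresses 10.10.1.1 (lo0) and 172.16.10.100 (fxp0) come from the
post; 203.0.113.5 is an assumed outside host not covered by the prefix list.
"""
import ipaddress
from dataclasses import dataclass

# Prefix list exactly as posted (set policy-options prefix-list SSH ...).
PREFIX_LIST_SSH = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]


@dataclass(frozen=True)
class Packet:
    src: str       # source IPv4 address
    dst: str       # destination IPv4 address (a lo0 or fxp0 address on the router)
    protocol: str  # "tcp", "udp", "icmp", ...
    dport: int     # destination port (0 when the protocol has none)


def in_prefix_list(addr: str, prefixes) -> bool:
    """True if addr falls inside any prefix of the list."""
    ip = ipaddress.ip_address(addr)
    return any(ip in prefix for prefix in prefixes)


def address_match(pkt: Packet, keyword: str) -> bool:
    """Address part of term SSH under one of the two Junos keywords.

    "prefix-list":        source OR destination listed (what the poster configured)
    "source-prefix-list": source listed only (what reply 3 recommends)
    """
    if keyword == "prefix-list":
        return (in_prefix_list(pkt.src, PREFIX_LIST_SSH)
                or in_prefix_list(pkt.dst, PREFIX_LIST_SSH))
    if keyword == "source-prefix-list":
        return in_prefix_list(pkt.src, PREFIX_LIST_SSH)
    raise ValueError(f"unknown keyword {keyword!r}")


def mgmt_filter(pkt: Packet, keyword: str = "prefix-list") -> str:
    """Walk the three posted terms in order and return the action taken."""
    is_ssh = pkt.protocol == "tcp" and pkt.dport == 22
    # term SSH: from <keyword> SSH, protocol tcp, destination-port ssh -> accept
    if is_ssh and address_match(pkt, keyword):
        return "accept"
    # term SSH-DENY: protocol tcp, destination-port ssh -> discard
    if is_ssh:
        return "discard"
    # term DEFAULT: then accept
    return "accept"


def compare(pkt: Packet) -> dict:
    """Action under each keyword, side by side."""
    return {kw: mgmt_filter(pkt, kw) for kw in ("prefix-list", "source-prefix-list")}


if __name__ == "__main__":
    # Constructed sample packets.
    samples = [
        Packet("10.20.20.1", "172.16.10.100", "tcp", 22),   # poster's test: listed source
        Packet("203.0.113.5", "10.10.1.1", "tcp", 22),      # unlisted source, listed destination
        Packet("203.0.113.5", "172.16.10.100", "tcp", 22),  # neither address listed
        Packet("203.0.113.5", "10.10.1.1", "icmp", 0),      # non-SSH falls through to DEFAULT
    ]
    for pkt in samples:
        print(f"{pkt.src} -> {pkt.dst} {pkt.protocol}/{pkt.dport}: {compare(pkt)}")
```

The first sample is the poster's own test and is accepted under both keywords, because 10.20.20.1 is inside 10.0.0.0/8, which is the point of reply 2. The second sample is the one that matters for hardening: with the posted `from prefix-list` term, SSH to the loopback 10.10.1.1 from any source is accepted, since the destination itself sits in 10.0.0.0/8; with `from source-prefix-list`, the same packet falls to SSH-DENY and is discarded. In Junos that is the one-line change reply 3 describes, replacing `set firewall filter MGMT-FILTER term SSH from prefix-list SSH` with `set firewall filter MGMT-FILTER term SSH from source-prefix-list SSH`.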