Junos OS

  • 1.  Filtering traffic on FXP interface

    Posted 10-27-2021 09:33
    Hello;
    I have a prefix list and firewall filter applied to the lo0.0 interface in the input direction. If I try to ssh to the loopback IP address from a PC with a random IP address, I cannot see the login prompt in the terminal window, which is expected. But when I try to ssh to the IP addresses assigned to the FXP 0 interface, the router asks me to enter a password, which is not expected, as the source address is not in the allowed list. I should not be able to see a login prompt when connecting to the FXP 0 interface on the MX router from a PC whose IP address is not in my allowed prefix list. So how can I apply my filter to the FXP interface?
    set interfaces lo0 unit 0 family inet address 10.10.1.1/32
    set interfaces lo0 unit 0 family inet filter input MGMT-FILTER
    
    set firewall filter MGMT-FILTER term SSH from prefix-list SSH
    set firewall filter MGMT-FILTER term SSH from protocol tcp
    set firewall filter MGMT-FILTER term SSH from destination-port ssh
    set firewall filter MGMT-FILTER term SSH then accept
    set firewall filter MGMT-FILTER term SSH-DENY from protocol tcp
    set firewall filter MGMT-FILTER term SSH-DENY from destination-port ssh
    set firewall filter MGMT-FILTER term SSH-DENY then discard
    set firewall filter MGMT-FILTER term DEFAULT then accept

    Prefix list:
    set policy-options prefix-list SSH 10.0.0.0/8
    set policy-options prefix-list SSH 192.168.1.0/24

    My MX router has 2 Route Engines in HA mode and its configuration is like this:

    groups
        re0
            system
                host-name mx-re0
                backup-router 172.16.10.1 destination 0.0.0.0/0
            interfaces
                fxp0
                    unit 0
                        family inet
                            address 172.16.10.100/24
                                master-only
                            address 172.16.10.101/24
    
        re1
            system
                host-name mx-re1
                backup-router 172.16.10.1 destination 0.0.0.0/0
            interfaces
                fxp0
                    unit 0
                        family inet
                            address 172.16.10.100/24
                                master-only
                            address 172.16.10.102/24


    As seen above, the FXP 0 interface IP addresses are 172.16.10.101 and 172.16.10.102, and their shared IP address is 172.16.10.100. These IP addresses are reachable for me.

    To test the filter, I have a device that I'm going to use, and its IP address is 10.20.20.1.
    Test from PC (10.20.20.1):

    pc1> ssh root@172.16.10.100
    ECDSA key fingerprint is SHA256:TQonFpuShz67EkwdcE1g.
    Are you sure you want to continue connecting (yes/no)? yes
    Password:
    Password:
    .
    .
    .
    pc1> ssh root@10.10.1.1
    ^C

    As can be seen, ssh to the loopback IP address was blocked and the password prompt was not shown to me, but I got the password prompt while ssh'ing to the IP address of the FXP 0 interface. Any idea?

    Regards;

    ------------------------------
    TAYMAZ MOHSENZADEH
    ------------------------------


  • 2.  RE: Filtering traffic on FXP interface

    Posted 10-28-2021 09:47
    Hello,

    I would say it's all working as expected.

    Your prefix-list SSH allows the IP range 10.0.0.0/8.

    And your test source IP is 10.20.20.1, so it matches the allowed range.

    BR,

    Andrei




  • 3.  RE: Filtering traffic on FXP interface

    Posted 10-28-2021 09:47
    Hello,
    The way your firewall filter is constructed, using "from prefix-list SSH" will allow all traffic from or to 10.0.0.0/8, as well as from or to 192.168.0.0/16. 

    If you want to deny traffic FROM 10.0.0.0/8 and 192.168.0.0/16, you need to use the 'from source-prefix-list SSH' in the filter. Otherwise 'from prefix-list' will look at both the source and destination IP and if either one falls into what is in the prefix-list, the term will be matched.

    ------------------------------
    Eric Van Tol
    ------------------------------
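To make the difference between the two match keywords concrete, here is a small Python model of Junos first-match term evaluation; it is an added example, not Juniper code and not from anyone in this thread. The filter terms and prefix list are the ones posted above, the test packets are constructed, and it deliberately also checks an unlisted source reaching the lo0 address 10.10.1.1, which `prefix-list` accepts because the destination is inside 10.0.0.0/8.

```python
"""Mini model of Junos firewall-filter term matching (example code)."""
from ipaddress import ip_address, ip_network

# Prefix list SSH exactly as posted in the thread.
SSH_PREFIXES = [ip_network("10.0.0.0/8"), ip_network("192.168.1.0/24")]

def in_list(addr, prefixes):
    a = ip_address(addr)
    return any(a in p for p in prefixes)

def term_matches(term, pkt):
    """A term matches only if every 'from' condition it carries is true."""
    if "protocol" in term and pkt["protocol"] != term["protocol"]:
        return False
    if "destination-port" in term and pkt["dport"] != term["destination-port"]:
        return False
    if "prefix-list" in term:  # matches if source OR destination is listed
        if not (in_list(pkt["src"], term["prefix-list"])
                or in_list(pkt["dst"], term["prefix-list"])):
            return False
    if "source-prefix-list" in term:  # matches on the source address only
        if not in_list(pkt["src"], term["source-prefix-list"]):
            return False
    return True

def evaluate(filter_terms, pkt):
    """First matching term wins, as in Junos; returns (term name, action)."""
    for term in filter_terms:
        if term_matches(term, pkt):
            return term["name"], term["then"]
    return None, "discard"  # implicit default action at the end of a filter

def mgmt_filter(match_key):
    """The thread's MGMT-FILTER, parameterised on the prefix match keyword."""
    return [
        {"name": "SSH", match_key: SSH_PREFIXES, "protocol": "tcp",
         "destination-port": 22, "then": "accept"},
        {"name": "SSH-DENY", "protocol": "tcp", "destination-port": 22,
         "then": "discard"},
        {"name": "DEFAULT", "then": "accept"},
    ]

# Constructed test packets: the OP's PC, and an unlisted source to lo0.
PKT_OP = {"src": "10.20.20.1", "dst": "172.16.10.100", "protocol": "tcp", "dport": 22}
PKT_OUTSIDER = {"src": "203.0.113.5", "dst": "10.10.1.1", "protocol": "tcp", "dport": 22}

if __name__ == "__main__":
    for key in ("prefix-list", "source-prefix-list"):
        for pkt in (PKT_OP, PKT_OUTSIDER):
            print(key, pkt["src"], "->", pkt["dst"], evaluate(mgmt_filter(key), pkt))
```

Both keywords accept the OP's 10.20.20.1 test, as Andrei notes; only `source-prefix-list` sends the unlisted source to SSH-DENY.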