vSRX


Ask questions and share experiences with vSRX Virtual Firewall deployments and how to scale firewall protection.
  • 1.  Why isn't this Firewall filter working?

    Posted 02-16-2021 21:33

    I've got this applied to an interface that has an IP address of 10.4.2.17/29

    However, I can still SSH to .18 from a subnet other than the .238 subnet.

    What do I have wrong?


    /* Term A: permit SSH/HTTPS to the 10.4.2.16/29 subnet from the one trusted host */
    term A {
        from {
            source-address {
                192.168.238.32/32;
            }
            destination-address {
                10.4.2.16/29;
            }
            destination-port [ ssh https ];
        }
        then accept;
    }
    /* Term B: silently drop SSH/HTTPS to that subnet from every other source */
    term B {
        from {
            source-address {
                0.0.0.0/0;
            }
            destination-address {
                10.4.2.16/29;
            }
            destination-port [ ssh https ];
        }
        then {
            discard;
        }
    }
    /* Term C: everything else is permitted (closing brace was missing in the original paste) */
    term C {
        then accept;
    }


  • 2.  RE: Why isn't this Firewall filter working?

    Posted 02-17-2021 02:58
    In which direction have you applied the firewall filter? From what I understand of your requirements it should be applied in the outbound direction (firewall family inet filter output <filter-name>).

    ------------------------------
    --
    Jonas Hauge Klingenberg - Juniper Ambassador
    ------------------------------



  • 3.  RE: Why isn't this Firewall filter working?

    Posted 02-17-2021 07:37

    Well, you just put my brain in a pretzel!

    Why would that be outbound?

    The flow would start from outside the interface, and the destination (10.4.x.x) would be inside said interface.




  • 4.  RE: Why isn't this Firewall filter working?

    Posted 02-17-2021 08:21
    Firewall filters are seen from the router's point of view.

    Example: traffic received on ge-0/0/0.0 on a Junos device will be evaluated by the "filter input <filter-name>", whereas traffic sent out of the interface is evaluated by the "filter output <filter-name>".

    In your case traffic is received on interface X and sent out on interface Y with an IP of 10.4.2.17/29... and with your provided filter, it has to be added on the output chain.


    ------------------------------
    --
    Jonas Hauge Klingenberg - Juniper Ambassador
    ------------------------------
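    The following is an added example, not configuration from the original poster or from Juniper: it shows the filter from post 1 completed and attached in the output direction of the 10.4.2.17/29 interface, as the reply above describes. The interface name ge-0/0/1 and the filter name PROTECT-MGMT are assumptions; the term bodies are the ones posted in the question, with a count action added to term B so that discards can be verified.

```junos
/* Added example (not from the original post). Assumed names: ge-0/0/1, PROTECT-MGMT. */
interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                /* "output" because the SSH/HTTPS traffic leaves the device through this
                   interface toward 10.4.2.18; an "input" filter here would only see
                   packets arriving from the 10.4.2.16/29 side. */
                filter {
                    output PROTECT-MGMT;
                }
                address 10.4.2.17/29;
            }
        }
    }
}
firewall {
    family inet {
        filter PROTECT-MGMT {
            /* Term A: the single trusted host may reach SSH/HTTPS on the subnet */
            term A {
                from {
                    source-address {
                        192.168.238.32/32;
                    }
                    destination-address {
                        10.4.2.16/29;
                    }
                    destination-port [ ssh https ];
                }
                then accept;
            }
            /* Term B: all other sources are dropped; the counter makes hits visible */
            term B {
                from {
                    source-address {
                        0.0.0.0/0;
                    }
                    destination-address {
                        10.4.2.16/29;
                    }
                    destination-port [ ssh https ];
                }
                then {
                    count blocked-mgmt;
                    discard;
                }
            }
            /* Term C: everything else (non-SSH/HTTPS, or other destinations) passes */
            term C {
                then accept;
            }
        }
    }
}
```

    After committing, "show firewall filter PROTECT-MGMT" displays the blocked-mgmt counter; if an SSH attempt from an untrusted subnet does not increment it, the filter is attached in the wrong direction or on the wrong interface. Note that a stateless filter like this only inspects the packets passing through that one interface; it does not replace the vSRX security policies between zones.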



  • 5.  RE: Why isn't this Firewall filter working?

    Posted 02-17-2021 08:29

    Oh, duh.


    It can't apply an ACL until it knows where the traffic is destined!