Junos OS

Firewall Filter not working as intended - DNS allowed but still "blocked"

  • 1.  Firewall Filter not working as intended - DNS allowed but still "blocked"

    Posted 10-06-2022 17:27
    Hello all -- trying to restrict devices on a vlan/subnet to only DNS queries and HTTPS. Don't want the rest of the network accessing said subnet. Just want DNS queries to our local dns servers - who then forward the responses over...then HTTPS connections out.

    So far I have this as a filter (see below). An NSLOOKUP to a public website times out. A Wireshark on the client shows only the requests from the client - no traffic being returned. And incidentally, none of my FF counters show anything at all - you would assume the reject counter would increment at least (??). Using the "domain" protocol keyword in Junos did nothing different either - I thought to separate it via UDP and TCP.

    The filter is set as an output filter on the IRB (vlan) interface of our building core switch as shown (EX 4300)....   any help would be appreciated! Thanks...Dennis
    unit 23 {
        description "US Credit Subnet";
        family inet {
            filter {
                output CREDIT-RESTRICT;
            }
            address 10.2.3.1/24;
        }
    }
    *************************************************************************
    filter CREDIT-RESTRICT {
        term DNS-UDP {
            from {
                source-prefix-list {
                    CREDIT-NETS;
                }
                protocol udp;
                destination-port 53;
            }
            then {
                count CREDIT-COUNT-DNS-UDP;
                accept;
            }
        }
        term DNS-TCP {
            from {
                source-prefix-list {
                    CREDIT-NETS;
                }
                protocol tcp;
                destination-port 53;
            }
            then {
                count CREDIT-COUNT-DNS-TCP;
                accept;
            }
        }
        term HTTPS {
            from {
                source-prefix-list {
                    CREDIT-NETS;
                }
                destination-port https;
            }
            then {
                count CREDIT-COUNT-HTTPS;
                accept;
            }
        }
        term REJECT {
            from {
                source-prefix-list {
                    CREDIT-NETS;
                }
            }
            then {
                count CREDIT-COUNT-REJECT;
                discard;
            }
        }
    }


    ------------------------------
    DENNIS TOPO
    ------------------------------


  • 2.  RE: Firewall Filter not working as intended - DNS allowed but still "blocked"

    Posted 10-10-2022 16:15
    Ok - my issue was self-inflicted! Had my logic wrong - the firewall filter needs to be applied to the IRB interface as INPUT, not OUTPUT! All is working now.

    ------------------------------
    DENNIS TOPO
    ------------------------------
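Why the output filter dropped the DNS replies without touching a single counter, and why input works, as an added Python model of Junos filter evaluation (first matching term wins, unmatched packets hit the implicit discard, which has no counter). This is not code from the thread or from Junos; the host addresses, the 10.2.3.0/24 contents of CREDIT-NETS and the extra SMB packet are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed from the posted address 10.2.3.1/24; the thread never shows the prefix-list body.
CREDIT_NETS = [ipaddress.ip_network("10.2.3.0/24")]

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

@dataclass
class Term:
    name: str
    action: str                      # "accept" or "discard"
    counter: Optional[str] = None
    proto: Optional[str] = None      # None = any protocol, like the posted HTTPS term
    dport: Optional[int] = None
    src_prefix: List[ipaddress.IPv4Network] = field(default_factory=list)

    def matches(self, p: Packet) -> bool:
        if self.src_prefix and not any(ipaddress.ip_address(p.src) in n for n in self.src_prefix):
            return False
        if self.proto and p.proto != self.proto:
            return False
        return self.dport is None or p.dport == self.dport

# The posted CREDIT-RESTRICT filter, term by term (https = port 443).
CREDIT_RESTRICT = [
    Term("DNS-UDP", "accept", "CREDIT-COUNT-DNS-UDP", "udp", 53, CREDIT_NETS),
    Term("DNS-TCP", "accept", "CREDIT-COUNT-DNS-TCP", "tcp", 53, CREDIT_NETS),
    Term("HTTPS", "accept", "CREDIT-COUNT-HTTPS", None, 443, CREDIT_NETS),
    Term("REJECT", "discard", "CREDIT-COUNT-REJECT", None, None, CREDIT_NETS),
]

def evaluate(filt, p: Packet, counters: dict):
    """Junos semantics: first matching term wins; no match means implicit discard, which counts nothing."""
    for term in filt:
        if term.matches(p):
            if term.counter:
                counters[term.counter] = counters.get(term.counter, 0) + 1
            return term.action, term.name
    return "discard", "<implicit>"

def simulate(direction: str):
    """Verdicts and counters for the packets an IRB filter sees in one direction.
    Constructed hosts: 10.2.3.50 is a VLAN client, 10.1.1.10 the local DNS server."""
    query = Packet("10.2.3.50", "10.1.1.10", "udp", 53)     # client -> DNS server
    reply = Packet("10.1.1.10", "10.2.3.50", "udp", 40000)  # DNS server -> client
    smb = Packet("10.2.3.50", "10.1.1.20", "tcp", 445)      # client -> something not allowed
    # An output filter on the IRB sees traffic routed INTO the VLAN (the replies, whose source is not
    # in CREDIT-NETS); an input filter sees what the VLAN hosts themselves send.
    seen = [reply] if direction == "output" else [query, smb]
    counters = {}
    return [evaluate(CREDIT_RESTRICT, p, counters) for p in seen], counters
```

With the filter as output, the reply never matches any term because its source is the DNS server, so it is silently discarded and every counter stays at zero, exactly what the Wireshark capture and the empty counters showed; as input, the query hits DNS-UDP and the disallowed SMB attempt hits the REJECT counter.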