Hi,
"TTL 1 then discard" would mean that if the device receives a packet that has a time-to-live value of 1 hop (which would mean that the packet would be destined for that device, but this depends on your topology and design) then as an action of the firewall filter, the packet will be discarded.
Discarded means that the packets will be dropped silently. If the action was reject, then an ICMP "destination unreachable" message would be sent back.
Please let me know if you still have any questions on this.
Regards
------------------------------
Sheetanshu Shekhar
------------------------------
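To make the two points above concrete (terms are evaluated in order, and discard versus reject differ only in whether an ICMP unreachable goes back to the sender), here is a small Python model of the protect_server filter from this thread. It is an added illustration, not Junos code or anything posted by the participants; the server address 203.0.113.10, port 443, the sample packets and the placement of the ttl-1 term as the first term are all constructed assumptions.

```python
"""Toy model of Junos firewall-filter term evaluation (added example).

Terms are tried top to bottom and the first term whose 'from' conditions
all hold decides the packet. If no term matches, Junos applies an implicit
discard at the end of the filter. "discard" drops silently; "reject" drops
and sends an ICMP destination-unreachable back to the source.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str      # source IPv4 address
    dst: str      # destination IPv4 address
    dport: int    # destination port
    ttl: int      # IP time-to-live as received


@dataclass
class Term:
    name: str
    action: str                               # "accept", "discard" or "reject"
    source_address: Optional[str] = None      # prefix, e.g. "10.10.10.0/24"
    destination_address: Optional[str] = None # host or prefix
    destination_port: Optional[int] = None
    ttl: Optional[int] = None                 # the "ttl 1" match from the thread

    def matches(self, pkt: Packet) -> bool:
        """Every configured 'from' condition must hold (they are ANDed)."""
        if self.source_address and ip_address(pkt.src) not in ip_network(self.source_address):
            return False
        if self.destination_address and ip_address(pkt.dst) not in ip_network(self.destination_address):
            return False
        if self.destination_port is not None and pkt.dport != self.destination_port:
            return False
        if self.ttl is not None and pkt.ttl != self.ttl:
            return False
        return True


def evaluate(terms: List[Term], pkt: Packet) -> Tuple[Optional[str], str, bool]:
    """Return (name of the matching term, action taken, ICMP unreachable sent?)."""
    for term in terms:
        if term.matches(pkt):
            return term.name, term.action, term.action == "reject"
    return None, "discard", False  # implicit discard at the end of a Junos filter


def build_protect_server(internal: str, server: str, port: Optional[int]) -> List[Term]:
    """Mirror the protect_server filter from the thread.

    port=None gives the requirement-2 variant: the destination-port condition
    is left out, so traffic from outside to the server on any port is rejected.
    Placing a ttl-1 discard term first is an assumption for illustration.
    """
    return [
        Term("ttl_1", "discard", ttl=1),
        Term("internal", "accept", source_address=internal),
        Term("external_to_server", "reject", destination_address=server,
             destination_port=port),
        Term("default", "accept"),
    ]


# Constructed sample configuration: internal network and protected server.
PORT_FILTER = build_protect_server("10.10.10.0/24", "203.0.113.10", 443)   # requirement 1
HOST_FILTER = build_protect_server("10.10.10.0/24", "203.0.113.10", None)  # requirement 2


if __name__ == "__main__":
    samples = [
        Packet("10.10.10.5", "203.0.113.10", 443, 64),    # inside -> server: accepted
        Packet("198.51.100.7", "203.0.113.10", 443, 64),  # outside -> port: rejected + ICMP
        Packet("198.51.100.7", "203.0.113.10", 80, 64),   # outside -> other port: default accept
        Packet("198.51.100.7", "203.0.113.10", 80, 1),    # TTL 1: silently discarded
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(PORT_FILTER, pkt), "| host filter:", evaluate(HOST_FILTER, pkt))
```

Running the script shows the difference between the two filters: with PORT_FILTER the outside packet to port 80 falls through to the default accept, while HOST_FILTER rejects it, and the TTL-1 packet is dropped by the first term before any address term is consulted, with no ICMP sent.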
Original Message:
Sent: 10-03-2023 13:33
From: SOUMEN GHOSH
Subject: Filter and term for discard any request to particular port from any outside network
I appreciate, Mr. Sheetanshu, the way you answered my previous question and this one. I managed to build the desired filter and term myself.
One thing I have noticed in an old Junos device which I have as a spare is a term like "TTL 1 then discard" written inside of a filter.
Can you please describe the meaning of that particular term?
------------------------------
SOUMEN GHOSH
Original Message:
Sent: 10-03-2023 03:54
From: Sheetanshu
Subject: Filter and term for discard any request to particular port from any outside network
Hi,
Here, for the sake of explanation, I would assume that your internal network is 10.10.10.0/24. If I understood your requirement correctly, we can create the filters in the following way.
1. The term internal in the filter below will allow access for the internal network. The term "external_to_server" will reject the traffic from any other network to the server's IP on a particular port. The term default will accept any other traffic, assuming that you want other traffic to be accepted.
set firewall family inet filter protect_server term internal from source-address 10.10.10.0/24
set firewall family inet filter protect_server term internal then accept
set firewall family inet filter protect_server term external_to_server from destination-address <server_address>
set firewall family inet filter protect_server term external_to_server from destination-port <server_port>
set firewall family inet filter protect_server term external_to_server then reject
set firewall family inet filter protect_server term default then accept
2. For requirement 2, the filter can be created in the same way as the previous filter. The only modification needed is to remove the statement with the destination port in the term "external_to_server".
Regards
------------------------------
Sheetanshu Shekhar
Original Message:
Sent: 09-30-2023 05:39
From: SOUMEN GHOSH
Subject: Filter and term for discard any request to particular port from any outside network
Dear Team
Please help me to create two filters and terms for the following conditions on a Junos router.
- discard traffic from the outside network to a particular port destined for an internal public server.
- discard any traffic from the outside network to a particular internal public server.
Thanks in advance!!!!
------------------------------
SOUMEN GHOSH
------------------------------