While it is functionally correct, I'll elaborate a bit more on this one for additional clarity:
Yes, BGP needs return traffic, but that's not really the problem here because the loopback filter is typically configured as an inbound filter, so it doesn't act on outbound traffic.
The bigger problem is that BGP can be initiated in two directions.
Let's say you have this filter on router A, and router B is your peer:
- If router B has initiated the session, then router B connects to destination-port 179/TCP on the router, and router A responds with source-port 179/TCP
- This will work with your current filter, it is properly accepting destination-port 179/TCP
- If router A initiates the session it sends out traffic with destination-port 179/TCP, and will receive responses with source-port 179/TCP
- This will not work with your current filter as it does not accept traffic with source-port 179/TCP
I would recommend changing your BGP term to not have destination-port 179, but instead use "port 179" if your platform supports it, or otherwise create a separate term to also allow source-port 179/TCP alongside this one.
Also, as it was not shared, I would just like to recommend that you use the "apply-path" filter to ensure your BGP peers prefixlist is a dynamically populated prefixlist with all your configured BGP peers (if you've already done so, then of course that's excellent) :)
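The two recommendations above, written out as an added example Junos configuration (this is not configuration from the thread or from any Juniper document). It keeps the poster's prefix-list name BGP_ROUTING_PEERS and term name T2; the apply-path expression assumes the peers are configured under protocols bgp group <*> neighbor <*>, and the filter is assumed to be a family inet filter applied to lo0 as an input filter. The other terms of PROTECT-RE stay as posted.

```junos
policy-options {
    /* Populate the peer list from the configured BGP neighbors instead of
       maintaining it by hand (assumes peers live under protocols bgp group ... neighbor ...) */
    prefix-list BGP_ROUTING_PEERS {
        apply-path "protocols bgp group <*> neighbor <*>";
    }
}
firewall {
    family inet {
        filter PROTECT-RE {
            term T2 {
                /* Allow BGP Peers in both directions:
                   - peer-initiated session: packets arrive with destination-port 179
                   - locally-initiated session: replies arrive with source-port 179
                   "port" matches either the source or the destination port */
                from {
                    source-prefix-list {
                        BGP_ROUTING_PEERS;
                    }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
        }
    }
}
```

If the platform does not accept `port` in the from clause, the equivalent is to leave T2 as it is and add a second term with the same source-prefix-list, `protocol tcp;` and `source-port bgp;`, also with `then accept;`. Before committing a change to a loopback filter, `commit confirmed 5` will roll the configuration back automatically if the filter cuts off management access again, and `show configuration policy-options prefix-list BGP_ROUTING_PEERS | display inheritance` shows which addresses the apply-path actually expanded to.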
Original Message:
Sent: 07-31-2024 16:12
From: Anonymous
Subject: Firewall Filter
This message was posted by a user wishing to remain anonymous
BGP will need a return traffic filter as well. So, source port 179 with your source address BGP peers.
And I assume you lost mgmt because you were managing it via the BGP route and you lost BGP.
Original Message:
Sent: 07-31-2024 14:54
From: Unknown User
Subject: Firewall Filter
Hello,
I applied the following filter to my loopback interface and lost MGT access and my BGP peers dropped. I have verified the prefix lists contain the correct IP address. Any help is appreciated.
filter PROTECT-RE {
    term T1 {
        /* Allow Management */
        from {
            source-prefix-list {
                MGMT_Net;
            }
            destination-port [ ssh https telnet http ntp snmp ];
        }
        then accept;
    }
    term T2 {
        /* Allow BGP Peers */
        from {
            source-prefix-list {
                BGP_ROUTING_PEERS;
            }
            protocol tcp;
            destination-port bgp;
        }
        then accept;
    }
    term T3 {
        /* Discard and Log RFC1918 */
        from {
            destination-prefix-list {
                RFC1918;
            }
        }
        then {
            log;
            discard;
        }
    }
    term T4 {
        /* Discard everything else */
        then {
            discard;
        }
    }
}
Thanks,
Matt