Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  Firewall Filter

    Posted 07-31-2024 14:55

    Hello,

    I applied the following filter to my loopback interface and lost MGT access and my BGP peers dropped. I have verified the prefix lists contain the correct IP address. Any help is appreciated.

    filter PROTECT-RE {
        term T1 {
            /* Allow Management */
            from {
                source-prefix-list {
                    MGMT_Net;
                }
                destination-port [ ssh https telnet http ntp snmp ];
            }
            then accept;
        }
        term T2 {
            /* Allow BGP Peers */
            from {
                source-prefix-list {
                    BGP_ROUTING_PEERS;
                }
                protocol tcp;
                destination-port bgp;
            }
            then accept;
        }
        term T3 {
            /* Discard and Log RFC1918 */
            from {
                destination-prefix-list {
                    RFC1918;
                }
            }
            then {
                log;
                discard;
            }
        }
        term T4 {
            then {
                discard;
            }
        }
    }

    Thanks,

    Matt



  • 2.  RE: Firewall Filter

    This message was posted by a user wishing to remain anonymous
    Posted 07-31-2024 16:12

    BGP will need a return traffic filter as well. So, source port 179 with your source address BGP peers.

    And I assume you lost mgmt because you were managing it via the BGP route and you lost BGP.




  • 3.  RE: Firewall Filter

    Posted 07-31-2024 16:17

    Thank you for the response. Would you mind providing an example of the "return traffic filter"?

    Regarding management. I am connecting to the management interface of the router. This is not advertised through BGP. Would you have any idea as to why I lost that connectivity?

    Thanks,

    Matt




  • 4.  RE: Firewall Filter

    This message was posted by a user wishing to remain anonymous
    Posted 07-31-2024 16:39

    Add this term at the TOP

    term T0 {
        /* Allow TCP Established */
        from {
            protocol tcp;
            tcp-established;
        }
        then accept;
    }

    So, this ensures that all TCP return traffic is also allowed. The firewall filters are not stateful, so any return packet coming IN to the router will be dropped if you do not explicitly allow it.

    This should take care of mgmt traffic as well.




  • 5.  RE: Firewall Filter

    Posted 07-31-2024 20:50

    That makes sense. I will test it out. Thank you for your help.




  • 6.  RE: Firewall Filter

    Posted 08-01-2024 06:00

    This will only work for traffic that is initiated by the device itself, and getting TCP return traffic (so if you are on the router and SSH'ing outbound and getting reply traffic for example). This would not explain why there are problems managing the device.

    My question for the original poster is as follows: How did you put this filter on the loopback interface? Did you put it as an input filter or an output filter? You will want to put these filters as "input" filters (and only input, not output), and looking at how your filter is phrased that is also the intent, but just making sure that you have indeed configured the filter in the correct "orientation".




  • 7.  RE: Firewall Filter

    Posted 08-01-2024 05:57

    While it is functionally correct, I'll elaborate a bit more on this one for additional clarity:

    Yes, BGP needs return traffic, but that's not really the problem here because the loopback filter is typically configured as an inbound filter, so it doesn't act on outbound traffic.

    The bigger problem is that BGP can be initiated in two directions.

    Let's say you have this filter on router A, and router B is your peer:

    • If router B has initiated the session, then router B connects to destination-port 179/TCP on the router, and router A responds with source-port 179/TCP
      • This will work with your current filter, it is properly accepting destination-port 179/TCP
    • If router A initiates the session it sends out traffic with destination-port 179/TCP, and will receive responses with source-port 179/TCP
      • This will not work with your current filter as it does not accept traffic with source-port 179/TCP

    I would recommend changing your BGP term to not have destination-port 179, but instead use "port 179" if your platform supports it, or otherwise create a separate term to also allow source-port 179/TCP alongside this one.

    Also, as it was not shared, I would just like to recommend that you use the "apply-path" filter to ensure your BGP peers prefix list is a dynamically populated prefix list with all your configured BGP peers (if you've already done so, then of course that's excellent) :)
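Pulling the thread's advice together, the following is an added example configuration written for this page; it is not the original poster's config and not anything a reply supplied verbatim. It keeps the prefix-list and term names from the first post, adds the tcp-established term from reply 4, replaces destination-port with "port bgp" so both BGP initiation directions match (reply 7), populates BGP_ROUTING_PEERS with apply-path (reply 7), and applies the filter as an input filter on lo0 (reply 6). The 192.0.2.0/24 management prefix, the RFC1918 prefix-list contents, the "protocol [ tcp udp ]" match on T1 and the DISCARD-ALL counter are my additions; adjust them to your network.

```junos
policy-options {
    prefix-list MGMT_Net {
        /* constructed example management subnet; replace with yours */
        192.0.2.0/24;
    }
    prefix-list BGP_ROUTING_PEERS {
        /* built automatically from every configured BGP neighbor */
        apply-path "protocols bgp group <*> neighbor <*>";
    }
    prefix-list RFC1918 {
        10.0.0.0/8;
        172.16.0.0/12;
        192.168.0.0/16;
    }
}
firewall {
    family inet {
        filter PROTECT-RE {
            term T0 {
                /* Return traffic for TCP sessions the router itself opened */
                from {
                    protocol tcp;
                    tcp-established;
                }
                then accept;
            }
            term T1 {
                /* Management from the management subnet only (TCP and UDP services) */
                from {
                    source-prefix-list {
                        MGMT_Net;
                    }
                    protocol [ tcp udp ];
                    destination-port [ ssh https telnet http ntp snmp ];
                }
                then accept;
            }
            term T2 {
                /* BGP in both directions: "port" matches source OR destination 179 */
                from {
                    source-prefix-list {
                        BGP_ROUTING_PEERS;
                    }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            term T3 {
                /* Discard and Log RFC1918 */
                from {
                    destination-prefix-list {
                        RFC1918;
                    }
                }
                then {
                    log;
                    discard;
                }
            }
            term T4 {
                /* Count the implicit drops so you can see what the filter is eating */
                then {
                    count DISCARD-ALL;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    /* input only; an output filter here would act on the router's own replies */
                    input PROTECT-RE;
                }
            }
        }
    }
}
```

When applying a routing-engine filter remotely, commit it with "commit confirmed" so the change rolls back automatically if you lock yourself out, then confirm once SSH and the BGP sessions are verified. Afterwards, "show firewall filter PROTECT-RE" shows the DISCARD-ALL counter climbing if legitimate traffic is still being caught by the final term, and "show firewall log" lists the packets hit by the log action in T3.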