SRX

  • 1.  Firewall Filter problem on Juniper SRX240H

    Posted 23 days ago
    Hello, I'm seeing strange behaviour of a firewall filter on a Juniper SRX 240H (JUNOS 10.0R3.10 built 2010-04-16)
    show chassis hardware 
    Hardware inventory:
    Item             Version  Part number  Serial number     Description
    Chassis                                AG3710AA0039      SRX240-hm
    Routing Engine   REV 42   750-021793   AABY9904          RE-SRX240-HM
    FPC 0                                                    FPC
      PIC 0                                                  16x GE Base PIC
    Power Supply 0  
     
    I know that the apparatus is very old and that the Junos version is very old as well.
    Here is the problem:
     
    A few days ago my company changed ISP. Now we have two links connecting the site, configured by the ISP operators with the VRRP protocol:
                                                      SRX 240
    ISP Router 1 \                                    ____________________________________
                  \                              ____| ge-0/0/8                          |
                   \ ___________________________/    |         \                         |
                    | ISP public network (VRRP)|     |          |-- vlan.2 logical int   |
                   /|__________________________|     |         /                         |
                  /                             \____| ge-0/0/9                          |
    ISP Router 2 /                                   |___________________________________|
    On the SRX side I configured two physical interfaces (one for each link) with ethernet-switching and I assigned an L3 logical interface (vlan.2):
    set interfaces interface-range wind member ge-0/0/8
    set interfaces interface-range wind member ge-0/0/9
    set interfaces interface-range wind unit 0 family ethernet-switching vlan members vlan-rete-wind
    set interfaces vlan unit 2 description VLAN-RETE-WIND-id-20
    set interfaces vlan unit 2 family inet address <public IP on ISP network>
    set security zones security-zone untrust interfaces vlan.2
    set vlans vlan-rete-wind vlan-id 20
    set vlans vlan-rete-wind l3-interface vlan.2
    In this way VRRP traffic flows without problem. Now, since the L3 logical interface has a public IP on the ISP network, I configured a firewall filter to limit SSH access to this interface. The problem is that this filter does not work as intended: traffic from ANY public IP on the Internet passes through the L3 logical interface without limitation. Here is the filter:
    set interfaces ge-0/0/5 unit 0 family inet filter input FWF-IN
    set interfaces vlan unit 2 family inet filter input FWF-IN
    set firewall filter FWF-IN term allow_ssh from address <My company public network>
    set firewall filter FWF-IN term allow_ssh from protocol tcp
    set firewall filter FWF-IN term allow_ssh from destination-port ssh
    set firewall filter FWF-IN term allow_ssh then log
    set firewall filter FWF-IN term allow_ssh then accept
    set firewall filter FWF-IN term block_ssh from protocol tcp
    set firewall filter FWF-IN term block_ssh from destination-port ssh
    set firewall filter FWF-IN term block_ssh then log
    set firewall filter FWF-IN term block_ssh then discard
    set firewall filter FWF-IN term block_telnet from destination-port telnet
    set firewall filter FWF-IN term block_telnet then discard
    set firewall filter FWF-IN term default then accept
    The same filter was applied to the old ISP interface, which was a physical interface (ge-0/0/5) since the old ISP served the site with just one link. In that case the filter worked like a charm:
                                                    SRX 240
                                                  ____________ 
                       ____________________      |            |
    Old ISP Router ---| ISP public network |-----| ge-0/0/5.0 |
                      |____________________|     |____________|
    Both the L3 logical interface of the new ISP and the physical interface of the old ISP are in the untrust zone:
    set security zones security-zone untrust screen untrust-screen
    set security zones security-zone untrust host-inbound-traffic system-services ike
    set security zones security-zone untrust host-inbound-traffic system-services ping
    set security zones security-zone untrust host-inbound-traffic system-services ssh
    set security zones security-zone untrust host-inbound-traffic protocols vrrp
    set security zones security-zone untrust interfaces ge-0/0/5.0
    set security zones security-zone untrust interfaces vlan.2
     
    I tried the following solutions, which did not work:
    (1)
    Put the FWF on the loopback interface:
    set interfaces lo0 unit 0 family inet filter input FWF-IN
     
    (2)
    Create a security policy from zone untrust to zone untrust:
    set security zones security-zone untrust address-book address public-isp-network <ISP network>
    set security policies from-zone untrust to-zone untrust policy allow_ssh_fub match source-address public-isp-network
    set security policies from-zone untrust to-zone untrust policy allow_ssh_fub match destination-address any
    set security policies from-zone untrust to-zone untrust policy allow_ssh_fub match application junos-ssh
    set security policies from-zone untrust to-zone untrust policy allow_ssh_fub then permit
    set security policies from-zone untrust to-zone untrust policy block_ssh match source-address any
    set security policies from-zone untrust to-zone untrust policy block_ssh match destination-address any
    set security policies from-zone untrust to-zone untrust policy block_ssh match application junos-ssh
    set security policies from-zone untrust to-zone untrust policy block_ssh then deny
    set security policies from-zone untrust to-zone untrust policy default match source-address any
    set security policies from-zone untrust to-zone untrust policy default match destination-address any
    set security policies from-zone untrust to-zone untrust policy default match application any
    set security policies from-zone untrust to-zone untrust policy default then permit
    set security policies from-zone untrust to-zone untrust policy allow_ssh_fub then log session-init
    set security policies from-zone untrust to-zone untrust policy allow_ssh_fub then log session-close
    set security policies from-zone untrust to-zone untrust policy block_ssh then log session-init
    set security policies from-zone untrust to-zone untrust policy block_ssh then log session-close
     
    (3)
    Assign the FWF to the physical interfaces under vlan.2 and assign them to the untrust zone:
    set interfaces ge-0/0/8 unit 0 family ethernet-switching filter input FWF-IN
    set security zones security-zone untrust interfaces ge-0/0/8.0
    set interfaces ge-0/0/9 unit 0 family ethernet-switching filter input FWF-IN
    set security zones security-zone untrust interfaces ge-0/0/9.0
    set interfaces vlan unit 2 family inet filter input FWF-IN
     
    I tried to run "show firewall log" but the output just showed that traffic from any public IP on the Internet to the new ISP interface vlan.2 was allowed. Conversely, traffic to the old ISP interface ge-0/0/5.0 was denied except for the network configured in the firewall filter.
     
    The only solution which works is to delete host-inbound-traffic on the untrust zone for the ssh service:
    delete security zones security-zone untrust host-inbound-traffic system-services ssh
     
    Of course this solution is not ideal since I can reach the router only from the trusted zone on its private IP.
    Has anyone experienced this problem? I find it very strange that the firewall filter works on the physical interface ge-0/0/5.0 and not on the L3 logical interface vlan.2.
    Thank you in advance.


    ------------------------------
    Mario Paoli
    ------------------------------


  • 2.  RE: Firewall Filter problem on Juniper SRX240H

    Posted 22 days ago

    Sounds like a bug with the virtual interface.

    The security policy you note above does not apply. These only apply to traffic that both ingresses and egresses via an SRX interface. The zone you use for a security policy where traffic terminates on the SRX is junos-host. So the policy that could replace the filter would be from untrust to junos-host.

    But I'm not sure which Junos version introduced this option, so it may not go as far back as Junos 10.

    Example:

    https://supportportal.juniper.net/s/article/SRX-Configuration-Example-How-to-limit-self-traffic-using-Security-Policies?language=en_US



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: Firewall Filter problem on Juniper SRX240H

    Posted 21 days ago

    Unfortunately, looks like junos-host was introduced in 11.4. Dug this up:

    https://supportportal.juniper.net/s/article/SRX-How-to-log-the-host-inbound-traffic-in-syslog?language=en_US

    What about using an ethernet-switching firewall filter applied on the two ports instead of an inet filter on vlan.2? I think ethernet-switching filters may still be able to match IP address and port number and do the job ...



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 4.  RE: Firewall Filter problem on Juniper SRX240H

    Posted 21 days ago

    There's also another possible workaround (I've used this to place system services on "custom" ports before said services supported changing the port number they listen on, though I don't know how well it would work in Junos 10):

    1. set up a loopback interface with some private IP
    2. put the loopback interface in a new zone with ssh enabled (say, zone "local")
    3. disable ssh on the untrust zone
    4. add dnat rule from zone untrust, ip of vlan.2, port 22 (or whatever port you like) -> dnat pool with address of the loopback interface, port 22
    5. policy / policies from-zone untrust to-zone local to control who can and can't connect
    6. if vlan.2 is in a non-default routing instance, it will need the loopback interface route imported


    ------------------------------
    Nikolay Semov
    ------------------------------
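The six steps above written out as Junos set commands, added here as an illustration and not taken from the thread or from Juniper documentation. The loopback address 10.255.255.1/32, the zone name "local", the pool, rule-set and policy names, and the two angle-bracket placeholders (the vlan.2 public IP and the company network) are all assumptions to be replaced with real values.

```junos
# Step 1: loopback with a private address that will be the real SSH target (assumed address)
set interfaces lo0 unit 0 family inet address 10.255.255.1/32

# Step 2: new zone "local" holding lo0.0; SSH is accepted inbound only here
set security zones security-zone local interfaces lo0.0
set security zones security-zone local host-inbound-traffic system-services ssh

# Step 3: SSH is no longer accepted directly on the untrust zone (vlan.2)
delete security zones security-zone untrust host-inbound-traffic system-services ssh

# Step 4: destination NAT for port 22 on the vlan.2 public IP -> loopback address, port 22
set security nat destination pool ssh-to-lo0 address 10.255.255.1/32 port 22
set security nat destination rule-set mgmt-ssh from zone untrust
set security nat destination rule-set mgmt-ssh rule ssh-vlan2 match destination-address <vlan.2 public IP>/32
set security nat destination rule-set mgmt-ssh rule ssh-vlan2 match destination-port 22
set security nat destination rule-set mgmt-ssh rule ssh-vlan2 then destination-nat pool ssh-to-lo0

# Step 5: policies untrust -> local decide who may reach SSH; zone-level address-book
# is used because that is the Junos 10 style shown earlier in the thread
set security zones security-zone untrust address-book address company-net <My company public network>
set security policies from-zone untrust to-zone local policy allow-mgmt-ssh match source-address company-net
set security policies from-zone untrust to-zone local policy allow-mgmt-ssh match destination-address any
set security policies from-zone untrust to-zone local policy allow-mgmt-ssh match application junos-ssh
set security policies from-zone untrust to-zone local policy allow-mgmt-ssh then permit
set security policies from-zone untrust to-zone local policy allow-mgmt-ssh then log session-init
# explicit logged deny so refused SSH attempts show up in the traffic log
set security policies from-zone untrust to-zone local policy deny-rest match source-address any
set security policies from-zone untrust to-zone local policy deny-rest match destination-address any
set security policies from-zone untrust to-zone local policy deny-rest match application any
set security policies from-zone untrust to-zone local policy deny-rest then deny
set security policies from-zone untrust to-zone local policy deny-rest then log session-init

# Step 6: only needed if vlan.2 sits in a non-default routing instance; the loopback route
# must then be reachable from that instance (e.g. via a rib-group), which is not shown here
```

After commit, "show security nat destination rule all" shows whether the DNAT rule is being hit, and "show security flow session destination-port 22" shows which sessions were permitted or denied by the untrust-to-local policies.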



  • 5.  RE: Firewall Filter problem on Juniper SRX240H

    Posted 5 days ago

    Hello.

    Thanks for all your kind replies. I will give the proposed solutions a try and give feedback as soon as I can.

    Mario Paoli



    ------------------------------
    MARIO PAOLI
    ------------------------------