Hello.
Thanks for all your kind replies. I will give the proposed solutions a try and give feedback as soon as I can.
Original Message:
Sent: 08-17-2024 22:31
From: Nikolay Semov
Subject: Firewall Filter problem on Juniper SRX240H
There's also another possible workaround (I've used this to place system services on "custom" ports before said services supported changing the port number they listen on, though I don't know how well it would work in JunOS 10):
- set up a loopback interface with some private IP
- put the loopback interface in a new zone with ssh enabled (say, zone "local")
- disable ssh on the untrust zone
- add dnat rule from zone untrust, ip of vlan.2, port 22 (or whatever port you like) -> dnat pool with address of the loopback interface, port 22
- policy / policies from-zone untrust to-zone local to control who can and can't connect
- if vlan.2 is in a non-default routing instance, it will need the loopback interface route imported
------------------------------
Nikolay Semov
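The loopback/DNAT workaround described in the post above, written out as an added set-format configuration (this is not Nikolay's own config, and it is untested on Junos 10). The zone name "local", the loopback address 10.255.255.1/32, the pool and rule-set names, and the address-book entry mgmt-net are all assumptions; the angle-bracket placeholders follow the thread's own convention.

```junos
# Loopback with a private address (assumption: 10.255.255.1/32), in its own zone that accepts ssh
set interfaces lo0 unit 0 family inet address 10.255.255.1/32
set security zones security-zone local host-inbound-traffic system-services ssh
set security zones security-zone local interfaces lo0.0

# SSH is no longer accepted directly on the untrust zone (i.e. on vlan.2's public address)
delete security zones security-zone untrust host-inbound-traffic system-services ssh

# Destination NAT: TCP/22 arriving from untrust for vlan.2's public IP is translated to the loopback
set security nat destination pool ssh-to-lo0 address 10.255.255.1/32 port 22
set security nat destination rule-set ssh-mgmt from zone untrust
set security nat destination rule-set ssh-mgmt rule ssh-to-self match destination-address <public IP of vlan.2>/32
set security nat destination rule-set ssh-mgmt rule ssh-to-self match destination-port 22
set security nat destination rule-set ssh-mgmt rule ssh-to-self then destination-nat pool ssh-to-lo0

# Who may reach it: only the company network; everything else is denied and logged
set security zones security-zone untrust address-book address mgmt-net <My company public network>
set security policies from-zone untrust to-zone local policy allow-ssh match source-address mgmt-net
set security policies from-zone untrust to-zone local policy allow-ssh match destination-address any
set security policies from-zone untrust to-zone local policy allow-ssh match application junos-ssh
set security policies from-zone untrust to-zone local policy allow-ssh then permit
set security policies from-zone untrust to-zone local policy deny-rest match source-address any
set security policies from-zone untrust to-zone local policy deny-rest match destination-address any
set security policies from-zone untrust to-zone local policy deny-rest match application any
set security policies from-zone untrust to-zone local policy deny-rest then deny
set security policies from-zone untrust to-zone local policy deny-rest then log session-init
```

The `#` lines are explanations for the reader; strip them before pasting into `load set terminal`. After commit, `show security nat destination summary` should list the pool and rule, and `show security flow session destination-port 22` should show sessions from untrust to local with the translated destination. Keep a console or trust-side session open while committing (or use `commit confirmed`), since the `delete` line removes the only SSH path from the untrust side until the NAT rule is in place.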
Original Message:
Sent: 08-17-2024 22:22
From: Nikolay Semov
Subject: Firewall Filter problem on Juniper SRX240H
Unfortunately, it looks like junos-host was introduced in 11.4. Dug this up:
https://supportportal.juniper.net/s/article/SRX-How-to-log-the-host-inbound-traffic-in-syslog?language=en_US
What about using an ethernet-switching firewall filter applied on the two ports instead of inet filter on vlan.2? I think ethernet-switching filters may still be able match IP address and port number and do the job ...
------------------------------
Nikolay Semov
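The ethernet-switching alternative suggested above, as an added example (not Nikolay's config, and not verified on this 10.0 release): a `family ethernet-switching` filter with IP match conditions applied to the two ports that sit under vlan.2, in place of the inet filter on vlan.2. The filter name L2-SSH-IN and the counter name are assumptions; the match-condition names (`ip-source-address`, `ip-destination-address`, `ip-protocol`) are the ones Juniper documents for Layer 2 filters, so check them with `?` on your release before relying on this.

```junos
# Layer 2 filter: only the company network may open TCP/22 to vlan.2's public IP;
# matching on ip-destination-address keeps the filter from touching SSH that merely transits the SRX
set firewall family ethernet-switching filter L2-SSH-IN term allow_ssh from ip-source-address <My company public network>
set firewall family ethernet-switching filter L2-SSH-IN term allow_ssh from ip-destination-address <public IP of vlan.2>/32
set firewall family ethernet-switching filter L2-SSH-IN term allow_ssh from ip-protocol tcp
set firewall family ethernet-switching filter L2-SSH-IN term allow_ssh from destination-port ssh
set firewall family ethernet-switching filter L2-SSH-IN term allow_ssh then accept

set firewall family ethernet-switching filter L2-SSH-IN term block_ssh from ip-destination-address <public IP of vlan.2>/32
set firewall family ethernet-switching filter L2-SSH-IN term block_ssh from ip-protocol tcp
set firewall family ethernet-switching filter L2-SSH-IN term block_ssh from destination-port ssh
set firewall family ethernet-switching filter L2-SSH-IN term block_ssh then count ssh-dropped
set firewall family ethernet-switching filter L2-SSH-IN term block_ssh then discard

# Everything else (VRRP from the ISP routers, the rest of the Internet traffic) passes
set firewall family ethernet-switching filter L2-SSH-IN term default then accept

# Apply on the interface-range that already holds ge-0/0/8 and ge-0/0/9
set interfaces interface-range wind unit 0 family ethernet-switching filter input L2-SSH-IN
```

Strip the `#` lines before loading. `show firewall filter L2-SSH-IN` shows the `ssh-dropped` counter; an SSH attempt from an address outside the company network should increment it, while one from inside should complete. Note the inet filter FWF-IN cannot simply be reused here: the family under which a filter is defined must match the family it is applied to.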
Original Message:
Sent: 08-16-2024 20:13
From: spuluka
Subject: Firewall Filter problem on Juniper SRX240H
Sounds like a bug with the virtual interface.
The security policy you note above does not apply. These only apply to traffic whose ingress and egress are both via an SRX interface. The zone you use for a security policy where traffic terminates on the SRX is junos-host. So the policy that could replace the filter would be from untrust to junos-host.
But I'm not sure which Junos version introduced this option, so it may not go as far back as Junos 10.
example
https://supportportal.juniper.net/s/article/SRX-Configuration-Example-How-to-limit-self-traffic-using-Security-Policies?language=en_US
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
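What the junos-host replacement for the filter would look like, as an added example that is not Steve's config or the linked KB article's, for a release that supports the junos-host zone (11.4 or later according to the follow-up in this thread). It reuses the thread's untrust zone; the policy names and the address-book entry mgmt-net are assumptions.

```junos
# ssh stays enabled under host-inbound-traffic: the junos-host policy is evaluated after that check,
# so removing it here would block SSH before any policy is consulted
set security zones security-zone untrust host-inbound-traffic system-services ssh

set security zones security-zone untrust address-book address mgmt-net <My company public network>

# 1. SSH to the SRX itself only from the management network
set security policies from-zone untrust to-zone junos-host policy allow-mgmt-ssh match source-address mgmt-net
set security policies from-zone untrust to-zone junos-host policy allow-mgmt-ssh match destination-address any
set security policies from-zone untrust to-zone junos-host policy allow-mgmt-ssh match application junos-ssh
set security policies from-zone untrust to-zone junos-host policy allow-mgmt-ssh then permit
set security policies from-zone untrust to-zone junos-host policy allow-mgmt-ssh then log session-init

# 2. SSH to the SRX from anywhere else: deny and log
set security policies from-zone untrust to-zone junos-host policy deny-ssh match source-address any
set security policies from-zone untrust to-zone junos-host policy deny-ssh match destination-address any
set security policies from-zone untrust to-zone junos-host policy deny-ssh match application junos-ssh
set security policies from-zone untrust to-zone junos-host policy deny-ssh then deny
set security policies from-zone untrust to-zone junos-host policy deny-ssh then log session-init

# 3. Everything else that host-inbound-traffic already permits (ike, ping, vrrp) must be re-allowed here:
#    once untrust -> junos-host policies exist, unmatched self-traffic from untrust falls to the implicit deny
set security policies from-zone untrust to-zone junos-host policy allow-other-self-traffic match source-address any
set security policies from-zone untrust to-zone junos-host policy allow-other-self-traffic match destination-address any
set security policies from-zone untrust to-zone junos-host policy allow-other-self-traffic match application any
set security policies from-zone untrust to-zone junos-host policy allow-other-self-traffic then permit
```

Strip the `#` lines before loading. Policy order matters: the allow-mgmt-ssh policy has to precede deny-ssh, and the catch-all permit must be last, otherwise VRRP toward the ISP routers (and IKE, if any tunnels terminate on vlan.2) goes down at commit. `show security policies from-zone untrust to-zone junos-host` confirms the order, and `show security flow session destination-port 22` shows which policy each SSH session matched.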
Original Message:
Sent: 08-16-2024 05:31
From: MARIO PAOLI
Subject: Firewall Filter problem on Juniper SRX240H
Hello, I'm seeing strange behaviour of a firewall filter on a Juniper SRX 240H (JUNOS 10.0R3.10 built 2010-04-16):
show chassis hardware
Hardware inventory:
Item             Version  Part number  Serial number  Description
Chassis                                AG3710AA0039   SRX240-hm
Routing Engine   REV 42   750-021793   AABY9904       RE-SRX240-HM
FPC 0                                                 FPC
  PIC 0                                               16x GE Base PIC
Power Supply 0
I know that the apparatus is very old and that the Junos version is very old as well.
Here is the problem:
A few days ago my company changed ISP. Now we have two links connecting the site, configured by the ISP operators with the VRRP protocol:
                                                    SRX 240
ISP Router 1 \    __________________________     ___________________________________
              \__|                          |___| ge-0/0/8 \                        |
                 | ISP public network (VRRP)|   |           |-- vlan.2 logical int  |
               __|__________________________|___| ge-0/0/9 /                        |
              /                                 |___________________________________|
ISP Router 2 /
On the SRX side I configured two physical interfaces (one for each link) with ethernet-switching and assigned an l3 logical interface (vlan.2):
set interfaces interface-range wind member ge-0/0/8
set interfaces interface-range wind member ge-0/0/9
set interfaces interface-range wind unit 0 family ethernet-switching vlan members vlan-rete-wind
set interfaces vlan unit 2 description VLAN-RETE-WIND-id-20
set interfaces vlan unit 2 family inet address <public IP on ISP network>
set security zones security-zone untrust interfaces vlan.2
set vlans vlan-rete-wind vlan-id 20
set vlans vlan-rete-wind l3-interface vlan.2
In this way VRRP traffic flows without problem. Now, since the l3 logical interface has a public IP on the ISP network, I configured a firewall filter to limit SSH access to this interface. The problem is that this filter does not work as intended: traffic from ANY public IP on the Internet passes through the l3 logical interface without limitation. Here is the filter:
set interfaces ge-0/0/5 unit 0 family inet filter input FWF-IN
set interfaces vlan unit 2 family inet filter input FWF-IN
set firewall filter FWF-IN term allow_ssh from address <My company public network>
set firewall filter FWF-IN term allow_ssh from protocol tcp
set firewall filter FWF-IN term allow_ssh from destination-port ssh
set firewall filter FWF-IN term allow_ssh then log
set firewall filter FWF-IN term allow_ssh then accept
set firewall filter FWF-IN term block_ssh from protocol tcp
set firewall filter FWF-IN term block_ssh from destination-port ssh
set firewall filter FWF-IN term block_ssh then log
set firewall filter FWF-IN term block_ssh then discard
set firewall filter FWF-IN term block_telnet from destination-port telnet
set firewall filter FWF-IN term block_telnet then discard
set firewall filter FWF-IN term default then accept
The same filter was applied to the old ISP interface, which was a physical interface (ge-0/0/5), since the old ISP served the site with just one link. In that case the filter worked like a charm:
                                                  SRX 240
                     ____________________        ____________
Old ISP Router ----| ISP public network |------| ge-0/0/5.0 |
                     |____________________|      |____________|
Both the l3 logical interface of the new ISP and the physical interface of the old ISP are in the untrust zone:
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic protocols vrrp
set security zones security-zone untrust interfaces ge-0/0/5.0
set security zones security-zone untrust interfaces vlan.2
I tried the following solutions, which did not work:
(1)
Put the FWF on the loopback interface:
set interfaces lo0 unit 0 family inet filter input FWF-IN
(2)
Create a security policy from zone untrust to zone untrust:
set security zones security-zone untrust address-book address public-isp-network <ISP network>
set security policies from-zone untrust to-zone untrust policy allow_ssh_fub match source-address public-isp-network
set security policies from-zone untrust to-zone untrust policy allow_ssh_fub match destination-address any
set security policies from-zone untrust to-zone untrust policy allow_ssh_fub match application junos-ssh
set security policies from-zone untrust to-zone untrust policy allow_ssh_fub then permit
set security policies from-zone untrust to-zone untrust policy block_ssh match source-address any
set security policies from-zone untrust to-zone untrust policy block_ssh match destination-address any
set security policies from-zone untrust to-zone untrust policy block_ssh match application junos-ssh
set security policies from-zone untrust to-zone untrust policy block_ssh then deny
set security policies from-zone untrust to-zone untrust policy default match source-address any
set security policies from-zone untrust to-zone untrust policy default match destination-address any
set security policies from-zone untrust to-zone untrust policy default match application any
set security policies from-zone untrust to-zone untrust policy default then permit
set security policies from-zone untrust to-zone untrust policy allow_ssh_fub then log session-init
set security policies from-zone untrust to-zone untrust policy allow_ssh_fub then log session-close
set security policies from-zone untrust to-zone untrust policy block_ssh then log session-init
set security policies from-zone untrust to-zone untrust policy block_ssh then log session-close
(3)
Assign FWF to physical interfaces under vlan.2 and assign them to the untrusted zone:
set interfaces ge-0/0/8 unit 0 family ethernet-switching filter input FWF-IN
set security zones security-zone untrust interfaces ge-0/0/8.0
set interfaces ge-0/0/9 unit 0 family ethernet-switching filter input FWF-IN
set security zones security-zone untrust interfaces ge-0/0/9.0
set interfaces vlan unit 2 family inet filter input FWF-IN
I tried to run "show firewall log" but the output just showed that traffic from any public IP on the Internet to the new ISP interface vlan.2 was allowed. Conversely, traffic to the old ISP interface ge-0/0/5.0 was denied except for the network configured in the firewall filter.
The only solution which works is to delete host-inbound-traffic on the untrust zone for the ssh service:
delete security zones security-zone untrust host-inbound-traffic system-services ssh
Of course this solution is not ideal, since I can then reach the router only from the trusted zone on its private IP.
Has anyone experienced this problem? I find it very strange that the firewall filter works on the physical interface ge-0/0/5.0 and not on the l3 logical interface vlan.2.
Thank you in advance.
------------------------------
Mario Paoli
------------------------------