Switching

  • 1.  Firewall issue

    Posted 11-18-2024 15:11
    Hello Community

    I have an issue with my firewall rules on my EX4600. I have a filter on
    an interface with an incoming term:
    from destination-address 1.2.3.0/24
    then accept.

    On the interface where 1.2.3.0/24 lives I have an outgoing filter with,
    for example, this term:
    from destination-address 1.2.3.17/32
    from destination-port 22
    then discard

    So my goal is to block 1.2.3.17/32 port 22 in the outgoing filter,
    because the term in the incoming filter is part of a filter set that is
    configured on multiple interfaces.

    Now the problem is that the discard rule is not working.

    Does anyone know how the EX4600 handles the order of the rules? What I
    think is that the PFE hits the first accept rule and that the whole
    processing of the outgoing filter is skipped?

    Thanks,


  • 2.  RE: Firewall issue

    Posted 11-19-2024 02:23

    Please show the filter configuration and the interface configuration where you use the filters.



    ------------------------------
    IHOR SHTANKO
    ------------------------------



  • 3.  RE: Firewall issue

    Posted 11-19-2024 05:18

    Hi,

    The input filter is:

    set firewall family inet filter vlan-in-v4-default term icmp from protocol icmp
    set firewall family inet filter vlan-in-v4-default term icmp from icmp-type echo-request
    set firewall family inet filter vlan-in-v4-default term icmp from icmp-type echo-reply
    set firewall family inet filter vlan-in-v4-default term icmp then accept
    set firewall family inet filter vlan-in-v4-default term tcp-established from tcp-established
    set firewall family inet filter vlan-in-v4-default term tcp-established then accept
    set firewall family inet filter vlan-in-v4-default term dhcp from protocol udp
    set firewall family inet filter vlan-in-v4-default term dhcp from destination-port 67
    set firewall family inet filter vlan-in-v4-default term dhcp then accept
    set firewall family inet filter vlan-in-v4-default term dns from protocol udp
    set firewall family inet filter vlan-in-v4-default term dns from destination-port 53
    set firewall family inet filter vlan-in-v4-default term dns then accept
    set firewall family inet filter vlan-in-v4-default term allow-public-nets from destination-address 192.87.78.198/32
    set firewall family inet filter vlan-in-v4-default term allow-public-nets from destination-address 192.87.78.236/32
    set firewall family inet filter vlan-in-v4-default term allow-public-nets from source-prefix-list public-nets
    set firewall family inet filter vlan-in-v4-default term allow-public-nets from destination-port 80
    set firewall family inet filter vlan-in-v4-default term allow-public-nets from destination-port 443
    set firewall family inet filter vlan-in-v4-default term allow-public-nets then accept
    set firewall family inet filter vlan-in-v4-default term deny-public-nets from source-prefix-list public-nets
    set firewall family inet filter vlan-in-v4-default term deny-public-nets from destination-prefix-list zbnets-ipv4
    set firewall family inet filter vlan-in-v4-default term deny-public-nets then syslog
    set firewall family inet filter vlan-in-v4-default term deny-public-nets then discard
    set firewall family inet filter vlan-in-v4-default term allow-dmz from destination-address 192.87.78.192/26
    set firewall family inet filter vlan-in-v4-default term allow-dmz then accept
    set firewall family inet filter vlan-in-v4-default term allow-server-vlan from destination-address 145.116.199.0/24
    set firewall family inet filter vlan-in-v4-default term allow-server-vlan then accept
    set firewall family inet filter vlan-in-v4-default term printers from destination-address 192.168.70.0/24
    set firewall family inet filter vlan-in-v4-default term printers then accept
    set firewall family inet filter vlan-in-v4-default term printer-src from source-address 192.168.70.0/24
    set firewall family inet filter vlan-in-v4-default term printer-src from source-address 192.168.2.224/32
    set firewall family inet filter vlan-in-v4-default term printer-src from source-port 161
    set firewall family inet filter vlan-in-v4-default term printer-src from source-port 9100
    set firewall family inet filter vlan-in-v4-default term printer-src from source-port 3702
    set firewall family inet filter vlan-in-v4-default term printer-src then accept
    set firewall family inet filter vlan-in-v4-default term ip-cam from source-address 145.116.205.0/24
    set firewall family inet filter vlan-in-v4-default term ip-cam from source-address 145.116.197.0/24
    set firewall family inet filter vlan-in-v4-default term ip-cam from source-address 145.116.194.0/24
    set firewall family inet filter vlan-in-v4-default term ip-cam from destination-address 192.87.78.0/26
    set firewall family inet filter vlan-in-v4-default term ip-cam from destination-address 145.116.202.0/24
    set firewall family inet filter vlan-in-v4-default term ip-cam then accept
    set firewall family inet filter vlan-in-v4-default term pcoip-mgmt from destination-address 192.168.250.197/32
    set firewall family inet filter vlan-in-v4-default term pcoip-mgmt from protocol tcp
    set firewall family inet filter vlan-in-v4-default term pcoip-mgmt from destination-port 5172
    set firewall family inet filter vlan-in-v4-default term pcoip-mgmt then accept
    set firewall family inet filter vlan-in-v4-default term print2server from source-address 192.168.70.0/24
    set firewall family inet filter vlan-in-v4-default term print2server from destination-address 145.116.199.94/32
    set firewall family inet filter vlan-in-v4-default term print2server from destination-address 145.116.199.78/32
    set firewall family inet filter vlan-in-v4-default term print2server then accept
    set firewall family inet filter vlan-in-v4-default term voice from destination-address 172.25.120.0/24
    set firewall family inet filter vlan-in-v4-default term voice then accept
    set firewall family inet filter vlan-in-v4-default term mDNS from destination-address 224.0.0.251/32
    set firewall family inet filter vlan-in-v4-default term mDNS from destination-address 224.0.0.252/32
    set firewall family inet filter vlan-in-v4-default term mDNS from protocol udp
    set firewall family inet filter vlan-in-v4-default term mDNS then accept
    set firewall family inet filter vlan-in-v4-default term EKZ-pin from source-address 145.98.25.0/27
    set firewall family inet filter vlan-in-v4-default term EKZ-pin from source-address 192.168.47.0/24
    set firewall family inet filter vlan-in-v4-default term EKZ-pin from source-address 145.116.205.0/24
    set firewall family inet filter vlan-in-v4-default term EKZ-pin from destination-address 145.116.202.0/24
    set firewall family inet filter vlan-in-v4-default term EKZ-pin then accept
    set firewall family inet filter vlan-in-v4-default term pin-ip from destination-address 145.98.25.0/27
    set firewall family inet filter vlan-in-v4-default term pin-ip from destination-address 192.168.47.0/24
    set firewall family inet filter vlan-in-v4-default term pin-ip then accept
    set firewall family inet filter vlan-in-v4-default term priva from source-address 192.168.45.0/24
    set firewall family inet filter vlan-in-v4-default term priva from protocol udp
    set firewall family inet filter vlan-in-v4-default term priva from source-port 15000
    set firewall family inet filter vlan-in-v4-default term priva then accept
    set firewall family inet filter vlan-in-v4-default term pers2priva from source-address 145.116.197.0/24
    set firewall family inet filter vlan-in-v4-default term pers2priva from source-address 145.116.205.0/24
    set firewall family inet filter vlan-in-v4-default term pers2priva from destination-address 192.168.45.0/24
    set firewall family inet filter vlan-in-v4-default term pers2priva then accept
    set firewall family inet filter vlan-in-v4-default term gre from protocol gre
    set firewall family inet filter vlan-in-v4-default term gre then accept
    set firewall family inet filter vlan-in-v4-default term vnc from source-address 145.116.205.0/24
    set firewall family inet filter vlan-in-v4-default term vnc from destination-port 5900
    set firewall family inet filter vlan-in-v4-default term vnc then accept
    set firewall family inet filter vlan-in-v4-default term udp-stream from protocol udp
    set firewall family inet filter vlan-in-v4-default term udp-stream from destination-port 8080
    set firewall family inet filter vlan-in-v4-default term udp-stream then accept
    set firewall family inet filter vlan-in-v4-default term deny-zb-nets from destination-prefix-list zbnets-ipv4
    set firewall family inet filter vlan-in-v4-default term deny-zb-nets then log
    set firewall family inet filter vlan-in-v4-default term deny-zb-nets then syslog
    set firewall family inet filter vlan-in-v4-default term deny-zb-nets then discard
    set firewall family inet filter vlan-in-v4-default term allow-all then accept

    the output filter is:

    set firewall family inet filter vlan7-v4-out term icmp from protocol icmp
    set firewall family inet filter vlan7-v4-out term icmp then accept
    set firewall family inet filter vlan7-v4-out term tcp-established from tcp-established
    set firewall family inet filter vlan7-v4-out term tcp-established then accept
    set firewall family inet filter vlan7-v4-out term ntp from destination-address 192.87.78.208/32
    set firewall family inet filter vlan7-v4-out term ntp from destination-address 192.87.78.209/32
    set firewall family inet filter vlan7-v4-out term ntp from protocol udp
    set firewall family inet filter vlan7-v4-out term ntp from destination-port 123
    set firewall family inet filter vlan7-v4-out term ntp then accept
    set firewall family inet filter vlan7-v4-out term sftp from source-address 145.116.197.0/24
    set firewall family inet filter vlan7-v4-out term sftp from source-address 145.116.203.128/25
    set firewall family inet filter vlan7-v4-out term sftp from source-address 145.116.205.0/24
    set firewall family inet filter vlan7-v4-out term sftp from destination-address 192.87.78.195/32
    set firewall family inet filter vlan7-v4-out term sftp from destination-port 22
    set firewall family inet filter vlan7-v4-out term sftp then accept
    set firewall family inet filter vlan7-v4-out term squid-proxy from destination-address 192.87.78.211/32
    set firewall family inet filter vlan7-v4-out term squid-proxy from protocol tcp
    set firewall family inet filter vlan7-v4-out term squid-proxy from destination-port 3128
    set firewall family inet filter vlan7-v4-out term squid-proxy from destination-port 8000
    set firewall family inet filter vlan7-v4-out term squid-proxy then accept
    set firewall family inet filter vlan7-v4-out term http from destination-address 192.87.78.192/26
    set firewall family inet filter vlan7-v4-out term http from protocol tcp
    set firewall family inet filter vlan7-v4-out term http from destination-port 80
    set firewall family inet filter vlan7-v4-out term http from destination-port 443
    set firewall family inet filter vlan7-v4-out term http then accept
    set firewall family inet filter vlan7-v4-out term dns from destination-port 53
    set firewall family inet filter vlan7-v4-out term dns then accept
    set firewall family inet filter vlan7-v4-out term dns-src from source-port 53
    set firewall family inet filter vlan7-v4-out term dns-src then accept
    set firewall family inet filter vlan7-v4-out term vmware-view from destination-address 192.87.78.206/32
    set firewall family inet filter vlan7-v4-out term vmware-view from destination-address 192.87.78.239/32
    set firewall family inet filter vlan7-v4-out term vmware-view from destination-address 192.87.78.240/32
    set firewall family inet filter vlan7-v4-out term vmware-view then accept
    set firewall family inet filter vlan7-v4-out term ftp from source-address 145.116.197.0/24
    set firewall family inet filter vlan7-v4-out term ftp from source-address 145.116.203.128/25
    set firewall family inet filter vlan7-v4-out term ftp from source-address 145.116.205.0/24
    set firewall family inet filter vlan7-v4-out term ftp from destination-address 192.87.78.192/26
    set firewall family inet filter vlan7-v4-out term ftp from destination-port 20
    set firewall family inet filter vlan7-v4-out term ftp from destination-port 21
    set firewall family inet filter vlan7-v4-out term ftp then accept
    set firewall family inet filter vlan7-v4-out term APP from destination-address 192.87.78.198/32
    set firewall family inet filter vlan7-v4-out term APP then accept
    set firewall family inet filter vlan7-v4-out term allow-nets from source-address 145.116.200.0/24
    set firewall family inet filter vlan7-v4-out term allow-nets from source-address 192.87.78.192/26
    set firewall family inet filter vlan7-v4-out term allow-nets from source-address 192.168.80.0/24
    set firewall family inet filter vlan7-v4-out term allow-nets from source-address 10.10.0.0/24
    set firewall family inet filter vlan7-v4-out term allow-nets from source-address 145.116.199.0/24
    set firewall family inet filter vlan7-v4-out term allow-nets then accept
    set firewall family inet filter vlan7-v4-out term radius from destination-address 192.87.78.213/32
    set firewall family inet filter vlan7-v4-out term radius from destination-address 192.87.78.216/32
    set firewall family inet filter vlan7-v4-out term radius from protocol udp
    set firewall family inet filter vlan7-v4-out term radius from destination-port 1812
    set firewall family inet filter vlan7-v4-out term radius from destination-port 1813
    set firewall family inet filter vlan7-v4-out term radius then accept
    set firewall family inet filter vlan7-v4-out term gre from protocol gre
    set firewall family inet filter vlan7-v4-out term gre then accept
    set firewall family inet filter vlan7-v4-out term ssh from source-address 145.116.199.65/32
    set firewall family inet filter vlan7-v4-out term ssh from destination-port 22
    set firewall family inet filter vlan7-v4-out term ssh then accept
    set firewall family inet filter vlan7-v4-out term snmp from source-address 145.116.199.0/24
    set firewall family inet filter vlan7-v4-out term snmp from source-address 192.87.87.22/32
    set firewall family inet filter vlan7-v4-out term snmp from protocol udp
    set firewall family inet filter vlan7-v4-out term snmp from destination-port snmp
    set firewall family inet filter vlan7-v4-out term snmp from destination-port snmptrap
    set firewall family inet filter vlan7-v4-out term snmp then accept
    set firewall family inet filter vlan7-v4-out term Wireguard from destination-address 192.87.78.197/32
    set firewall family inet filter vlan7-v4-out term Wireguard from protocol udp
    set firewall family inet filter vlan7-v4-out term Wireguard from destination-port 51234
    set firewall family inet filter vlan7-v4-out term Wireguard then accept
    set firewall family inet filter vlan7-v4-out term deny-zbnets from source-prefix-list zbnets-ipv4
    set firewall family inet filter vlan7-v4-out term deny-zbnets then discard
    set firewall family inet filter vlan7-v4-out term allow-from-firewall then accept

    client vlan:

    set interfaces irb unit 222 description ZVL-Internet
    set interfaces irb unit 222 family inet filter input vlan-in-v4-default
    set interfaces irb unit 222 family inet address 145.116.195.254/24

    server vlan:

    set interfaces irb unit 7 description DMZ
    set interfaces irb unit 7 family inet filter output vlan7-v4-out
    set interfaces irb unit 7 family inet address 192.87.78.254/26

    destination-prefix-list zbnets-ipv4 (145.116.195.0/24 is listed in this prefix list)

    So in this case IP 145.116.195.1 can SSH to 192.87.78.240 and I don't know why.
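    As an added example (not from the thread), here is a small first-match evaluator for Junos stateless filter terms, fed with a subset of the vlan7-v4-out set lines posted above; the prefix-list contents, the parser and the packet are constructed from what the post states, not from the device. It reports which term a given packet hits, which is the check to run before assuming a later discard term is ever reached.

```python
import ipaddress
PREFIX_LISTS = {"zbnets-ipv4": ["145.116.195.0/24"]}  # constructed: the one entry the poster names
# Subset of the posted vlan7-v4-out filter, in the posted order (position decides).
OUTPUT_FILTER = """\
set firewall family inet filter vlan7-v4-out term tcp-established from tcp-established
set firewall family inet filter vlan7-v4-out term tcp-established then accept
set firewall family inet filter vlan7-v4-out term vmware-view from destination-address 192.87.78.240/32
set firewall family inet filter vlan7-v4-out term vmware-view then accept
set firewall family inet filter vlan7-v4-out term ssh from source-address 145.116.199.65/32
set firewall family inet filter vlan7-v4-out term ssh from destination-port 22
set firewall family inet filter vlan7-v4-out term ssh then accept
set firewall family inet filter vlan7-v4-out term deny-zbnets from source-prefix-list zbnets-ipv4
set firewall family inet filter vlan7-v4-out term deny-zbnets then discard
set firewall family inet filter vlan7-v4-out term allow-from-firewall then accept""".splitlines()

def parse_filter(set_lines):
    """Turn 'set firewall family inet filter F term T from|then ...' lines into ordered terms."""
    terms = {}  # insertion order == the order the terms appear in the configuration
    for line in set_lines:
        tok = line.split()
        term = terms.setdefault(tok[7], {"from": {}, "then": []})
        if tok[8] == "then":
            term["then"].append(tok[9])
        elif tok[9] == "tcp-established":
            term["from"]["tcp-established"] = {"True"}
        elif tok[9].endswith("-prefix-list"):  # expand to the equivalent address match
            key = tok[9].replace("-prefix-list", "-address")
            term["from"].setdefault(key, set()).update(PREFIX_LISTS[tok[10]])
        else:
            term["from"].setdefault(tok[9], set()).add(tok[10])
    return list(terms.items())

def _match(key, values, pkt):
    """Several values of one match type are OR-ed; addresses match by prefix containment."""
    if key.endswith("-address"):
        return any(ipaddress.ip_address(pkt[key]) in ipaddress.ip_network(v) for v in values)
    return str(pkt.get(key)) in values

def evaluate(terms, pkt):
    """First term whose 'from' conditions all match wins; no match is the implicit discard."""
    for name, term in terms:
        if all(_match(k, v, pkt) for k, v in term["from"].items()):
            action = next((a for a in term["then"] if a in ("accept", "discard", "reject")), "accept")
            return name, action
    return None, "discard"

# Constructed packet: the SSH SYN from the client-VLAN host the poster asks about.
SSH_SYN = {"source-address": "145.116.195.1", "destination-address": "192.87.78.240",
           "protocol": "tcp", "destination-port": 22, "tcp-established": False}
print(evaluate(parse_filter(OUTPUT_FILTER), SSH_SYN))  # ('vmware-view', 'accept')
```

    The same packet aimed at any other DMZ host falls through to deny-zbnets, so the term position, not the discard action, is what decides.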




  • 4.  RE: Firewall issue

    Posted 11-19-2024 08:00

    Never mind. It is working well. I missed something.

    Closed this case.