Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  Firewall rule for ICMP and SSH - DDoS Attack

    Posted 03-25-2024 08:53

    Hi,

    We have a QFX that we have protected with firewall rules and then applied to the interface. Here is the ICMP/SSH policy:

    set policy-options prefix-list mgmt-icmp-ip-filter xxx.xxx.xxx.xxx

    Please note we have about 20 lines that cover all of our internal networks under this prefix-list.

    set firewall family inet filter icmp-test term allow_icmp from source-prefix-list mgmt-icmp-ip-filter
    set firewall family inet filter re-secure term allow_icmp from protocol icmp
    set firewall family inet filter icmp-test term allow_icmp from icmp-type echo-request
    set firewall family inet filter icmp-test term allow_icmp from icmp-type echo-reply
    set firewall family inet filter icmp-test term allow_icmp from icmp-type unreachable
    set firewall family inet filter icmp-test term allow_icmp from icmp-type time-exceeded
    set firewall family inet filter icmp-test term allow_icmp from icmp-type source-quench
    set firewall family inet filter icmp-test term allow_icmp then accept
    set firewall family inet filter icmp-test term deny_icmp from protocol icmp
    set firewall family inet filter icmp-test term deny_icmp then discard

    set interfaces xe-0/0/10 unit 0 family inet filter input-list icmp-list

    set firewall family inet filter re-secure term allow_ssh from source-prefix-list mgmt-ssh-ip-filter
    set firewall family inet filter re-secure term allow_ssh from protocol tcp
    set firewall family inet filter re-secure term allow_ssh from destination-port ssh
    set firewall family inet filter re-secure term allow_ssh then accept
    set firewall family inet filter re-secure term deny_ssh from protocol tcp
    set firewall family inet filter re-secure term deny_ssh from destination-port ssh
    set firewall family inet filter re-secure term deny_ssh then discard

    set interfaces xe-0/0/10 unit 0 family inet filter input-list re-secure

    But we are still getting a lot of hits to the routing engine when I complete:

    monitor traffic interface xe-0/0/10 size 1500 no-resolve

    Do the filters look good, and why would I still be getting this amount of traffic hitting the QFX when none should be for ICMP and SSH except from the prefix-list addresses?

    Many thanks



    ------------------------------
    Clive Gwyther
    ------------------------------


  • 2.  RE: Firewall rule for ICMP and SSH - DDoS Attack

    Posted 03-25-2024 10:56

    Hi Clive,

    To protect the RE, the firewall filter should be configured on lo0 instead of a physical interface.
    Please attempt to remove it from the physical interface and add it to lo0.
    If the issue persists, a deeper investigation is required.


    ------------------------------
    Kalle Andersson
    ------------------------------
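The point of the reply above is that an input filter on xe-0/0/10 only inspects packets arriving on that one port, whereas a filter on lo0 is applied to every packet addressed to the routing engine itself, whatever interface it came in on. The following is an added example, not configuration from the original post; the prefix-list name, the 192.0.2.0/24 sample prefix and the filter and counter names are assumptions chosen for illustration. Lines beginning with # are annotations, not CLI commands.

```junos
# Management prefixes allowed to ping or SSH to the routing engine (assumed sample prefix).
set policy-options prefix-list mgmt-hosts 192.0.2.0/24

# SSH from management prefixes: accept.
set firewall family inet filter protect-re term allow-ssh from source-prefix-list mgmt-hosts
set firewall family inet filter protect-re term allow-ssh from protocol tcp
set firewall family inet filter protect-re term allow-ssh from destination-port ssh
set firewall family inet filter protect-re term allow-ssh then accept

# ICMP from management prefixes, limited to the types operators actually need: accept.
set firewall family inet filter protect-re term allow-icmp from source-prefix-list mgmt-hosts
set firewall family inet filter protect-re term allow-icmp from protocol icmp
set firewall family inet filter protect-re term allow-icmp from icmp-type [ echo-request echo-reply unreachable time-exceeded ]
set firewall family inet filter protect-re term allow-icmp then accept

# Everything else that is SSH or ICMP: count it so the drop is visible, then discard.
set firewall family inet filter protect-re term deny-ssh from protocol tcp
set firewall family inet filter protect-re term deny-ssh from destination-port ssh
set firewall family inet filter protect-re term deny-ssh then count deny-ssh-count
set firewall family inet filter protect-re term deny-ssh then discard
set firewall family inet filter protect-re term deny-icmp from protocol icmp
set firewall family inet filter protect-re term deny-icmp then count deny-icmp-count
set firewall family inet filter protect-re term deny-icmp then discard

# Final term. A lo0 filter ends in an implicit discard, so without this term
# routing-protocol, NTP, SNMP and similar traffic to the RE would also be dropped.
# A hardened version enumerates those services explicitly and discards the rest.
set firewall family inet filter protect-re term allow-rest then accept

# Apply to lo0 (RE-bound traffic from all interfaces), not to a single physical port.
set interfaces lo0 unit 0 family inet filter input protect-re
```

After committing, `show firewall filter protect-re` shows the deny-ssh-count and deny-icmp-count counters; if they keep climbing while the management prefixes still reach the box, the filter is doing its job and the earlier hits were arriving via a path the interface filter never saw. Commit with `commit confirmed` when changing lo0 filters on a remote device, since a mistake in the final term can lock you out.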



  • 3.  RE: Firewall rule for ICMP and SSH - DDoS Attack

    Posted 03-26-2024 03:32

    I also advise you to familiarize yourself with the Day One book.

    https://www.juniper.net/documentation/jnbooks/us/en/day-one-books
    "Securing the Routing Engine on M, MX, and T Series

    Apply the powerful policy tools of Junos essential to protecting your device and your whole network with expert, step-by-step techniques."



    ------------------------------
    WBW,
    Dmitriy
    ------------------------------