Soooo, it was something incredibly simple.
Original Message:
Sent: 11-04-2024 17:52
From: Nikolay Semov
Subject: Restricting Ping
Run show security flow status. Towards the top, it will say whether the firewall is processing stuff in flow mode (the default) or packet mode.
In packet mode, you'd be correct that a blanket "then accept" allows traffic through.
However, in flow mode, after the firewall filter with a "then accept" term allow the traffic, processing of the traffic gets handed off to the flow module. See the processing diagram here: https://www.juniper.net/documentation/us/en/software/junos/flow-packet-processing/topics/topic-map/security-srx-devices-processing-overview.html#id-understanding-traffic-processing-on-security-devices
The per-packet filter is only the second step in the beginning. You'll still have screening, sessions, policies, etc. apply to that traffic, so it won't be a free-for-all open door into your network (unless, of course, your policies say so on purpose).
------------------------------
Nikolay Semov
Original Message:
Sent: 11-04-2024 17:42
From: NICHOLAS MARSZALKOWSKI
Subject: Restricting Ping
I appreciate the help.
"I.e. you're trying to prevent non-authorized devices from pinging your SRX." This statement is accurate.
"On a separate note, you should include a third term stating what should happen to all other traffic" Do you have any suggestions? My biggest concern is that if i put a blanket "then accept" it'll essentially allow all traffic from the internet through my firewall interface.
------------------------------
NICHOLAS MARSZALKOWSKI
Original Message:
Sent: 11-04-2024 16:31
From: Nikolay Semov
Subject: Restricting Ping
I don't think that's a safe guess. I don't believe stateless firewall filters are influenced by established sessions.
As for your original question, I really don't know why exactly Mist is complaining. It's possible that the actual name you're using contains some pattern of characters that's been programmed in Mist to be disallowed.
Also, now that I read your first post again, let's be pedantic for fun. You say "I'm still able to get ping replies even from a non-authorized sources." The firewall filter is written to block ping requests from non-authorized sources. I.e. you're trying to prevent non-authorized devices from pinging your SRX. If, on the other hand, you want to prevent the SRX from pinging non-authorized devices, then you have to change the filter terms accordingly. But you called them sources, so I'm guessing that indeed you wanted to block requests from them and not replies from them.
In other words, I'm out of ideas.
------------------------------
Nikolay Semov
Original Message:
Sent: 11-04-2024 13:08
From: NICHOLAS MARSZALKOWSKI
Subject: Restricting Ping
That was simply a mistake in my transposing it for this message. Good catch! In my configuration the last line is:
set interface ge-0/0/1 unit 0 family inet filter input icmprestrict
I left the firewall filter without a next term thinking that i want it to be discarding any inbound traffic anyway. I'm guessing since this is being used on a stateful firewall that internally initiated outbound sessions should be exempt from that explicit deny/discard
------------------------------
NICHOLAS MARSZALKOWSKI
Original Message:
Sent: 11-02-2024 13:29
From: Nikolay Semov
Subject: Restricting Ping
This may be just an artefact of the name substitution, but just in case, the interface line should include icmprestrict, not example.
On a separate note, you should include a third term stating what should happen to all other traffic. Otherwise, headache. (I'm pretty sure the default action is discard.)
------------------------------
Nikolay Semov
Original Message:
Sent: 11-01-2024 15:17
From: NICHOLAS MARSZALKOWSKI
Subject: Restricting Ping
Gooooood Afternoon.
We're currently looking to restrict ping replies to only authorized IPs (our HQ and monitoring services) so that the firewall will not reply to ICMP echo requests from any other sources. I've applied the following config as a candidate config, and the commit check shows it's good. However, when applying in Juniper Mist, it gives me a syntax error for the interface line. The config seems to be applied, however, I'm still able to get ping replies even from a non-authorized sources. I'm certain I'm missing something and was hoping someone could point out where I went wrong. IPs and names changed for anonymity
set policy-options prefix-list example 22.142.71.128/29
set policy-options prefix-list example 54.44.122.132/32
set policy-options prefix-list example 102.29.71.32/28
set firewall family inet filter icmprestrict term 1 from prefix-list example
set firewall family inet filter icmprestrict term 1 from protocol icmp
set firewall family inet filter icmprestrict term 1 from icmp-type echo-request
set firewall family inet filter icmprestrict term 1 then accept
set firewall family inet filter icmprestrict term 2 from protocol icmp
set firewall family inet filter icmprestrict term 2 from icmp-type echo-request
set firewall family inet filter icmprestrict term 2 then discard
set interface ge-0/0/1 unit 0 family inet filter input exampl
------------------------------
NICHOLAS MARSZALKOWSKI
------------------------------