I'm trying to figure out why my SRX3600 is letting traffic pass by the stateless filters. I've got one filter configured on my interface that's connected to the 'untrust' zone (in my case, the 'out-inet' zone):
ge-0/0/11 {
    description r1:ge-0/1/2;
    enable;
    vlan-tagging;
    unit 1 {
        vlan-id 1;
        family inet {
            mtu 1500;
            filter {
                input block-common;
            }
            address x.x.x.10/30;
        }
    }
}
It's a simple filter:
filter block-common {
    term 0-allow_local {
        from {
            source-prefix-list {
                ACCESS-common-subnets;
            }
        }
        then accept;
    }
    term 10-block_common {
        from {
            protocol udp;
            destination-port [ 135 137 138 139 445 4444 1433-1434 ];
        }
        then {
            count common-ports;
            discard;
        }
    }
    term 20-block_tcp {
        from {
            protocol tcp;
        }
        then {
            count tcp-attempts;
            discard;
        }
    }
    term 1000-implicit_allow {
        then accept;
    }
}
One of the results of the filter above is that it's supposed to block all TCP traffic, except for that which is coming from IPs configured in my 'ACCESS-common-subnets' prefix-list. The problem is, I'm still seeing TCP traffic hitting the 'screen' I've configured:
1 2012-08-09T13:54:45.745 fw1 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.34 attack-name="Port scan!" source-address="x.x.x.54" source-port="40829" destination-address="x.x.x.1" destination-port="22" source-zone-name="out-inet" interface-name="ge-0/0/11.1" action="drop"]
I've verified that the IP address is not listed in the prefix-list that has access to bypass this filter. It's my understanding that the stateless filters are #3 in line for processing, which occurs before passing the packet on to the screen process. Is there something I'm missing?
SRX details: 3600 in a cluster, running 11.2R7.4.
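Added example (not part of the original post, and not Juniper code): a small first-match evaluator that models the block-common filter quoted above, so you can check which term a given packet would hit. It applies Junos term semantics as the post relies on them: terms are tried in order, all "from" conditions in a term must match, a list like destination-port matches any listed port or range, the first matching term's action wins, and a packet matching no term is discarded. The source addresses are constructed placeholders (the post redacts them as x.x.x.54), and the contents of the ACCESS-common-subnets prefix-list are assumed; substitute your own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


def parse_ports(spec: str):
    """Turn a Junos port list such as '135 137 1433-1434' into (low, high) ranges."""
    ranges = []
    for tok in spec.split():
        lo, _, hi = tok.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


@dataclass
class Term:
    name: str
    action: str                                   # "accept" or "discard"
    source_prefix_list: Optional[str] = None      # name of a prefix-list
    protocol: Optional[str] = None                # "tcp" / "udp"
    destination_port: Optional[str] = None        # Junos-style port list
    count: Optional[str] = None                   # counter name, if any


# The block-common filter from the post, term by term, in configured order.
BLOCK_COMMON = [
    Term("0-allow_local", "accept", source_prefix_list="ACCESS-common-subnets"),
    Term("10-block_common", "discard", protocol="udp",
         destination_port="135 137 138 139 445 4444 1433-1434", count="common-ports"),
    Term("20-block_tcp", "discard", protocol="tcp", count="tcp-attempts"),
    Term("1000-implicit_allow", "accept"),
]

# Assumed contents of the prefix-list (constructed; the post does not show it).
PREFIX_LISTS = {
    "ACCESS-common-subnets": ["192.0.2.0/24", "203.0.113.0/24"],
}


def term_matches(term: Term, src: str, proto: str, dport: int, prefix_lists) -> bool:
    """All 'from' conditions of a term must hold (AND across conditions)."""
    if term.source_prefix_list is not None:
        nets = [ipaddress.ip_network(p) for p in prefix_lists[term.source_prefix_list]]
        if not any(ipaddress.ip_address(src) in n for n in nets):
            return False
    if term.protocol is not None and proto != term.protocol:
        return False
    if term.destination_port is not None:
        if not any(lo <= dport <= hi for lo, hi in parse_ports(term.destination_port)):
            return False
    return True


def evaluate(terms, src: str, proto: str, dport: int, prefix_lists=PREFIX_LISTS, counters=None):
    """Return (term_name, action) for the first matching term; bump its counter if asked.

    A packet matching no term hits the filter's implicit final discard."""
    for term in terms:
        if term_matches(term, src, proto, dport, prefix_lists):
            if counters is not None and term.count:
                counters[term.count] = counters.get(term.count, 0) + 1
            return term.name, term.action
    return None, "discard"


if __name__ == "__main__":
    # The packet from the RT_SCREEN_TCP log: TCP to port 22 from an address
    # outside the prefix-list (198.51.100.54 stands in for the redacted x.x.x.54).
    counters = {}
    print(evaluate(BLOCK_COMMON, "198.51.100.54", "tcp", 22, counters=counters))
    print(counters)
    # A source inside the prefix-list is accepted by the first term instead.
    print(evaluate(BLOCK_COMMON, "192.0.2.5", "tcp", 22, counters=counters))
```

Run as-is, the first call returns ('20-block_tcp', 'discard'), which is the term the post expects the port-22 connection attempt to land on; if the real device's tcp-attempts counter is not incrementing for that flow (show firewall filter block-common), the packet is not reaching the filter term at all, which narrows the question to where in the SRX ingress path the packet is being diverted.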