[j-nsp] Issues with 7.2R1.7 and Firewall Filters

juniper at arnes.si juniper at arnes.si
Mon Sep 19 02:20:09 EDT 2005


Hi, Laura!

This behavior is normal. We ran into something similar years ago when we 
were using IP-in-IP tunnels for IPv6 traffic. Back then, I explained that 
behavior to myself in the following way:

               +<-tun
               | +-^-------+
               v |         |
           filter|         |
     ext<---<out-| Juniper |-in<---<int
                 | router  |
                 +---------+

When a packet passes the router on its way from "int" to "ext" and is being 
forwarded via the tunnel interface (named "tun" in the picture above), it 
first hits the inbound and then the outbound filter on interface "ext" (of 
course, the packet is encapsulated on this interface -- its source IP address 
is the source of the tunnel on your side). If you have some anti-spoofing 
filters in place inbound on interface "ext", and these filters are set to block 
incoming traffic coming from your source address space, you will find the 
_outgoing_ traffic via the tunnel being dropped in the _inbound_ filter on 
a physical interface. This behavior is rather weird, but if one looks at it 
in the way explained above, it might sound reasonable ;-)).

Hope this helps,

	Matjaz


In-reply-to: Your message dated: Tue, 13 Sep 2005 17:39:01 BST
> I have applied the firewall to the physical interface
> fe-1/3/0 {
>         unit 0 {
>             description External_interface;
>             family inet {
>                 filter {
>                     input Traffic_Control_IN;
>                     output Traffic_Control_OUT;
>                 }
>                 address x/30;
>             }
>         }
> }
> 
> When I look at the firewall logs I see traffic originating from a source
> address of the M7 which is expected, but I also see requests from the source
> address of the router at the other end of the tunnel for GRE traffic on the pfe.
> Should this be happening?
> 
> I.e.
> Filter    Action Interface  Protocol Src Addr  Dest Addr
> pfe       A      fe-1/3/1.0 GRE      x         y
> pfe       A      fe-1/3/1.0 GRE      y         x
> 
> Thanks,
> Laura
> 
> -----Original Message-----
> From: Rafal Szarecki (WA/EPO) [mailto:rafal.szarecki at ericsson.com] 
> Sent: 13 September 2005 17:23
> To: Laura McDonnell; juniper-nsp at puck.nether.net
> Subject: RE: [j-nsp] Issues with 7.2R1.7 and Firewall Filters
> 
> I do not see when firewall is applied....
>  on gre-1/2/0.0 or on other interface ?
> 
> 
> 
> > -----Original Message-----
> > From: juniper-nsp-bounces at puck.nether.net 
> > [mailto:juniper-nsp-bounces at puck.nether.net]On Behalf Of 
> > Laura McDonnell
> > Sent: Tuesday, September 13, 2005 11:46 AM
> > To: juniper-nsp at puck.nether.net
> > Subject: [j-nsp] Issues with 7.2R1.7 and Firewall Filters
> > 
> > 
> > I am currently setting up the configuration for an M7i router and have come
> > across some difficulty with the firewall filters for GRE.
> > I have configured them similarly to Cisco, but when I look at the firewall
> > logs I am seeing hits against the inbound filter but none against the
> > outbound filter. When I remove the inbound filter all works fine. I am
> > slightly confused about the configuration I should be using. Currently I
> > have the following setup.
> > 
> > Inbound
> > term GRE {
> >             from {
> >                 source-address {
> >                     y/32;
> >                 }
> >                 destination-address {
> >                     x/32;
> >                 }
> >                 protocol gre;
> >             }
> >             then {
> >                 count GRE;
> >                 log;
> >                 accept;
> >             }
> > }
> > 
> > Outbound
> > term GRE {
> >             from {
> >                 source-address {
> >                     x/32;
> >                 }
> >                 destination-address {
> >                     y/32;
> >                 }
> >                 protocol gre;
> >             }
> >             then {
> >                 count GRE;
> >                 log;
> >                 accept;
> >             }
> > }
> > 
> > interfaces {
> >     gr-1/2/0 {
> >         unit 0 {
> >             description Tunnel;
> >             tunnel {
> >                 source x;
> >                 destination y;
> >             }
> >             family inet;
> >         }
> >     }
> > }
> > 
> > Can somebody please confirm my configs are correct and explain why I am
> > not able to run the tunnel when I have this configured?
> > 
>

--
Matjaz Straus, ARNES       matjaz.straus at arnes.si
Jamova 39, p.p.7, SI-1001  Ljubljana, Slovenija
tel:+386 1 479-88-00       fax:+386 1 479-88-99
http://www.arnes.si/
PGP public key at: http://www.arnes.si/~matjaz/
------------------------------------------------------------------------------
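The filter layout that Matjaz's explanation implies, as an added example that is not from this thread: the inbound filter on the physical interface also evaluates the router's own encapsulated GRE packets (source x, destination y) on their way out through the tunnel, so they must be accepted before any anti-spoofing term. The addresses x and y are the thread's placeholders; the term and counter names, and the anti-spoofing term itself, are assumptions, since Laura's message does not show the rest of her inbound filter.

```junos
firewall {
    family inet {
        filter Traffic_Control_IN {
            /* GRE arriving from the tunnel peer (peer y, local x) */
            term gre-from-peer {
                from {
                    source-address { y/32; }
                    destination-address { x/32; }
                    protocol gre;
                }
                then { count GRE-in; accept; }
            }
            /* Locally encapsulated GRE leaving via gr-1/2/0 also passes this
               inbound filter. Match it narrowly (protocol plus both /32
               endpoints) so the anti-spoofing term below does not discard it;
               the counter makes these loop-through hits visible. */
            term gre-to-peer {
                from {
                    source-address { x/32; }
                    destination-address { y/32; }
                    protocol gre;
                }
                then { count GRE-tunnel-loop; accept; }
            }
            /* Assumed anti-spoofing term: own address space must not arrive
               from outside. Deliberately ordered after the GRE terms. */
            term anti-spoof {
                from {
                    source-address { x/30; }
                }
                then { count spoofed; log; discard; }
            }
            /* Placeholder for the filter's remaining terms */
            term allow-rest { then accept; }
        }
    }
}
```

If the GRE-tunnel-loop counter increments while the tunnel is up, the loop-through behavior described above is confirmed on your platform; if the anti-spoofing counter increments for source x instead, the term order is wrong.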