[j-nsp] Stupid ACL Q & JUNOS 8.0 Q

Paul Goyette pgoyette at juniper.net
Mon Sep 4 17:16:39 EDT 2006


Regarding the example...

Please be sure to include a "from protocol tcp" or 
"from protocol udp" in terms which filter based on 
port numbers.  The firewall filters are not context 
sensitive, and the protocol is not inferred!  If
you omit the protocol, you could block other useful
stuff, like icmp echo packets with certain sequence
numbers!

The same goes for filters that attempt to block
certain icmp-code or icmp-type, as well as filters
that check on tcp-established, tcp-initial, and
tcp-flags!

Also, if you allow fragmented packets (at the IPv4
layer) in your network, make sure you only block
ports/flags/icmp-stuff on fragment-offset = 0 !!!

Follow these guidelines and you will save yourself
a lot of grief, as well as save me several support 
case phone calls!

BTW, you can use a "commit script" to check your
firewall filters if you're running a sufficiently
recent version of JUNOS!  I think we started them
in 7.2, but it could have been earlier.  There'll
be an example posted on our Knowledge Base soon
(for registered customers only).

Paul Goyette
Juniper Networks Customer Service
JTAC Escalation Engineer and
Security Incident Response Team 
PGP Key ID 0x53BA7731 Fingerprint:
  FA29 0E3B 35AF E8AE 6651
  0786 F758 55DE 53BA 7731 

> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net 
> [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Erdem Sener
> Sent: Monday, September 04, 2006 2:05 PM
> To: Jason J. W. Williams
> Cc: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] Stupid ACL Q & JUNOS 8.0 Q
> Importance: High
> 
> Hello,
> 
>  Please see in-line:
> 
> 
> 
> On 9/4/06, Jason J. W. Williams <jasonjwwilliams at gmail.com> wrote:
> > Hi,
> >
> > I've been searching for an answer to this and I'm a bit
> > befuddled. At the moment I'm trying to configure an ACL to prevent SSH
> > attempts from outside. It appears I need to do so by configuring a filter
> > under the "firewall" configuration area and then apply it to the "input" or
> > "output" on "unit 0 family inet" for the interface connected to the
> > outside.
> 
> If you want to prevent these attempts to the router, you could simply
> define a filter under [edit firewall family inet] section and apply as
> an input filter to your loopback interface.
> 
> Filters applied on the input of the loopback are effective box-wise,
> regardless of the interface they're coming from.
> 
> You should be very careful doing this though, since you'll probably
> want to allow other stuff (like network operators for ssh access for
> example) and will definitely want to allow protocol-based traffic such
> as ospf/bgp/ldp/rsvp etc.
> 
> > My question is am I correct, or do I have to have the
> > stateful firewall license key since the filter is defined under
> > "firewall"? Thanks in advance for the newbie Q.
> 
> You don't need any licence for a standard firewall filter.
> 
> Here's a brief firewall filter example covering the basics; it might
> give you an idea of where to start:
> 
> HTH
> 
> family inet {
>         filter Filter-For-The-Box-Itself {
>             term Management-Any {
>                 from {
>                     source-address {
>                         192.168.0.0/24;
>                     }
>                 }
>                 then accept;
>             }
>             term Management-TelnetOnly {
>                 from {
>                     source-address {
>                         172.16.5.0/28;
>                     }
>                     destination-port telnet;
>                 }
>                 then accept;
>             }
>             term Management-SshOnly {
>                 from {
>                     source-address {
>                         192.168.4.2/32;
>                         192.168.4.3/32;
>                     }
>                     protocol tcp;
>                     port ssh;
>                 }
>                 then accept;
>             }
>             term Established-Connections {
>                 from {
>                     tcp-established;
>                 }
>                 then accept;
>             }
>             term Dns-Queries {
>                 from {
>                     source-port domain;
>                 }
>                 then accept;
>             }
>             term Protocol-Ospf {
>                 from {
>                     protocol ospf;
>                 }
>                 then accept;
>             }
>             term Protocol-Bgp {
>                 from {
>                     destination-port bgp;
>                 }
>                 then accept;
>             }
>             term Protocol-ICMP {
>                 from {
>                     protocol icmp;
>                 }
>                 then accept;
>             }
>             term Management-Snmp {
>                 from {
>                     source-address {
>                         192.168.6.1/32;
>                         192.168.6.10/32;
>                         192.168.6.21/32;
>                     }
>                     destination-port snmp;
>                 }
>                 then accept;
>             }
>             term Protocol-Rsvp {
>                 from {
>                     protocol rsvp;
>                 }
>                 then accept;
>             }
>             term Protocol-Ldp {
>                 from {
>                     protocol [ tcp udp ];
>                     port ldp;
>                 }
>                 then accept;
>             }
>             term Ntp-Queries {
>                 from {
>                     destination-port ntp;
>                 }
>                 then accept;
>             }
>             term All-The-Rest {
>                 then {
>                     discard;
>                 }
>             }
>         }
> }
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
> 
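The check Paul describes for a commit script, worked as an added example that is not code from the thread or from Juniper: a small Python linter that parses Junos curly-brace filter text and flags the patterns he warns about (a port match without `protocol tcp`/`protocol udp`, `tcp-established`/`tcp-initial`/`tcp-flags` without `protocol tcp`, `icmp-type`/`icmp-code` without `protocol icmp`, and, when fragments are allowed, any of those without `fragment-offset 0`). A real commit script runs as SLAX/XSLT against the candidate configuration; this keeps the same logic in Python so it can be run offline against saved configuration text in the form of the quoted example. Assumptions: only `family inet` filters are checked, and the `first-fragment` match condition (not mentioned in the thread) is accepted as equivalent to `fragment-offset 0`. `SAMPLE` is constructed and puts each weak term from Erdem's example beside a corrected form.

```python
# Added example (not code from the thread or from Juniper): lint a Junos 'family inet'
# firewall filter, in curly-brace text form, for the pitfalls raised in the thread.
import re
from dataclasses import dataclass, field

PORT_KEYS = {"port", "source-port", "destination-port"}
TCP_KEYS = {"tcp-established", "tcp-initial", "tcp-flags"}
ICMP_KEYS = {"icmp-type", "icmp-code"}

@dataclass
class Node:
    """One statement: a leaf ('protocol tcp') or a block ('term X { ... }')."""
    text: str
    children: list = field(default_factory=list)

    @property
    def keyword(self):
        return self.text.split()[0]

    @property
    def values(self):
        # 'protocol [ tcp udp ]' -> ['tcp', 'udp'];  'port ssh' -> ['ssh']
        return re.findall(r"[^\s\[\]]+", self.text[len(self.keyword):])

    def child(self, keyword):
        return [c for c in self.children if c.keyword == keyword]

def parse(config_text):
    """Build a Node tree from Junos curly-brace text (whitespace-insensitive)."""
    stack = [Node("root")]
    for stmt, delim in re.findall(r"([^{};]*)([{};])", config_text):
        stmt = stmt.strip()
        if delim == "}":
            stack.pop()
        elif delim == "{":
            stack[-1].children.append(Node(stmt))
            stack.append(stack[-1].children[-1])
        elif stmt:
            stack[-1].children.append(Node(stmt))
    if len(stack) != 1:
        raise ValueError("unbalanced braces in filter configuration")
    return stack[0]

def iter_terms(root):
    """Yield (filter name, term name, 'from' block or None) for every inet term."""
    for fam in root.child("family"):
        if fam.values != ["inet"]:
            continue
        for flt in fam.child("filter"):
            for term in flt.child("term"):
                froms = term.child("from")
                yield flt.values[0], term.values[0], froms[0] if froms else None

def lint_term(from_node, fragments_allowed=True):
    """Return the problems in one term's 'from' clause (empty list = clean)."""
    if from_node is None:  # bare 'then' term such as a final discard: matches all, by design
        return []
    keys = {c.keyword for c in from_node.children}
    protocols = {v for p in from_node.child("protocol") for v in p.values}
    problems = []
    # The filter does not infer the protocol from a port match: without one, the
    # port fields are compared against whatever bytes follow the IP header.
    if keys & PORT_KEYS and not (protocols and protocols <= {"tcp", "udp"}):
        problems.append("port match without 'protocol tcp' or 'protocol udp'")
    if keys & TCP_KEYS and protocols != {"tcp"}:
        problems.append("tcp-established/tcp-initial/tcp-flags without 'protocol tcp'")
    if keys & ICMP_KEYS and protocols != {"icmp"}:
        problems.append("icmp-type/icmp-code without 'protocol icmp'")
    # Non-first fragments carry no transport header, so a layer-4 match on them is
    # meaningless; when fragments are allowed, pin such terms to offset 0.  The
    # 'first-fragment' keyword is accepted as equivalent (assumption; not on the page).
    pinned = from_node.child("first-fragment") or any(
        fo.values == ["0"] for fo in from_node.child("fragment-offset"))
    if fragments_allowed and keys & (PORT_KEYS | TCP_KEYS | ICMP_KEYS) and not pinned:
        problems.append("layer-4 match not restricted to fragment-offset 0")
    return problems

def lint(config_text, fragments_allowed=True):
    """Map 'filter/term' to its problem list, for every term that has one."""
    report = {}
    for flt, term, from_node in iter_terms(parse(config_text)):
        problems = lint_term(from_node, fragments_allowed)
        if problems:
            report[f"{flt}/{term}"] = problems
    return report

# Constructed sample (one term per line; Junos syntax is whitespace-insensitive):
# each weak pattern from the quoted example beside a corrected form.
SAMPLE = """
family inet {
    filter Lint-Demo {
        term Ssh-No-Protocol { from { source-address { 192.168.4.2/32; } port ssh; } then accept; }
        term Ssh-Fixed { from { protocol tcp; fragment-offset 0; port ssh; } then accept; }
        term Established-No-Protocol { from { tcp-established; } then accept; }
        term Ping-No-Protocol { from { icmp-type echo-request; } then discard; }
        term Ldp-Ok { from { protocol [ tcp udp ]; first-fragment; port ldp; } then accept; }
        term All-The-Rest { then { discard; } }
    }
}
"""
```

`lint(SAMPLE)` reports the three `*-No-Protocol` terms, each with two findings (the missing protocol and the missing fragment pin), and passes `Ssh-Fixed`, `Ldp-Ok` and the catch-all discard; `lint(SAMPLE, fragments_allowed=False)` drops the fragment findings. Run against a larger filter, the report is the list of terms to revisit before commit, which is the same outcome the commit script Paul mentions would give.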