[j-nsp] juniper-nsp Digest, Vol 55, Issue 33

Metz, E.T. (Eduard) Eduard.Metz at tno.nl
Thu Jun 28 09:31:13 EDT 2007


Your filter allows tcp traffic with either source or destination port
telnet (23). If you telnet to a webserver the source port (router point
of view) will be chosen dynamically (it is not 23!) and the destination
port is 80. Since neither the source nor the destination port of the tcp
connection is equal to 23, the (return) traffic is dropped.

Expand your filter (suggestions in earlier mails) to allow return
traffic from tcp connections that originated from the router. See also
this http://www.cymru.com/gillsr/documents/junos-template.htm and this
http://juniper.cluepon.net/index.php/Secure_access for some directions
on hardening.

/Eduard

> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net 
> [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of 
> Kanagaraj Krishna
> Sent: donderdag 28 juni 2007 12:46
> To: David Ball
> Cc: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] juniper-nsp Digest, Vol 55, Issue 33
> 
> Hi,
>     Aren't the incoming filters used to filter access to
> certain services/ports into the router? I'm curious about how an
> external response (from a telnet request) could be affected
> unless it tries to respond to port 80 of the initiator, which
> in normal circumstances is not likely. Any comments?
> 
> /Kana
>   ----- Original Message -----
>   From: David Ball
>   To: Kanagaraj Krishna
>   Cc: juniper-nsp at puck.nether.net
>   Sent: Thursday, June 28, 2007 3:42 AM
>   Subject: Re: [j-nsp] juniper-nsp Digest, Vol 55, Issue 33
> 
> 
>      It very likely IS allowing OUTgoing telnet, even without the
>   adjustment in your filter.  The problem is, it's not allowing the
>   response from the (assumed) web server in the INbound direction,
>   hence your need for the allowance in your input filter.
> 
>   David
> 
> 
>   On 6/27/07, Kanagaraj Krishna <kanagaraj at aims.com.my> wrote:
>   > Hi,
>   >    I've applied an input filter (hardening) to protect the routing
>   > engine of an m7i by applying it on the loopback IP. Refer to the
>   > config below. The issue is that we can't telnet port:80 to any
>   > external IP from the box itself. Obviously I've not allowed access
>   > to port 80 on my box in the input filter, but why would it affect
>   > the outgoing telnet? I tried allowing port 80 access on the input
>   > filter and after that the outgoing telnet works. Anyone facing the
>   > same issue?
>   >
>   > Regards,
>   > Kana
>   >
>   >
>   > lo0 {
>   >         unit 0 {
>   >             family inet {
>   >                 filter {
>   >                     input protect-RE;
>   >                 }
>   >                 address xxx.xxx.xxx.xxx/32;
>   >             }
>   >         }
>   >     }
>   >
>   > firewall {
>   >      filter protect-RE {
>   > ---config omitted----
>   >
>   >          term telnet {
>   >             from {
>   >                 protocol tcp;
>   >                 port telnet;
>   >             }
>   >             then {
>   >                 policer telnet-policer;
>   >                 accept;
>   >             }
>   >          }
>   >
>   > ---config omitted----
>   > _______________________________________________
>   > juniper-nsp mailing list juniper-nsp at puck.nether.net
>   > https://puck.nether.net/mailman/listinfo/juniper-nsp
>   >
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net 
> https://puck.nether.net/mailman/listinfo/juniper-nsp
> 

This e-mail and its contents are subject to the DISCLAIMER at http://www.tno.nl/disclaimer/email.html
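To make Eduard's explanation concrete, the following script (an added example, not part of the thread and not Juniper code) simulates a stateless lo0 input filter evaluating a few constructed packets. The original `term telnet` matches `port telnet` on either source or destination, so the SYN/ACK coming back from a web server (source port 80, dynamic destination port) falls through to the implicit discard. The expanded filter adds a `tcp-established` term ahead of it; that name mirrors the JunOS match condition that accepts TCP segments with ACK or RST set, which is the usual way to admit return traffic for sessions the router itself originated (the thread's "earlier mails" are not on this page, so treating that as the suggested fix is an assumption). Port numbers, flag values and packet tuples below are constructed for the demonstration.

```python
"""Simulate a stateless JunOS-style lo0 input filter on router-originated
TCP sessions.  Added example; not from the thread or from Juniper.  All
packets are constructed; 'tcp-established' mirrors the JunOS match of
that name (ACK or RST bit set) -- assumed to be the fix the earlier
mails suggested, as those mails are not on this page."""
from dataclasses import dataclass

TELNET = 23
HTTP = 80
SYN = 0x02
RST = 0x04
ACK = 0x10


@dataclass(frozen=True)
class Packet:
    """Fields the filter looks at, as seen by the router receiving it."""
    proto: str
    src_port: int
    dst_port: int
    flags: int = 0


def term_telnet(pkt):
    """'from { protocol tcp; port telnet; }' -- matches src OR dst port."""
    return pkt.proto == "tcp" and TELNET in (pkt.src_port, pkt.dst_port)


def term_tcp_established(pkt):
    """'from { protocol tcp; tcp-established; }' -- ACK or RST set."""
    return pkt.proto == "tcp" and bool(pkt.flags & (ACK | RST))


def evaluate(pkt, terms):
    """First matching term accepts; an unmatched packet hits the implicit
    discard at the end of a JunOS filter."""
    for name, match in terms:
        if match(pkt):
            return ("accept", name)
    return ("discard", "implicit-discard")


# The filter from the original post, and the same filter with a
# tcp-established term placed in front of it.
ORIGINAL_FILTER = [("telnet", term_telnet)]
EXPANDED_FILTER = [("tcp-established", term_tcp_established),
                   ("telnet", term_telnet)]

# Constructed packets arriving at lo0 (router is the receiver).
INBOUND_TELNET_SYN = Packet("tcp", 51000, TELNET, SYN)    # admin telnets to the RE
RETURN_FROM_WEB = Packet("tcp", HTTP, 60234, SYN | ACK)   # reply to 'telnet host 80' from the box
UNSOLICITED_SYN_80 = Packet("tcp", 40000, HTTP, SYN)      # unsolicited connection attempt to port 80


def demo():
    """Return the verdict of each filter for each constructed packet."""
    results = {}
    for fname, terms in (("original", ORIGINAL_FILTER),
                         ("expanded", EXPANDED_FILTER)):
        results[fname] = {
            "inbound_telnet": evaluate(INBOUND_TELNET_SYN, terms)[0],
            "return_from_web": evaluate(RETURN_FROM_WEB, terms)[0],
            "unsolicited_syn_80": evaluate(UNSOLICITED_SYN_80, terms)[0],
        }
    return results


if __name__ == "__main__":
    for fname, verdicts in demo().items():
        for pkt_name, verdict in verdicts.items():
            print(f"{fname:9s} {pkt_name:20s} {verdict}")
```

The run shows the point of the thread: `original` discards `return_from_web` while `expanded` accepts it, and both still discard the unsolicited SYN to port 80 because a bare SYN has neither ACK nor RST set. The caveat a stateless filter carries is also visible in the code: `tcp-established` admits any segment with ACK set regardless of whether the router really opened the session, so the Cymru template pairs it with source-prefix restrictions and policers rather than relying on it alone.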

