[j-nsp] Quick SRX host-inbound Question
Hugo Slabbert
hugo at slabnet.com
Tue Nov 17 13:13:56 EST 2015
On Tue 2015-Nov-17 17:52:11 +0000, Wayne Lee via juniper-nsp <juniper-nsp at puck.nether.net> wrote:
>> I thought you could create your own "service" and apply ports to that
>> specifically
>>
>> I'm running into an issue where I don't want to allow-all on the
>> host-inbound but I do need a fair amount of unlisted ports to still
>> maintain access.
>>
>> Does anyone remember if this is possible. Still sorting through
>> documentation to validate my memory.
>>
>> Thank you,
>>
>>
>> Yes you can configure a custom application and application-set with your
>port ranges and apply that to a policy.
That's for security policy, not host-inbound-traffic. For
host-inbound-traffic, you are limited to the pre-configured system-services
and protocols made available by JunOS:
http://www.juniper.net/documentation/en_US/junos12.1/topics/reference/specifications/zone-host-inbound-traffic-system-service-supported.html
If you want to allow something to the RE that's not listed in there, you'd
have to allow all and then filter it down with a stateless filter on the
loopback in the relevant routing-instance to control traffic to the RE, as
per
http://www.juniper.net/documentation/en_US/junos14.2/topics/concept/firewall-filter-stateless-basic-uses-for.html#jd0e63
But: host-inbound-traffic is for traffic destined for the RE, meaning
services or protocols running on the RE. What unlisted ports are you
talking about that are for services/protocols running on the RE but which
are not available under host-inbound-traffic under either system-services
or protocols?
If you're talking about traffic transiting the SRX, then yes: custom
application and/or application-set definitions + security policies would be
your weapon of choice. Note that you can be exposing absolutely *zero*
services or protocols under host-inbound-traffic while still allowing
through anything else you want in terms of transit traffic via security
policies.
>
>Regards
>
>
>Wayne
--
Hugo
hugo at slabnet.com: email, xmpp/jabber
PGP fingerprint (B178313E):
CF18 15FA 9FE4 0CD1 2319 1D77 9AB1 0FFD B178 313E
(also on Signal)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <https://puck.nether.net/pipermail/juniper-nsp/attachments/20151117/bf1d3470/attachment.sig>
More information about the juniper-nsp
mailing list