[j-nsp] Quick SRX host-inbound Question

Michael Gehrmann mgehrmann at atlassian.com
Tue Nov 17 17:03:46 EST 2015 

You might have better luck with the junos-host zone.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB24227&actp=search

On 18 November 2015 at 05:13, Hugo Slabbert <hugo at slabnet.com> wrote:

>
> On Tue 2015-Nov-17 17:52:11 +0000, Wayne Lee via juniper-nsp <
> juniper-nsp at puck.nether.net> wrote:
>
> I thought you could create your own "service" and apply ports to that
>>> specifically
>>>
>>> I'm running into an issue where I don't want to allow-all on the
>>> host-inbound but I do need a fair amount of unlisted ports to still
>>> maintain access.
>>>
>>> Does anyone remember if this is possible.  Still sorting through
>>> documentation to validate my memory.
>>>
>>> Thank you,
>>>
>>>
>>> Yes you can configure a custom application and application-set with your
>>>
>> port ranges and apply that to a policy.
>>
>
> That's for security policy, not host-inbound-traffic.  For
> host-inbound-traffic, you are limited to the pre-configured system-services
> and protocols made available by JunOS:
>
>
> http://www.juniper.net/documentation/en_US/junos12.1/topics/reference/specifications/zone-host-inbound-traffic-system-service-supported.html
>
> If you want to allow something to the RE that's not listed in there, you'd
> have to allow all and then filter it down with a stateless filter on the
> loopback in the relevant routing-instance to control traffic to the RE, as
> per
> http://www.juniper.net/documentation/en_US/junos14.2/topics/concept/firewall-filter-stateless-basic-uses-for.html#jd0e63
>
> But: host-inbound-traffic is for traffic destined for the RE, meaning
> services or protocols running on the RE.  What unlisted ports are you
> talking about that are for services/protocols running on the RE but which
> are not available under host-inbound-traffic under either system-services
> or protocols?
>
> If you're talking about traffic transiting the SRX, then yes: custom
> application and/or application-set definitions + security policies would be
> your weapon of choice.  Note that you can be exposing absolutely *zero*
> services or protocols under host-inbound-traffic while still allowing
> through anything else you want in terms of transit traffic via security
> policies.
>
>
>> Regards
>>
>>
>> Wayne
>>
>
> --
> Hugo
>
> hugo at slabnet.com: email, xmpp/jabber
> PGP fingerprint (B178313E):
> CF18 15FA 9FE4 0CD1 2319 1D77 9AB1 0FFD B178 313E
>
> (also on Signal)
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>



-- 
Michael Gehrmann
Senior Network Engineer - Atlassian
m: +61 407 570 658

More information about the juniper-nsp mailing list