[j-nsp] firewall filter misses connected interface addresses

Mike mike+lists at yourtownonline.com
Mon Dec 9 10:42:02 EST 2019


Hello,

I have a problem getting junos to filter out admin access to my router
from unauthorized addresses.

I have some addresses bound to lo0.0 which I am advertising internally
in my igp, and which are the 'official' addresses used for SNMP, SSH and
BGP to the router.

I have firewall filters also that limit access to these protocols using
prefix lists and such, and these filters are applied to lo0.0. The
filters work and I can observe log messages for invalid accesses to the
protocols from unauthorized ip addresses. HOWEVER, snmp/ssh/bgp access
to other ip addresses bound on the router, such as ethernet interface
addresses, are still being allowed. I thought, according to various
junos docs, that applying a filter to lo0.0 filters out packets destined
locally to the box regardless of actual interface. Could use some help.


Here is the filter for ssh/telnet/snmp:

term allowed-login {
    from {
        prefix-list {
           admin-hosts;
        }
        protocol tcp;
        destination-port [ ssh telnet ];
    }
    then accept;
}
term no-other-logins {
    from {
        protocol tcp;
        destination-port [ ssh telnet ];
    }
    then {
        count bad-admin-access;

        log;

        discard;
    }
}
term allowed-snmp {
    from {
        prefix-list {
            network-mgmt-stations;
        }
        protocol udp;
        destination-port snmp;
    }
    then accept;
}
term no-more-snmp {
    from {
        protocol udp;
        destination-port snmp;
    }
    then {
        count bad-snmp-access;
        log;
        syslog;
        discard;
    }
}

term allow-peers {
    from {
        source-prefix-list {
            bgp-peers;
        }
        protocol tcp;
        destination-port bgp;
    }
    then accept;
}
term no-other-peers {
    from {
        protocol tcp;
        destination-port bgp;
    }
    then {
        count bad-bgp-connect;
        discard;
    }
}

here is the config for lo0.0:

family inet {
    filter {
        input-list [ limit-admin limit-bgp ALLOW ];
    }
    address blah1/32;
    address blah2/32;
    address blah3/32 {
        primary;
        preferred;
    }
}



Thank you.





More information about the juniper-nsp mailing list