[j-nsp] [EXT] firewall filter misses connected interface addresses

Anderson, Charles R cra at wpi.edu
Mon Dec 9 10:46:38 EST 2019


What hardware and software version?  There were some bugs/limitations with certain combinations.

On Mon, Dec 09, 2019 at 07:42:02AM -0800, Mike wrote:
> Hello,
> 
> I have a problem getting Junos to filter out admin access to my router
> from unauthorized addresses.
> 
> I have some addresses bound to lo0.0 which I am advertising internally
> in my IGP, and which are the 'official' addresses used for SNMP, SSH and
> BGP to the router.
> 
> I have firewall filters also that limit access to these protocols using
> prefix lists and such, and these filters are applied to lo0.0. The
> filters work and I can observe log messages for invalid accesses to the
> protocols from unauthorized IP addresses. HOWEVER, SNMP/SSH/BGP access
> to other IP addresses bound on the router, such as Ethernet interface
> addresses, is still being allowed. I thought, according to various
> Junos docs, that applying a filter to lo0.0 filters out packets destined
> locally to the box regardless of actual interface. Could use some help.
> 
> 
> Here is the filter for SSH/telnet/SNMP:
> 
> term allowed-login {
>     from {
>         prefix-list {
>            admin-hosts;
>         }
>         protocol tcp;
>         destination-port [ ssh telnet ];
>     }
>     then accept;
> }
> term no-other-logins {
>     from {
>         protocol tcp;
>         destination-port [ ssh telnet ];
>     }
>     then {
>         count bad-admin-access;
>         log;
>         discard;
>     }
> }
> term allowed-snmp {
>     from {
>         prefix-list {
>             network-mgmt-stations;
>         }
>         protocol udp;
>         destination-port snmp;
>     }
>     then accept;
> }
> term no-more-snmp {
>     from {
>         protocol udp;
>         destination-port snmp;
>     }
>     then {
>         count bad-snmp-access;
>         log;
>         syslog;
>         discard;
>     }
> }
> 
> term allow-peers {
>     from {
>         source-prefix-list {
>             bgp-peers;
>         }
>         protocol tcp;
>         destination-port bgp;
>     }
>     then accept;
> }
> term no-other-peers {
>     from {
>         protocol tcp;
>         destination-port bgp;
>     }
>     then {
>         count bad-bgp-connect;
>         discard;
>     }
> }
> 
> Here is the config for lo0.0:
> 
> family inet {
>     filter {
>         input-list [ limit-admin limit-bgp ALLOW ];
>     }
>     address blah1/32;
>     address blah2/32;
>     address blah3/32 {
>         primary;
>         preferred;
>     }
> }
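The quoted terms carry no destination-address match at all: each one keys on protocol, destination port and (for the accept terms) a prefix list, so under the documented lo0.0 semantics the verdict for a given source should not depend on which of the router's own addresses is targeted. The following added example, which is not code from the thread, models those six terms with Junos first-match evaluation so the expected verdict and counter hits can be worked out offline and compared with what `show firewall` and the log actually report on the box. The prefix-list contents and the sample packets are constructed; the real `admin-hosts`, `network-mgmt-stations` and `bgp-peers` lists are not shown in the thread. In the model, `prefix-list` matches the source or destination address and `source-prefix-list` the source only, as Junos defines them.

```python
"""Added example: first-match evaluator for the filter terms quoted above.
Prefix-list contents and sample packets are constructed, not from the thread."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed prefix-list contents (the real lists are not shown in the thread).
PREFIX_LISTS = {
    "admin-hosts": ["192.0.2.0/24"],
    "network-mgmt-stations": ["198.51.100.10/32"],
    "bgp-peers": ["203.0.113.0/24"],
}

# Named ports as written in the filter.
PORTS = {"ssh": 22, "telnet": 23, "snmp": 161, "bgp": 179}


def in_prefix_list(addr: str, name: str) -> bool:
    """True if addr falls inside any prefix of the named list."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in PREFIX_LISTS[name])


@dataclass
class Term:
    name: str
    protocol: Optional[str] = None
    dst_ports: frozenset = frozenset()
    # Junos 'prefix-list' matches source OR destination address;
    # 'source-prefix-list' matches the source address only.
    prefix_list: Optional[str] = None
    source_prefix_list: Optional[str] = None
    action: str = "accept"          # accept | discard
    counter: Optional[str] = None   # name given to 'count'
    log: bool = False

    def matches(self, pkt: dict) -> bool:
        if self.protocol and pkt["proto"] != self.protocol:
            return False
        if self.dst_ports and pkt["dport"] not in self.dst_ports:
            return False
        if self.prefix_list and not (in_prefix_list(pkt["src"], self.prefix_list)
                                     or in_prefix_list(pkt["dst"], self.prefix_list)):
            return False
        if self.source_prefix_list and not in_prefix_list(pkt["src"], self.source_prefix_list):
            return False
        return True


# The six terms from the thread, transcribed into the model in their original order.
LOGIN = frozenset({PORTS["ssh"], PORTS["telnet"]})
TERMS = [
    Term("allowed-login", "tcp", LOGIN, prefix_list="admin-hosts"),
    Term("no-other-logins", "tcp", LOGIN, action="discard", counter="bad-admin-access", log=True),
    Term("allowed-snmp", "udp", frozenset({PORTS["snmp"]}), prefix_list="network-mgmt-stations"),
    Term("no-more-snmp", "udp", frozenset({PORTS["snmp"]}), action="discard", counter="bad-snmp-access", log=True),
    Term("allow-peers", "tcp", frozenset({PORTS["bgp"]}), source_prefix_list="bgp-peers"),
    Term("no-other-peers", "tcp", frozenset({PORTS["bgp"]}), action="discard", counter="bad-bgp-connect"),
]


def evaluate(pkt: dict, terms=TERMS) -> tuple:
    """First matching term decides, as in a Junos filter.  A packet matching no
    term falls through to the next filter in the input-list (or to the implicit
    discard at the end of the list); reported here as ('no-match', 'next-filter')."""
    for term in terms:
        if term.matches(pkt):
            return term.name, term.action
    return "no-match", "next-filter"


def audit(packets, terms=TERMS) -> dict:
    """Evaluate a batch and tally the 'count' names the way 'show firewall' reports them."""
    counters = {t.counter: 0 for t in terms if t.counter}
    decisions = []
    by_name = {t.name: t for t in terms}
    for pkt in packets:
        name, action = evaluate(pkt, terms)
        decisions.append((pkt["dst"], name, action))
        term = by_name.get(name)
        if term and term.counter:
            counters[term.counter] += 1
    return {"decisions": decisions, "counters": counters}


# Constructed packets: the same unauthorized source aimed at a lo0 address and
# at an interface address.  No term matches on destination address, so the
# verdict is the same for both destinations.
SAMPLE = [
    {"src": "192.0.2.7", "dst": "10.255.0.1", "proto": "tcp", "dport": 22},   # admin host -> lo0 address
    {"src": "172.16.9.9", "dst": "10.255.0.1", "proto": "tcp", "dport": 22},  # stranger -> lo0 address
    {"src": "172.16.9.9", "dst": "10.1.1.1", "proto": "tcp", "dport": 22},    # stranger -> interface address
    {"src": "172.16.9.9", "dst": "10.1.1.1", "proto": "udp", "dport": 161},   # stranger SNMP
    {"src": "203.0.113.5", "dst": "10.1.1.1", "proto": "tcp", "dport": 179},  # listed BGP peer
    {"src": "172.16.9.9", "dst": "10.1.1.1", "proto": "icmp", "dport": 0},    # not covered by these terms
]

if __name__ == "__main__":
    result = audit(SAMPLE)
    for row in result["decisions"]:
        print(row)
    print(result["counters"])
```

If the model says `discard` for SSH to an interface address but the box accepts the session and `bad-admin-access` does not increment, the policy itself is not the problem; that is the point at which the platform and release, as the reply asks, become the question.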