[j-nsp] [EXT] firewall filter misses connected interface addresses
Andreas
ml-network at tibdefender.com
Mon Dec 9 11:10:01 EST 2019
Hello Mike,
if you're using that lo0.0 in a routing instance or use more than one
loopback, you could also run into these restrictions:
- If you configure Filter A on the default loopback interface and
Filter B on the VRF loopback interface, the VRF routing instance uses
Filter B.
- If you configure Filter A on the default loopback interface but do
not configure a filter on the VRF loopback interface, the VRF routing
instance does not use a filter.
- If you configure Filter A on the default loopback interface but do
not even configure a VRF loopback interface, the VRF routing instance
uses Filter A.
See
https://www.juniper.net/documentation/en_US/junos/topics/usage-guidelines/vpns-configuring-logical-units-on-the-loopback-interface-for-routing-instances-in-layer-3-vpns.html
BR
Andreas
On Mon, 9 Dec 2019 15:46:38 +0000, Anderson, Charles R wrote:
> What hardware and software version? There were some bugs/limitations
> with certain combinations.
>
> On Mon, Dec 09, 2019 at 07:42:02AM -0800, Mike wrote:
>> Hello,
>>
>> I have a problem getting Junos to filter out admin access to my router
>> from unauthorized addresses.
>>
>> I have some addresses bound to lo0.0 which I am advertising internally
>> in my IGP, and which are the 'official' addresses used for SNMP, SSH and
>> BGP to the router.
>>
>> I have firewall filters also that limit access to these protocols using
>> prefix lists and such, and these filters are applied to lo0.0. The
>> filters work and I can observe log messages for invalid accesses to the
>> protocols from unauthorized IP addresses. HOWEVER, SNMP/SSH/BGP access
>> to other IP addresses bound on the router, such as Ethernet interface
>> addresses, is still being allowed. I thought, according to various
>> Junos docs, that applying a filter to lo0.0 filters out packets destined
>> locally to the box regardless of actual interface. Could use some help.
>>
>> Here is the filter for ssh/telnet/snmp:
>>
>> term allowed-login {
>>     from {
>>         prefix-list {
>>             admin-hosts;
>>         }
>>         protocol tcp;
>>         destination-port [ ssh telnet ];
>>     }
>>     then accept;
>> }
>> term no-other-logins {
>>     from {
>>         protocol tcp;
>>         destination-port [ ssh telnet ];
>>     }
>>     then {
>>         count bad-admin-access;
>>         log;
>>         discard;
>>     }
>> }
>> term allowed-snmp {
>>     from {
>>         prefix-list {
>>             network-mgmt-stations;
>>         }
>>         protocol udp;
>>         destination-port snmp;
>>     }
>>     then accept;
>> }
>> term no-more-snmp {
>>     from {
>>         protocol udp;
>>         destination-port snmp;
>>     }
>>     then {
>>         count bad-snmp-access;
>>         log;
>>         syslog;
>>         discard;
>>     }
>> }
>>
>> term allow-peers {
>>     from {
>>         source-prefix-list {
>>             bgp-peers;
>>         }
>>         protocol tcp;
>>         destination-port bgp;
>>     }
>>     then accept;
>> }
>> term no-other-peers {
>>     from {
>>         protocol tcp;
>>         destination-port bgp;
>>     }
>>     then {
>>         count bad-bgp-connect;
>>         discard;
>>     }
>> }
>>
>> Here is the config for lo0.0:
>>
>> family inet {
>>     filter {
>>         input-list [ limit-admin limit-bgp ALLOW ];
>>     }
>>     address blah1/32;
>>     address blah2/32;
>>     address blah3/32 {
>>         primary;
>>         preferred;
>>     }
>> }
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp