[j-nsp] [EXT] firewall filter misses connected interface addresses

Anderson, Charles R cra at wpi.edu
Mon Dec 9 16:13:23 EST 2019


I use something like this so the same firewall filter is applied on all lo0.* interfaces of all VRFs and logical-systems:

set groups RE-FILTER logical-systems <*> interfaces lo0 unit <*> family inet filter input ROUTING-ENGINE
set groups RE-FILTER logical-systems <*> interfaces lo0 unit <*> family inet6 filter input ROUTING-ENGINE6
set groups RE-FILTER interfaces lo0 unit <*> family inet filter input ROUTING-ENGINE
set groups RE-FILTER interfaces lo0 unit <*> family inet6 filter input ROUTING-ENGINE6
set apply-groups RE-FILTER

On Mon, Dec 09, 2019 at 05:10:01PM +0100, Andreas wrote:
>  Hello Mike,
> 
>  if you're using that lo0.0 in a routing-instance or use more than one 
>  loopback you could also run into these restrictions:
> 
>  - If you configure Filter A on the default loopback interface and 
>  Filter B on the VRF loopback interface, the VRF routing instance uses 
>  Filter B.
> 
>  - If you configure Filter A on the default loopback interface but do 
>  not configure a filter on the VRF loopback interface, the VRF routing 
>  instance does not use a filter.
> 
>  - If you configure Filter A on the default loopback interface but do 
>  not even configure a VRF loopback interface, the VRF routing instance 
>  uses Filter A.
> 
>  See 
>  https://www.juniper.net/documentation/en_US/junos/topics/usage-guidelines/vpns-configuring-logical-units-on-the-loopback-interface-for-routing-instances-in-layer-3-vpns.html
> 
> 
>  BR
>  Andreas
> 
>  On Mon, 9 Dec 2019 15:46:38 +0000, Anderson, Charles R wrote:
> > What hardware and software version?  There were some bugs/limitations
> > with certain combinations.
> >
> > On Mon, Dec 09, 2019 at 07:42:02AM -0800, Mike wrote:
> >> Hello,
> >>
> >> I have a problem getting junos to filter out admin access to my router from unauthorized addresses.
> >>
> >> I have some addresses bound to lo0.0 which I am advertising internally in my igp, and which are the 'official' addresses used for SNMP, SSH and BGP to the router.
> >>
> >> I have firewall filters also that limit access to these protocols using prefix lists and such, and these filters are applied to lo0.0. The filters work and I can observe log messages for invalid accesses to the protocols from unauthorized ip addresses. HOWEVER, snmp/ssh/bgp access to other ip addresses bound on the router, such as ethernet interface addresses, is still being allowed. I thought, according to various junos docs, that applying a filter to lo0.0 filters out packets destined locally to the box regardless of actual interface. Could use some help.
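For readers who want to see what the ROUTING-ENGINE filter referenced by the RE-FILTER group above might look like, here is an added example (not Charles's or Mike's configuration) of an IPv4 filter that restricts SSH, SNMP and BGP to prefix lists and logs everything else aimed at those ports, while letting all other RE-bound traffic through so the IGP keeps working. The prefix-list names, addresses and term names are assumed; only the filter name comes from the thread, and the inet6 twin ROUTING-ENGINE6 is left out.

```junos
/* Assumed prefix lists; the thread only says "prefix lists and such". */
policy-options {
    prefix-list MGMT-HOSTS { 192.0.2.0/24; }
    prefix-list BGP-PEERS { 198.51.100.0/24; }
}
firewall {
    family inet {
        filter ROUTING-ENGINE {
            /* Management protocols are accepted only from the listed sources. */
            term ssh-from-mgmt {
                from {
                    source-prefix-list { MGMT-HOSTS; }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term snmp-from-mgmt {
                from {
                    source-prefix-list { MGMT-HOSTS; }
                    protocol udp;
                    destination-port snmp;
                }
                then accept;
            }
            term bgp-from-peers {
                from {
                    source-prefix-list { BGP-PEERS; }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            /* Anything else aimed at those ports is recorded and dropped. */
            term deny-mgmt-from-elsewhere {
                from {
                    protocol [ tcp udp ];
                    destination-port [ ssh snmp bgp ];
                }
                then {
                    log;
                    syslog;
                    discard;
                }
            }
            /* Final accept keeps OSPF/IS-IS, ICMP, NTP etc. working. */
            term everything-else { then accept; }
        }
    }
}
```

After committing, `show configuration interfaces lo0 | display inheritance` confirms the group actually landed on every lo0 unit, and `show firewall filter ROUTING-ENGINE` together with `show firewall log` shows whether the deny term is catching the accesses Mike describes.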

