[j-nsp] [EXT] firewall filter misses connected interface addresses
Anderson, Charles R
cra at wpi.edu
Mon Dec 9 16:13:23 EST 2019
I use something like this so the same firewall filter is applied on all lo0.* interfaces of all VRFs and logical-systems:
set groups RE-FILTER logical-systems <*> interfaces lo0 unit <*> family inet filter input ROUTING-ENGINE
set groups RE-FILTER logical-systems <*> interfaces lo0 unit <*> family inet6 filter input ROUTING-ENGINE6
set groups RE-FILTER interfaces lo0 unit <*> family inet filter input ROUTING-ENGINE
set groups RE-FILTER interfaces lo0 unit <*> family inet6 filter input ROUTING-ENGINE6
set apply-groups RE-FILTER
On Mon, Dec 09, 2019 at 05:10:01PM +0100, Andreas wrote:
> Hello Mike,
>
> if you're using that lo0.0 in a routing-instance or use more than one
> loopback you could also run into these restrictions:
>
> - If you configure Filter A on the default loopback interface and
> Filter B on the VRF loopback interface, the VRF routing instance uses
> Filter B.
>
> - If you configure Filter A on the default loopback interface but do
> not configure a filter on the VRF loopback interface, the VRF routing
> instance does not use a filter.
>
> - If you configure Filter A on the default loopback interface but do
> not even configure a VRF loopback interface, the VRF routing instance
> uses Filter A.
>
> See
> https://www.juniper.net/documentation/en_US/junos/topics/usage-guidelines/vpns-configuring-logical-units-on-the-loopback-interface-for-routing-instances-in-layer-3-vpns.html
>
>
> BR
> Andreas
>
> On Mon, 9 Dec 2019 15:46:38 +0000, Anderson, Charles R wrote:
> > What hardware and software version? There were some bugs/limitations
> > with certain combinations.
> >
> > On Mon, Dec 09, 2019 at 07:42:02AM -0800, Mike wrote:
> >> Hello,
> >>
> >> I have a problem getting junos to filter out admin access to my router
> >> from unauthorized addresses.
> >>
> >> I have some addresses bound to lo0.0 which I am advertising internally
> >> in my igp, and which are the 'official' addresses used for SNMP, SSH and
> >> BGP to the router.
> >>
> >> I have firewall filters also that limit access to these protocols using
> >> prefix lists and such, and these filters are applied to lo0.0. The
> >> filters work and I can observe log messages for invalid accesses to the
> >> protocols from unauthorized ip addresses. HOWEVER, snmp/ssh/bgp access
> >> to other ip addresses bound on the router, such as ethernet interface
> >> addresses, is still being allowed. I thought, according to various
> >> junos docs, that applying a filter to lo0.0 filters out packets destined
> >> locally to the box regardless of actual interface. Could use some help.
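As an added illustration (not part of this thread or anyone's posted configuration), below is a minimal ROUTING-ENGINE filter of the kind the RE-FILTER group above references. It matches on source prefix and port only, never on destination address: the whole point of an lo0 input filter is that it sees every packet destined to the Routing Engine, whichever interface address was targeted, so SSH/SNMP/BGP to an Ethernet interface address is caught by the same terms. The prefix-list names, the RFC 5737 example prefixes and the term names are assumptions chosen for this example; the inet6 counterpart (ROUTING-ENGINE6) follows the same shape and is omitted.

```text
# Constructed example: who may manage the box and who may peer with it.
set policy-options prefix-list MGMT-NETS 192.0.2.0/24
set policy-options prefix-list MGMT-NETS 198.51.100.0/24
set policy-options prefix-list BGP-NEIGHBORS 203.0.113.0/24

# BGP: "port bgp" matches source OR destination 179, so sessions the router
# initiates (ephemeral local port, remote 179) are covered as well.
set firewall family inet filter ROUTING-ENGINE term ALLOW-BGP from source-prefix-list BGP-NEIGHBORS
set firewall family inet filter ROUTING-ENGINE term ALLOW-BGP from protocol tcp
set firewall family inet filter ROUTING-ENGINE term ALLOW-BGP from port bgp
set firewall family inet filter ROUTING-ENGINE term ALLOW-BGP then accept

# SSH only from management networks.
set firewall family inet filter ROUTING-ENGINE term ALLOW-SSH from source-prefix-list MGMT-NETS
set firewall family inet filter ROUTING-ENGINE term ALLOW-SSH from protocol tcp
set firewall family inet filter ROUTING-ENGINE term ALLOW-SSH from destination-port ssh
set firewall family inet filter ROUTING-ENGINE term ALLOW-SSH then accept

# SNMP only from management networks.
set firewall family inet filter ROUTING-ENGINE term ALLOW-SNMP from source-prefix-list MGMT-NETS
set firewall family inet filter ROUTING-ENGINE term ALLOW-SNMP from protocol udp
set firewall family inet filter ROUTING-ENGINE term ALLOW-SNMP from destination-port snmp
set firewall family inet filter ROUTING-ENGINE term ALLOW-SNMP then accept

# Anything else aimed at those services is logged and dropped, regardless of
# which local address it was sent to. syslog/count give you the evidence that
# the filter is actually seeing the traffic (the check the original poster
# was doing when he noticed interface addresses slipping through).
set firewall family inet filter ROUTING-ENGINE term DENY-TCP-MGMT from protocol tcp
set firewall family inet filter ROUTING-ENGINE term DENY-TCP-MGMT from destination-port ssh
set firewall family inet filter ROUTING-ENGINE term DENY-TCP-MGMT from destination-port bgp
set firewall family inet filter ROUTING-ENGINE term DENY-TCP-MGMT then count DENY-TCP-MGMT
set firewall family inet filter ROUTING-ENGINE term DENY-TCP-MGMT then syslog
set firewall family inet filter ROUTING-ENGINE term DENY-TCP-MGMT then discard

set firewall family inet filter ROUTING-ENGINE term DENY-SNMP from protocol udp
set firewall family inet filter ROUTING-ENGINE term DENY-SNMP from destination-port snmp
set firewall family inet filter ROUTING-ENGINE term DENY-SNMP then count DENY-SNMP
set firewall family inet filter ROUTING-ENGINE term DENY-SNMP then syslog
set firewall family inet filter ROUTING-ENGINE term DENY-SNMP then discard

# Catch-all accept so the example does not break IGP, ICMP, NTP, DNS, etc.
# A production RE filter normally whitelists those explicitly and ends in discard.
set firewall family inet filter ROUTING-ENGINE term ACCEPT-OTHER then accept
```

When applying this for the first time, use `commit confirmed` and test from an unauthorized source against both a loopback address and an interface address: `show firewall filter ROUTING-ENGINE` should show the DENY counters incrementing for both. If the interface-address probes are still answered while the loopback ones are dropped, you are hitting the platform/version or VRF-loopback behaviour discussed earlier in the thread rather than a filter logic error.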