[j-nsp] [EXT] firewall filter misses connected interface addresses

Michael Hare michael.hare at wisc.edu
Tue Dec 10 10:09:05 EST 2019


Charles-

This may be off mark but you have tried removing and re-adding the filter to your lo0.0 or doing a commit full?

I have seen apply-groups inheritance issues in 16.1 that match the sort of issues you are having.  I have experienced them both in BGP and firewall filters.  For example, I used an apply-group for iBGP and I have seen changes inside the config group result in a mismatch between config and operational behavior after a commit.  Same deal with firewall filters.  I've seen it across all of my MX gear and I didn't see this behavior in 14.1.

At some point JTAC pointed me to this the following PR.  

https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR1357802 

I have seen the description of this PR change over time.  When I was first pointed to the PR it was all about vrf-import but now I see it has been expanded to other types of inheritance.  Personally I have NOT seen an RPD core with respect to this issue.  

I have been using 18.3R3 in my lab and haven't seen inheritance issues (yet?)

-Michael

> -----Original Message-----
> From: juniper-nsp <juniper-nsp-bounces at puck.nether.net> On Behalf Of
> Anderson, Charles R
> Sent: Monday, December 9, 2019 3:13 PM
> To: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] [EXT] firewall filter misses connected interface addresses
> 
> I use something like this so the same firewall filter is applied on all lo0.*
> interfaces of all VRFs and logical-systems:
> 
> set groups RE-FILTER logical-systems <*> interfaces lo0 unit <*> family inet
> filter input ROUTING-ENGINE
> set groups RE-FILTER logical-systems <*> interfaces lo0 unit <*> family inet6
> filter input ROUTING-ENGINE6
> set groups RE-FILTER interfaces lo0 unit <*> family inet filter input ROUTING-
> ENGINE
> set groups RE-FILTER interfaces lo0 unit <*> family inet6 filter input
> ROUTING-ENGINE6
> set apply-groups RE-FILTER
> 
> On Mon, Dec 09, 2019 at 05:10:01PM +0100, Andreas wrote:
> >  Hello Mike,
> >
> >  if you're using that lo0.0 in a routing-instance or use more than one
> >  loopback you could also run into these restrictions:
> >
> >  - If you configure Filter A on the default loopback interface and
> >  Filter B on the VRF loopback interface, the VRF routing instance uses
> >  Filter B.
> >
> >  - If you configure Filter A on the default loopback interface but do
> >  not configure a filter on the VRF loopback interface, the VRF routing
> >  instance does not use a filter.
> >
> >  - If you configure Filter A on the default loopback interface but do
> >  not even configure a VRF loopback interface, the VRF routing instance
> >  uses Filter A.
> >
> >  See
> >  https://www.juniper.net/documentation/en_US/junos/topics/usage-
> guidelines/vpns-configuring-logical-units-on-the-loopback-interface-for-
> routing-instances-in-layer-3-vpns.html
> >
> >
> >  BR
> >  Andreas
> >
> >  On Mon, 9 Dec 2019 15:46:38 +0000, Anderson, Charles R wrote:
> > > What hardware and software version?  There were some
> bugs/limitations
> > > with certain combinations.
> > >
> > > On Mon, Dec 09, 2019 at 07:42:02AM -0800, Mike wrote:
> > >> Hello,
> > >>
> > >> I have a problem getting junos to filter out admin access to my
> > >> router
> > >> from unauthorized addresses.
> > >>
> > >> I have some addresses bound to lo0.0 which I am advertising
> > >> internally
> > >> in my igp, and which are the 'official' addresses used for SNMP, SSH
> > >> and
> > >> BGP to the router.
> > >>
> > >> I have firewall filters also that limit access to these protocols
> > >> using
> > >> prefix lists and such, and these filters are applied to lo0.0. The
> > >> filters work and I can observe log messages for invalid accesses to
> > >> the
> > >> protocols from unauthorized ip addresses. HOWEVER, snmp/ssh/bgp
> > >> access
> > >> to other ip addresses bound on the router, such as ethernet
> > >> interface
> > >> addresses, are still being allowed. I thought, according to various
> > >> junos docs, that applying a filter to lo0.0 filters out packets
> > >> destined
> > >> locally to the box regardless of actual interface. Could use some
> > >> help.
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp


More information about the juniper-nsp mailing list