Mailing List Archive

IPv6 firewall
Hi everyone,

I'm testing IPv6 firewall function of JUNOS 5.4R2.4.
I configured a filter as below and applied it to lo0.0
to restrict clients accessible with telnet to the
Juniper box.

firewall {
    family inet6 {
        filter restrict-clients {
            term 1 {
                from {
                    source-address {
                        ::/0;
                        3ffe:507:200::/56 except; # example
                    }
                    destination-port telnet;
                }
                then {
                    log;
                    reject;
                }
            }
            term 2 {
                then {
                    log;
                    accept;
                }
            }
        }
    }
}

This filter worked as I expected. But after I applied it
the box stopped forwarding all packets through it.
It forwarded packets correctly when forwarding with 'direct'
routes, but it didn't when forwarding with non-'direct'
routes, for example 'RIPng' routes.

According to the output of 'show route' the box had learned
routes to destinations. And no 'Reject' entries with regard
to packet un-forwarding appeared in the output of 'show
firewall log'.

Is my configuration, or my understanding of the function,
wrong? Would you please give me any suggestions if you have any?

Best regards,
--
Tomohiko Kurahashi <kura@iij.ad.jp>
Network Engineering Division, Technology Department
Internet Initiative Japan Inc.
IPv6 firewall [ In reply to ]
You need to allow routing protocols to go through too when
applying FW to lo0.

On Tue, 1 Oct 2002 13:57:10 +0900 (JST)
kura@iij.ad.jp wrote:

kura> Hi everyone,
kura>
kura> I'm testing IPv6 firewall function of JUNOS 5.4R2.4.
kura> I configured a filter as below and applied it to lo0.0
kura> to restrict clients accessible with telnet to the
kura> Juniper box.
kura>
kura> firewall {
kura> family inet6 {
kura> filter restrict-clients {
kura> term 1 {
kura> from {
kura> source-address {
kura> ::/0;
kura> 3ffe:507:200::/56 except; # example
kura> }
kura> destination-port telnet;
kura> }
kura> then {
kura> log;
kura> reject;
kura> }
kura> }
kura> term 2 {
kura> then {
kura> log;
kura> accept;
kura> }
kura> }
kura> }
kura> }
kura> }
kura>
kura> This filter worked as I expected. But after I applied it
kura> the box stopped forwarding all packets through it.
kura> It forwarded packets correctly when forwarding with 'direct'
kura> routes, but it didn't when forwarding with non-'direct'
kura> routes, for example 'RIPng' routes.
kura>
kura> According to the output of 'show route' the box had learned
kura> routes to destinations. And no 'Reject' entries with regard
kura> to packet un-forwarding appeared in the output of 'show
kura> firewall log'.
kura>
kura> Is my configuration, or my understanding of the function,
kura> wrong? Would you please give me any suggestions if you have any?
kura>
kura> Best regards,
kura> --
kura> Tomohiko Kurahashi <kura@iij.ad.jp>
kura> Network Engineering Division, Technology Department
kura> Internet Initiative Japan Inc.
kura> _______________________________________________
kura> juniper-nsp mailing list juniper-nsp@puck.nether.net
kura> http://puck.nether.net/mailman/listinfo/juniper-nsp
kura>
IPv6 firewall [ In reply to ]
On Tue, 1 Oct 2002, Joseph wrote:
> You need to allow routing protocols to go through too when
> applying FW to lo0.

Routing protocols rarely use port 'telnet', so IMO there appears to be a
problem there..

>
> On Tue, 1 Oct 2002 13:57:10 +0900 (JST)
> kura@iij.ad.jp wrote:
>
> kura> Hi everyone,
> kura>
> kura> I'm testing IPv6 firewall function of JUNOS 5.4R2.4.
> kura> I configured a filter as below and applied it to lo0.0
> kura> to restrict clients accessible with telnet to the
> kura> Juniper box.
> kura>
> kura> firewall {
> kura> family inet6 {
> kura> filter restrict-clients {
> kura> term 1 {
> kura> from {
> kura> source-address {
> kura> ::/0;
> kura> 3ffe:507:200::/56 except; # example
> kura> }
> kura> destination-port telnet;
> kura> }
> kura> then {
> kura> log;
> kura> reject;
> kura> }
> kura> }
> kura> term 2 {
> kura> then {
> kura> log;
> kura> accept;
> kura> }
> kura> }
> kura> }
> kura> }
> kura> }
> kura>
> kura> This filter worked as I expected. But after I applied it
> kura> the box stopped forwarding all packets through it.
> kura> It forwarded packets correctly when forwarding with 'direct'
> kura> routes, but it didn't when forwarding with non-'direct'
> kura> routes, for example 'RIPng' routes.
> kura>
> kura> According to the output of 'show route' the box had learned
> kura> routes to destinations. And no 'Reject' entries with regard
> kura> to packet un-forwarding appeared in the output of 'show
> kura> firewall log'.
> kura>
> kura> Is my configuration, or my understanding of the function,
> kura> wrong? Would you please give me any suggestions if you have any?
> kura>
> kura> Best regards,
> kura> --
> kura> Tomohiko Kurahashi <kura@iij.ad.jp>
> kura> Network Engineering Division, Technology Department
> kura> Internet Initiative Japan Inc.

--
Pekka Savola "Tell me of difficulties surmounted,
Netcore Oy not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords
IPv6 firewall [ In reply to ]
> I'm testing IPv6 firewall function of JUNOS 5.4R2.4.
> I configured a filter as below and applied it to lo0.0
> to restrict clients accessible with telnet to the
> Juniper box.
>
> firewall {
> family inet6 {
> filter restrict-clients {
> term 1 {
> from {
> source-address {
> ::/0;
> 3ffe:507:200::/56 except; # example
> }
> destination-port telnet;
> }

This "from" specification should also specify that the protocol is
TCP; otherwise, it may be generating a match on packets that you do
not intend that it match (such as routing protocol packets).

Try:

from {
    source-address {
        ::/0;
        3ffe:507:200::/56 except; # example
    }
    next-header tcp;
    destination-port telnet;
}

or something like that.

Stephen
IPv6 firewall [ In reply to ]
On Tue, Oct 01, 2002 at 04:55:02PM +0900, Joseph wrote:
> You need to allow routing protocols to go through too when
> applying FW to lo0.
>
> On Tue, 1 Oct 2002 13:57:10 +0900 (JST)
> kura@iij.ad.jp wrote:
>
> kura> Hi everyone,
> kura>
> kura> I'm testing IPv6 firewall function of JUNOS 5.4R2.4.
> kura> I configured a filter as below and applied it to lo0.0
> kura> to restrict clients accessible with telnet to the
> kura> Juniper box.
> kura>
> kura> firewall {
> kura> family inet6 {
> kura> filter restrict-clients {
> kura> term 1 {
> kura> from {
> kura> source-address {
> kura> ::/0;
> kura> 3ffe:507:200::/56 except; # example
> kura> }
> kura> destination-port telnet;
> kura> }
> kura> then {
> kura> log;
> kura> reject;
> kura> }
> kura> }
> kura> term 2 {
> kura> then {
> kura> log;
> kura> accept;
> kura> }
> kura> }
> kura> }
> kura> }
> kura> }

As long as the routing protocols aren't using port 23, this filter
should pass them. Also, there would not be routes present in the
table if this were the case (I believe the original email stated
there were routes present).

-c
IPv6 firewall [ In reply to ]
> As long as the routing protocols aren't using port 23, this filter
> should pass them. Also, there would not be routes present in the
> table if this were the case (I believe the original email stated
> there were routes present).

The test needs to include the fact that only TCP packets should be
tested for destination port 23. A non-TCP packet could match term 1 of
the filter as written - it could be that some routing protocol packets
have the bit-pattern to match destination port 23 that would fail the
test for TCP protocol (allowing them to fall through to term 2).

Stephen
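As an added illustration (not code from the thread, from Juniper, or from any poster), the following Python models how the filter's terms are evaluated under the hypothesis Stephen raises in this and his earlier reply: with no next-header clause, the destination-port test reads the port bytes of whatever layer-4 header follows, so an ICMPv6 packet whose bytes at that offset happen to equal 23 hits term 1. The longest-match handling of 'except' and the sample packets are assumptions of this simulation, not verified JUNOS behaviour.

```python
import ipaddress

TELNET, TCP, UDP, ICMPV6 = 23, 6, 17, 58

def restrict_clients(require_tcp):
    """The thread's filter as a list of (term, from-clauses, action); with
    require_tcp=True term 1 also carries Stephen's 'next-header tcp'."""
    term1 = {"source_address": [("::/0", False), ("3ffe:507:200::/56", True)],
             "destination_port": TELNET}
    if require_tcp:
        term1["next_header"] = TCP
    return [("1", term1, "reject"), ("2", {}, "accept")]

def source_matches(addr, entries):
    """Assumed JUNOS-style prefix list: the longest matching prefix decides,
    and if that entry is flagged 'except' the address does not match."""
    ip, best = ipaddress.ip_address(addr), None
    for prefix, is_except in entries:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, is_except)
    return best is not None and not best[1]

def term_matches(pkt, clauses):
    if "source_address" in clauses and not source_matches(pkt["src"], clauses["source_address"]):
        return False
    if "next_header" in clauses and pkt["next_header"] != clauses["next_header"]:
        return False
    if "destination_port" in clauses:
        # Thread's hypothesis: without a next-header clause the port test just
        # reads bytes 2-3 of the layer-4 header, whatever protocol owns them.
        if int.from_bytes(pkt["l4"][2:4], "big") != clauses["destination_port"]:
            return False
    return True

def evaluate(pkt, terms):
    """First matching term wins; a packet matching no term is discarded."""
    for name, clauses, action in terms:
        if term_matches(pkt, clauses):
            return name, action
    return None, "discard"

# Constructed packets: source, IPv6 next-header, first 4 bytes of the layer-4 header.
PACKETS = {
    # ICMPv6 echo request whose checksum bytes happen to be 0x0017 (= port 23)
    "ping6": {"src": "3ffe:507:100::1", "next_header": ICMPV6, "l4": bytes([128, 0, 0x00, 0x17])},
    "ripng": {"src": "fe80::1", "next_header": UDP, "l4": bytes([2, 9, 2, 9])},  # UDP 521 -> 521
    "telnet_outsider": {"src": "3ffe:507:300::9", "next_header": TCP, "l4": bytes([0xC0, 0, 0, 23])},
    "telnet_admin": {"src": "3ffe:507:200::5", "next_header": TCP, "l4": bytes([0xC0, 1, 0, 23])},
}
```

Running `evaluate(PACKETS["ping6"], restrict_clients(False))` returns term 1 / reject, while the same packet against `restrict_clients(True)` falls through to term 2 / accept; the telnet and RIPng packets are treated identically by both variants.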
IPv6 firewall [ In reply to ]
From: jkei@zak.att.ne.jp
Date: Tue Oct 01 2002 14:30:15 JST
>
> You need to allow routing protocols to go through too when
> applying FW to lo0.

I have already done it. No routing protocols are restricted by
my filter. All packets, except some of telnet, should be accepted
in 'term 2'. And routers in my test network correctly exchange
route information with each other with RIPng.

Best regards,
--
Tomohiko Kurahashi <kura@iij.ad.jp>
Network Engineering Division, Technology Department
Internet Initiative Japan Inc.


> On Tue, 1 Oct 2002 13:57:10 +0900 (JST)
> kura@iij.ad.jp wrote:
>
> kura> Hi everyone,
> kura>
> kura> I'm testing IPv6 firewall function of JUNOS 5.4R2.4.
> kura> I configured a filter as below and applied it to lo0.0
> kura> to restrict clients accessible with telnet to the
> kura> Juniper box.
> kura>
> kura> firewall {
> kura> family inet6 {
> kura> filter restrict-clients {
> kura> term 1 {
> kura> from {
> kura> source-address {
> kura> ::/0;
> kura> 3ffe:507:200::/56 except; # example
> kura> }
> kura> destination-port telnet;
> kura> }
> kura> then {
> kura> log;
> kura> reject;
> kura> }
> kura> }
> kura> term 2 {
> kura> then {
> kura> log;
> kura> accept;
> kura> }
> kura> }
> kura> }
> kura> }
> kura> }
> kura>
> kura> This filter worked as I expected. But after I applied it
> kura> the box stopped forwarding all packets through it.
> kura> It forwarded packets correctly when forwarding with 'direct'
> kura> routes, but it didn't when forwarding with non-'direct'
> kura> routes, for example 'RIPng' routes.
> kura>
> kura> According to the output of 'show route' the box had learned
> kura> routes to destinations. And no 'Reject' entries with regard
> kura> to packet un-forwarding appeared in the output of 'show
> kura> firewall log'.
> kura>
> kura> Is my configuration, or my understanding of the function,
> kura> wrong? Would you please give me any suggestions if you have any?
> kura>
> kura> Best regards,
> kura> --
> kura> Tomohiko Kurahashi <kura@iij.ad.jp>
> kura> Network Engineering Division, Technology Department
> kura> Internet Initiative Japan Inc.
IPv6 firewall [ In reply to ]
From: stuart@tech.org
Date: Tue Oct 01 2002 17:34:15 JST
>
> This "from" specification should also specify that the protocol is
> TCP; otherwise, it may be generating a match on packets that you do
> not intend that it match (such as routing protocol packets).
>
> Try:
>
> from {
> source-address {
> ::/0;
> 3ffe:507:200::/56 except; # example
> }
> next-header tcp;
> destination-port telnet;
> }
>
> or something like that.

I added 'next-header tcp' in my filter but no changes were
observed.

And I think that routing is not my problem. The following
figure is a part of my test network.

=+======+= =+======+=
| segA | | segB |
Router_A M-10 Router_B

My problem is that ping6 from Router_A to loopback I/F of
Router_B, and from Router_B to loopback of Router_A, fail
only after applying the filter to lo0.0 of M-10. Of course
every router has a route to segA, segB and the loopback I/F of
each other even after applying the filter.

Best regards,
--
Tomohiko Kurahashi <kura@iij.ad.jp>
Network Engineering Division, Technology Department
Internet Initiative Japan Inc.
IPv6 firewall [ In reply to ]
> And I think that routing is not my problem. The following
> figure is a part of my test network.
>
> =+======+= =+======+=
> | segA | | segB |
> Router_A M-10 Router_B
>
> My problem is that ping6 from Router_A to loopback I/F of
> Router_B, and from Router_B to loopback of Router_A, fail
> only after applying the filter to lo0.0 of M-10. Of course
> every router has a route to segA, segB and the loopback I/F of
> each other even after applying the filter.

You've got logging on both terms of the filter; what do the firewall
logs say?

Stephen
IPv6 firewall [ In reply to ]
From: stuart@tech.org
Date: Wed Oct 02 2002 02:13:47 JST
>
> > And I think that routing is not my problem. The following
> > figure is a part of my test network.
> >
> > =+======+= =+======+=
> > | segA | | segB |
> > Router_A M-10 Router_B
> >
> > My problem is that ping6 from Router_A to loopback I/F of
> > Router_B, and from Router_B to loopback of Router_A, fail
> > only after applying the filter to lo0.0 of M-10. Of course
> > every router has a route to segA, segB and the loopback I/F of
> > each other even after applying the filter.
>
> You've got logging on both terms of the filter; what do the firewall
> logs say?

I already mentioned this in my first mail, as below.

Date: Tue Oct 01 2002 13:57:10 JST
Subject: [j-nsp] IPv6 firewall
>
> And no 'Reject' entries with regard
> to packet un-forwarding appeared in the output of 'show
> firewall log'.

--
Tomohiko Kurahashi <kura@iij.ad.jp>