Mailing List Archive

Re: [EXT] firewall filter misses connected interface addresses
What hardware and software version? There were some bugs/limitations with certain combinations.

On Mon, Dec 09, 2019 at 07:42:02AM -0800, Mike wrote:
> Hello,
>
> I have a problem getting junos to filter out admin access to my router
> from unauthorized addresses.
>
> I have some addresses bound to lo0.0 which I am advertising internally
> in my igp, and which are the 'official' addresses used for SNMP, SSH and
> BGP to the router.
>
> I have firewall filters also that limit access to these protocols using
> prefix lists and such, and these filters are applied to lo0.0. The
> filters work and I can observe log messages for invalid accesses to the
> protocols from unauthorized ip addresses. HOWEVER, snmp/ssh/bgp access
> to other ip addresses bound on the router, such as ethernet interface
> addresses, is still being allowed. I thought, according to various
> junos docs, that applying a filter to lo0.0 filters out packets destined
> locally to the box regardless of actual interface. Could use some help.
>
>
> Here is the filter for ssh/telnet/snmp:
>
> term allowed-login {
>     from {
>         prefix-list {
>             admin-hosts;
>         }
>         protocol tcp;
>         destination-port [ ssh telnet ];
>     }
>     then accept;
> }
> term no-other-logins {
>     from {
>         protocol tcp;
>         destination-port [ ssh telnet ];
>     }
>     then {
>         count bad-admin-access;
>         log;
>         discard;
>     }
> }
> term allowed-snmp {
>     from {
>         prefix-list {
>             network-mgmt-stations;
>         }
>         protocol udp;
>         destination-port snmp;
>     }
>     then accept;
> }
> term no-more-snmp {
>     from {
>         protocol udp;
>         destination-port snmp;
>     }
>     then {
>         count bad-snmp-access;
>         log;
>         syslog;
>         discard;
>     }
> }
>
> term allow-peers {
>     from {
>         source-prefix-list {
>             bgp-peers;
>         }
>         protocol tcp;
>         destination-port bgp;
>     }
>     then accept;
> }
> term no-other-peers {
>     from {
>         protocol tcp;
>         destination-port bgp;
>     }
>     then {
>         count bad-bgp-connect;
>         discard;
>     }
> }
>
> here is the config for lo0.0:
>
> family inet {
>     filter {
>         input-list [ limit-admin limit-bgp ALLOW ];
>     }
>     address blah1/32;
>     address blah2/32;
>     address blah3/32 {
>         primary;
>         preferred;
>     }
> }
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [EXT] firewall filter misses connected interface addresses [ In reply to ]
Hello Mike,

if you're using that lo0.0 in a routing-instance or use more than one
loopback you could also run into these restrictions:

- If you configure Filter A on the default loopback interface and
Filter B on the VRF loopback interface, the VRF routing instance uses
Filter B.

- If you configure Filter A on the default loopback interface but do
not configure a filter on the VRF loopback interface, the VRF routing
instance does not use a filter.

- If you configure Filter A on the default loopback interface but do
not even configure a VRF loopback interface, the VRF routing instance
uses Filter A.

See
https://www.juniper.net/documentation/en_US/junos/topics/usage-guidelines/vpns-configuring-logical-units-on-the-loopback-interface-for-routing-instances-in-layer-3-vpns.html


BR
Andreas

On Mon, 9 Dec 2019 15:46:38 +0000, Anderson, Charles R wrote:
> What hardware and software version? There were some bugs/limitations
> with certain combinations.

Re: [EXT] firewall filter misses connected interface addresses [ In reply to ]
I use something like this so the same firewall filter is applied on all lo0.* interfaces of all VRFs and logical-systems:

set groups RE-FILTER logical-systems <*> interfaces lo0 unit <*> family inet filter input ROUTING-ENGINE
set groups RE-FILTER logical-systems <*> interfaces lo0 unit <*> family inet6 filter input ROUTING-ENGINE6
set groups RE-FILTER interfaces lo0 unit <*> family inet filter input ROUTING-ENGINE
set groups RE-FILTER interfaces lo0 unit <*> family inet6 filter input ROUTING-ENGINE6
set apply-groups RE-FILTER

On Mon, Dec 09, 2019 at 05:10:01PM +0100, Andreas wrote:
> Hello Mike,
>
> if you're using that lo0.0 in a routing-instance or use more than one
> loopback you could also run into these restrictions:
>
> - If you configure Filter A on the default loopback interface and
> Filter B on the VRF loopback interface, the VRF routing instance uses
> Filter B.
>
> - If you configure Filter A on the default loopback interface but do
> not configure a filter on the VRF loopback interface, the VRF routing
> instance does not use a filter.
>
> - If you configure Filter A on the default loopback interface but do
> not even configure a VRF loopback interface, the VRF routing instance
> uses Filter A.
>
> See
> https://www.juniper.net/documentation/en_US/junos/topics/usage-guidelines/vpns-configuring-logical-units-on-the-loopback-interface-for-routing-instances-in-layer-3-vpns.html
>
>
> BR
> Andreas
>
> On Mon, 9 Dec 2019 15:46:38 +0000, Anderson, Charles R wrote:
> > What hardware and software version? There were some bugs/limitations
> > with certain combinations.
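As an added example (editorial, not code from anyone in this thread), the script below turns the three loopback-filter rules Andreas quoted, plus the wildcard apply-group approach Charles posted, into an offline audit of a Junos configuration in `set` format: for every routing instance it reports which input filter actually protects Routing-Engine-bound traffic, and lists the instances that end up with none. The class and function names, the sample configuration, and the model of group inheritance (explicit statements win over group statements, `<*>` matches any unit number, logical-systems are skipped) are simplifications assumed here, not Junos's own semantics in full detail.

```python
"""Audit which input filter protects the Routing Engine for each routing instance.

Rules implemented (quoted in the thread from the Juniper L3VPN loopback docs):
  1. VRF loopback with its own filter      -> the VRF uses that filter
  2. VRF loopback without a filter         -> the VRF uses NO filter
  3. VRF without any loopback unit         -> the VRF uses the master lo0.0 filter
Group inheritance is modelled in a simplified way (assumption): an explicit
statement beats a group statement, '<*>' matches any unit, logical-systems ignored.
"""
from fnmatch import fnmatch


def tokenize(line):
    """Split a 'set ...' line; a bracketed '[ a b ]' list becomes one list token."""
    tokens, words, i = [], line.split(), 0
    while i < len(words):
        if words[i] == "[":
            j = words.index("]", i)
            tokens.append(words[i + 1:j])
            i = j + 1
        else:
            tokens.append(words[i])
            i += 1
    return tokens


class LoopbackAudit:
    def __init__(self):
        self.explicit = {}      # (unit, family) -> [filter names] configured directly
        self.groups = {}        # group -> [(unit pattern, family, [filter names])]
        self.apply_groups = []  # order matters: earlier groups take precedence
        self.vrf_loopback = {}  # vrf name -> lo0 unit number, or None if no loopback

    def load(self, text):
        for raw in text.splitlines():
            toks = tokenize(raw.strip())
            if not toks or toks[0] != "set":
                continue
            toks, group = toks[1:], None
            if toks[0] == "groups":
                group, toks = toks[1], toks[2:]
            if toks[0] == "apply-groups":
                self.apply_groups.append(toks[1])
            elif toks[0] == "logical-systems":
                continue  # out of scope for this simplified audit
            elif toks[:3] == ["interfaces", "lo0", "unit"] and len(toks) > 3:
                self._interface(group, toks[3], toks[4:])
            elif toks[0] == "routing-instances":
                self._routing_instance(toks[1], toks[2:])

    def _interface(self, group, unit, rest):
        # rest is e.g. ['family', 'inet', 'filter', 'input', 'NAME'] or an address statement
        if rest[:1] != ["family"] or rest[2:3] != ["filter"]:
            return
        names = rest[4] if isinstance(rest[4], list) else [rest[4]]  # input or input-list
        if group is None:
            self.explicit[(unit, rest[1])] = names
        else:
            self.groups.setdefault(group, []).append((unit, rest[1], names))

    def _routing_instance(self, vrf, rest):
        self.vrf_loopback.setdefault(vrf, None)
        if rest[:1] == ["interface"] and rest[1].startswith("lo0."):
            self.vrf_loopback[vrf] = rest[1].split(".", 1)[1]

    def effective_filter(self, unit, family):
        """Explicit statement first, then applied groups in order ('<*>' is a wildcard)."""
        if (unit, family) in self.explicit:
            return self.explicit[(unit, family)]
        for g in self.apply_groups:
            for pattern, fam, names in self.groups.get(g, []):
                if fam == family and fnmatch(unit, pattern.strip("<>")):
                    return names
        return None

    def report(self, family="inet"):
        """Map each routing instance to the filter list guarding its RE traffic (None = unfiltered)."""
        result = {"master": self.effective_filter("0", family)}
        for vrf, unit in self.vrf_loopback.items():
            # rule 3 when the VRF has no loopback unit; rules 1 and 2 otherwise
            result[vrf] = result["master"] if unit is None else self.effective_filter(unit, family)
        return result

    def unprotected(self, family="inet"):
        return sorted(name for name, names in self.report(family).items() if not names)


# Constructed sample configuration (assumption, not from the thread).
SAMPLE = """\
set interfaces lo0 unit 0 family inet address 192.0.2.1/32
set interfaces lo0 unit 0 family inet filter input RE-MAIN
set interfaces lo0 unit 1 family inet address 192.0.2.2/32
set interfaces lo0 unit 2 family inet address 192.0.2.3/32
set interfaces lo0 unit 2 family inet filter input RE-CUST-B
set routing-instances CUST-A instance-type vrf
set routing-instances CUST-A interface lo0.1
set routing-instances CUST-B instance-type vrf
set routing-instances CUST-B interface lo0.2
set routing-instances MGMT instance-type vrf
"""
# The wildcard group from the thread, restricted to family inet for the sample.
RE_FILTER_GROUP = """\
set groups RE-FILTER interfaces lo0 unit <*> family inet filter input ROUTING-ENGINE
set apply-groups RE-FILTER
"""


def audit(text):
    """Return (per-instance filter map, sorted names of unprotected instances)."""
    a = LoopbackAudit()
    a.load(text)
    return a.report(), a.unprotected()


if __name__ == "__main__":
    print("without group:", audit(SAMPLE))
    print("with group:   ", audit(SAMPLE + RE_FILTER_GROUP))
```

On the constructed sample, CUST-A has a loopback unit with no filter and is reported as unprotected (rule 2) while MGMT, which has no loopback unit, inherits RE-MAIN (rule 3); adding the RE-FILTER group closes the CUST-A gap without touching the explicit filter on lo0.0.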