
EX4650 - loopback filter - ospf
Hi,

I'm currently migrating EX4500 to EX4650.

Our loopback filter taken from EX4500 to EX4650 doesn't behave as expected.

Our lo0 filter looks like:
set interfaces lo0 unit 0 family inet filter input filter-management
set firewall family inet filter filter-management term ALLOW_SSH from source-prefix-list ssh-admin
set firewall family inet filter filter-management term ALLOW_SSH from protocol tcp
set firewall family inet filter filter-management term ALLOW_SSH from destination-port ssh
set firewall family inet filter filter-management term ALLOW_SSH then count filter-management_ALLOW_SSH
set firewall family inet filter filter-management term ALLOW_SSH then accept
set firewall family inet filter filter-management term DROP_SSH from source-address 0.0.0.0/0
set firewall family inet filter filter-management term DROP_SSH from protocol tcp
set firewall family inet filter filter-management term DROP_SSH from destination-port ssh
set firewall family inet filter filter-management term DROP_SSH then count filter-management_DROP_SSH
set firewall family inet filter filter-management term DROP_SSH then discard
set firewall family inet filter filter-management term ALLOW_NTP from source-prefix-list router-self
set firewall family inet filter filter-management term ALLOW_NTP from source-prefix-list ntp-servers
set firewall family inet filter filter-management term ALLOW_NTP from protocol udp
set firewall family inet filter filter-management term ALLOW_NTP from source-port ntp
set firewall family inet filter filter-management term ALLOW_NTP then count filter-management_ALLOW_NTP
set firewall family inet filter filter-management term ALLOW_NTP then accept
...(bunch of allow terms)
set firewall family inet filter filter-management term accept-ospf from protocol ospf
set firewall family inet filter filter-management term accept-ospf then count filter-management-accept-ospf
set firewall family inet filter filter-management term accept-ospf then log
set firewall family inet filter filter-management term accept-ospf then syslog
set firewall family inet filter filter-management term accept-ospf then accept
set firewall family inet filter filter-management term accept-ospf-igmp from destination-prefix-list ospf-routers
set firewall family inet filter filter-management term accept-ospf-igmp from protocol igmp
set firewall family inet filter filter-management term accept-ospf-igmp then count filter-management-accept-ospf-igmp
set firewall family inet filter filter-management term accept-ospf-igmp then accept


If my filter stops here (implicit discard), ospf sessions previously
established eventually fail.

If the last term is a default accept, OSPF is working fine.

How do you accept OSPF and deny the rest on this platform?

Thanks
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: EX4650 - loopback filter - ospf
Hi

Here I use "from prefix-list". From what I understand from Juniper, when
"from destination-prefix-list" is inserted it is as if it were an IP on the
internal interface of the network and not a source IP filter, and
"from prefix-list" is more like source address.

set firewall family inet filter PROTECT_RE term acesso-ospf from prefix-list ACCESS-v4-OSPF
set firewall family inet filter PROTECT_RE term acesso-ospf from protocol ospf
set firewall family inet filter PROTECT_RE term acesso-ospf then accept

Re: EX4650 - loopback filter - ospf
Thanks Cristian,

Not specifying a source should work since this rule is supposed to be wider.

I think my question is EX4650 specific. Do you use the EX4650 platform?

Thanks

On 21/03/2023 at 11:38, Cristian Cardoso wrote:
> Hi
>
> Here I use "from prefix-list". From what I understand from Juniper, when
> "from destination-prefix-list" is inserted it is as if it were an IP on
> the internal interface of the network and not a source IP filter, and
> "from prefix-list" is more like source address.
>
> set firewall family inet filter PROTECT_RE term acesso-ospf from prefix-list ACCESS-v4-OSPF
> set firewall family inet filter PROTECT_RE term acesso-ospf from protocol ospf
> set firewall family inet filter PROTECT_RE term acesso-ospf then accept
>

Re: EX4650 - loopback filter - ospf
No, I use MX's and QFX's and EX these days.

On Tue, 21 Mar 2023 at 08:05, Laurent CARON <lcaron@unix-scripts.info> wrote:

> Thanks Cristian,
>
> Not specifying a source should work since this rule is supposed to be wider.
>
> I think my question is EX4650 specific. Do you use the EX4650 platform?
>
> Thanks
>
> On 21/03/2023 at 11:38, Cristian Cardoso wrote:
> > Hi
> >
> > Here I use "from prefix-list". From what I understand from Juniper, when
> > "from destination-prefix-list" is inserted it is as if it were an IP on
> > the internal interface of the network and not a source IP filter, and
> > "from prefix-list" is more like source address.
> >
> > set firewall family inet filter PROTECT_RE term acesso-ospf from prefix-list ACCESS-v4-OSPF
> > set firewall family inet filter PROTECT_RE term acesso-ospf from protocol ospf
> > set firewall family inet filter PROTECT_RE term acesso-ospf then accept
> >
Re: EX4650 - loopback filter - ospf
On Tue, 21 Mar 2023 at 10:29, Laurent CARON via juniper-nsp
<juniper-nsp@puck.nether.net> wrote:
> set firewall family inet filter filter-management term accept-ospf from protocol ospf
> set firewall family inet filter filter-management term accept-ospf then count filter-management-accept-ospf
> set firewall family inet filter filter-management term accept-ospf then log
> set firewall family inet filter filter-management term accept-ospf then syslog
> set firewall family inet filter filter-management term accept-ospf then accept
> set firewall family inet filter filter-management term accept-ospf-igmp from destination-prefix-list ospf-routers
> set firewall family inet filter filter-management term accept-ospf-igmp from protocol igmp
> set firewall family inet filter filter-management term accept-ospf-igmp then count filter-management-accept-ospf-igmp
> set firewall family inet filter filter-management term accept-ospf-igmp then accept
>
>
> If my filter stops here (implicit discard), ospf sessions previously
> established eventually fail.
>
> If the last term is a default accept, OSPF is working fine.

https://www.juniper.net/documentation/us/en/software/junos/interfaces-adaptive-services/topics/ref/statement/destination-prefix-list-edit-services-stateful-firewall.html

https://www.juniper.net/documentation/us/en/software/junos/interfaces-adaptive-services/topics/ref/statement/source-prefix-list-edit-services-stateful-firewall.html

Is the prefix list "ospf-routers" intended to match against source
and/or destination IPv4/v6 addresses in the particular RE_FILTER rule?

Re: EX4650 - loopback filter - ospf
On 21/03/2023 at 13:07, Chriztoffer via juniper-nsp wrote:
> https://www.juniper.net/documentation/us/en/software/junos/interfaces-adaptive-services/topics/ref/statement/destination-prefix-list-edit-services-stateful-firewall.html
>
> https://www.juniper.net/documentation/us/en/software/junos/interfaces-adaptive-services/topics/ref/statement/source-prefix-list-edit-services-stateful-firewall.html
>
> Is the prefix list "ospf-routers" intended to match against source
> and/or destination IPv4/v6 addresses in the particular RE_FILTER rule?
>

Hi,

ospf-routers is defined as follows:

set policy-options prefix-list ospf-routers 224.0.0.5/32
set policy-options prefix-list ospf-routers 224.0.0.6/32

Thanks

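The thread does not establish what the EX4650 is discarding, so the practical first step is to turn the implicit discard into an explicit, counted and logged term and read the counters; the OSPF term below also spells out the source/destination prefix-list distinction that Cristian and Chriztoffer raise. This is an added example, not configuration from the thread: the prefix-list names ospf-routers and router-self are the original poster's, while ospf-neighbours, its 192.0.2.0/24 value and the term name deny-rest are assumptions for illustration, and the comment lines are for the reader only.

```junos
# AllSPFRouters / AllDRouters, as defined in the original post
set policy-options prefix-list ospf-routers 224.0.0.5/32
set policy-options prefix-list ospf-routers 224.0.0.6/32
# this router's own IPv4 interface addresses: unicast OSPF packets
# (DBD, LSR, LSU, LSAck) are addressed to these, not to the multicast groups
set policy-options prefix-list router-self apply-path "interfaces <*> unit <*> family inet address <*>"
# segments where OSPF neighbours are expected (assumed value)
set policy-options prefix-list ospf-neighbours 192.0.2.0/24

# OSPF is IP protocol 89. source-prefix-list pins the sender side only; the
# two destination-prefix-list entries are ORed, so multicast and unicast OSPF
# packets to this router both match. A plain "from prefix-list X" would match
# X as either source or destination, which is the distinction raised above.
set firewall family inet filter filter-management term accept-ospf from source-prefix-list ospf-neighbours
set firewall family inet filter filter-management term accept-ospf from destination-prefix-list ospf-routers
set firewall family inet filter filter-management term accept-ospf from destination-prefix-list router-self
set firewall family inet filter filter-management term accept-ospf from protocol ospf
set firewall family inet filter filter-management term accept-ospf then count filter-management-accept-ospf
set firewall family inet filter filter-management term accept-ospf then accept

# Replace the implicit discard with an explicit one that counts and logs, so
# the per-term counter and the firewall log show what the filter rejects.
set firewall family inet filter filter-management term deny-rest then count filter-management-deny-rest
set firewall family inet filter filter-management term deny-rest then log
set firewall family inet filter filter-management term deny-rest then discard

set interfaces lo0 unit 0 family inet filter input filter-management
```

After commit, `show firewall filter filter-management` gives the per-term counters and `show firewall log` lists the packets that hit deny-rest; if protocol-89 packets show up there while `show ospf neighbor` degrades, the accepting term is not matching them and the prefix lists are the first thing to compare against the addresses actually seen in the log.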