Switching

  • 1.  EX4200 Firewall Filter on A VLAN

    Posted 06-13-2016 10:39

    I have an EX4200 running as a switch/router. I have a few servers on a VLAN. I am looking to create a firewall filter and apply this filter to the VLAN with the servers. The goal is to allow RDP (TCP 3389) from a subnet (i.e. 192.168.1.0/24), then deny RDP (TCP 3389) from all other subnets, but allow all other traffic to and from these servers from everything. Can someone help me out with the format I should be using here? I have tried a few things without success.

    Thanks!



  • 2.  RE: EX4200 Firewall Filter on A VLAN
    Best Answer

    Posted 06-13-2016 15:34

    This will be the filter:

    [edit firewall family inet]
    dev@lab01# show
    filter rdp-filter {
        term allow-all {
            from {
                source-address {
                    192.168.1.0/24;
                }
            }
            then {
                accept;
            }
        }
        term block-rdp {
            from {
                protocol tcp;
                destination-port 3389;
            }
            then {
                reject;
            }
        }
        term accept-traffic {
            then accept;
        }
    }

    Apply this to the interfaces you want to protect:

    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    filter {
                        input rdp-filter;
                    }
                }
            }
        }
    }



  • 3.  RE: EX4200 Firewall Filter on A VLAN

    Posted 06-14-2016 06:22

    Thanks for this, but this still does not work. I can still RDP from 192.168.1.0/24 as well as from any other subnet.

    I am looking to add this firewall filter to the VLAN or the VLAN interface. I have tried both firewall filter family inet and firewall filter family ethernet-switching, applying it to the input VLAN and the input VLAN interface.

    What am I missing here?

    I am looking to do the same thing I have done with a Cisco 7609, for instance. I have a Server VLAN; I create an access-list to allow RDP for my subnet, deny RDP from everything else, and allow all traffic, then apply the access-list to the interface vlan.



  • 4.  RE: EX4200 Firewall Filter on A VLAN

    Posted 06-14-2016 06:37

    Hi,

    Can you please elaborate on which interface you applied the filter?

    If you share the config, it might be helpful.

    You could also apply the filter as an output filter if you're applying it on the same interface as where the servers reside, to filter on outgoing traffic from the RVI interface.

    The principle is similar to Cisco, where you apply the access-lists in the 'in' or 'out' direction.


    Cheers,

    Ashvin



  • 5.  RE: EX4200 Firewall Filter on A VLAN

    Posted 06-15-2016 08:05

    Just to follow up on this. I did get this working: I applied the filter to the RVI for outbound. Inbound did nothing.

    Thanks all.

    Just one more piece to this: I added a counter to the block-rdp term to see that things were working, but I am seeing the counter increment slowly even when I am not trying to connect, which tells me something else is hitting this on TCP 3389. I tried to add the "then log" statement, but it tells me this is not supported on egress traffic. Any thoughts on how I can identify what IP is hitting this counter?



  • 6.  RE: EX4200 Firewall Filter on A VLAN

    Posted 06-15-2016 08:36

    Hi,

    There are some limitations with egress filters on EX.

    You could have achieved the same result as the output filter by applying the filter as input on all ingress interfaces, but it's a bit more cumbersome if you have a lot of ingress interfaces. It is important to apply the filter in the same direction as the traffic.

    In this case, you can apply a filter as input on all the ingress interfaces to log the traffic, while still keeping a separate output filter [no logging] on the egress interface.

    Example:

    filter RDP-LOG {
        term RDP-LOG {
            from {
                destination-address {
                    x.x.x.x/x;
                }
                protocol tcp;
                destination-port 3389;
            }
            then {
                log;
                accept;
            }
        }
        term DEFAULT-ACCEPT {
            then accept;
        }
    }

    The filter can be applied as input on all ingress interfaces.

    I believe there are multiple ways of achieving the same result.


    Cheers,

    Ashvin

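As an added example (not code from this thread or from Juniper), here is a small Python model of how Junos evaluates the rdp-filter from reply 2 (terms in order, first match wins, implicit discard at the end) and of the direction question settled in replies 5 and 6: the filter only catches RDP when bound as an output filter on the server VLAN's RVI. The server subnet 10.0.50.0/24 and all packet addresses are constructed assumptions.

```python
# Added example, not code from the thread: models how Junos evaluates a
# firewall filter (terms in order, first match wins, implicit discard at the
# end) and which direction the server VLAN's RVI sees a packet in.
# Assumptions (constructed): servers sit in 10.0.50.0/24 behind the RVI; the
# admin subnet is 192.168.1.0/24 as in the question.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


ADMIN_NET = ipaddress.ip_network("192.168.1.0/24")
SERVER_NET = ipaddress.ip_network("10.0.50.0/24")

# The rdp-filter from reply 2 as (term name, match, action) triples.
RDP_FILTER = [
    ("allow-all", lambda p: ipaddress.ip_address(p.src) in ADMIN_NET, "accept"),
    ("block-rdp", lambda p: p.proto == "tcp" and p.dport == 3389, "reject"),
    ("accept-traffic", lambda p: True, "accept"),
]


def evaluate(terms, pkt):
    """Return (term, action) of the first matching term, else the implicit discard."""
    for name, match, action in terms:
        if match(pkt):
            return name, action
    return "implicit", "discard"


def rvi_direction(pkt):
    """'output' = leaving the router into the VLAN (toward a server);
    'input' = arriving from the VLAN (a server's own traffic)."""
    return "output" if ipaddress.ip_address(pkt.dst) in SERVER_NET else "input"


def apply_on_rvi(terms, pkt, bound_direction):
    """A filter bound in one direction never sees packets travelling the other
    way, which is why an input filter on the RVI 'did nothing' for inbound RDP."""
    if rvi_direction(pkt) != bound_direction:
        return "unfiltered", "accept"
    return evaluate(terms, pkt)
```

Inbound RDP to a server is an output packet on the RVI, while the server's replies (source port 3389) are the only thing an input filter there would see.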


  • 7.  RE: EX4200 Firewall Filter on A VLAN

    Posted 06-15-2016 11:09

    Thanks Ashvin, that did the trick. I found out which system was hammering away on 3389: a sysadmin who was testing a new monitoring system that did a check on the RDP 3389 port. 🙂

    Kudos!



  • 8.  RE: EX4200 Firewall Filter on A VLAN

    Posted 06-15-2016 14:07

    Hi,

    The firewall filter proposed by Spuluka seems to be OK. You have to apply this filter to your loopback lo0 unit 0.

    I hope it helps.

    BR/

    Zakour



  • 9.  RE: EX4200 Firewall Filter on A VLAN

    Posted 06-15-2016 15:34

    Hi,

    Applying a firewall filter on the lo0.0 interface would not help in this case, as this is transit traffic.

    Filters on lo0 are normally used to protect the RE / control plane, i.e. traffic destined to this router / RE.

    Cheers,

    Ashvin