Switching

  • 1.  Juniper EX4200 Firewall Filtering not working?

    Posted 10-10-2013 14:47

    Hello,

    I have applied a firewall filter which, by all appearances, looks to be correct. However, my desired effect has not been obtained.

    My EX4200 is configured as a Layer 3 switch, no routing (BGP, OSPF, etc.). If there is a way I can blackhole/null-route these IPs, that might work too.

    I basically want to block all traffic from x.x.x.x/32 to vlanX, really simple stuff...
    root@dal1-core1# show firewall
    family ethernet-switching {
        filter broncos {
            term block_udp {
                from {
                    source-address {
                        69.93.94.154/32;
                        109.233.112.63/32;
                        183.61.241.31/32;
                        186.2.164.89/32;
                        60.214.139.197/32;
                        122.224.32.238/32;
                    }
                }
                then discard;
            }
            term allow_all {
                then accept;
            }
        }
    }

    root@dal1-core1# show vlans vlan231
    vlan-id 231;
    filter {
        input broncos;
    }
    l3-interface vlan.231;

    22:17:30.921036 IP 122.13.167.117.57068 > 69.194.236.111.domain: 44276+ [1au] ANY? 30259.info. (51)
    22:17:30.923000 IP 60.214.139.197.32393 > 69.194.236.119.domain: 39391+ [1au] ANY? 30259.info. (51)
    22:17:30.924021 IP 122.224.32.238.59516 > 69.194.236.84.domain: 15588+ [1au] ANY? 30259.info. (51)
    22:17:30.925686 IP 60.214.139.197.apc-9951 > 69.194.236.66.domain: 20473+ [1au] ANY? 30259.info. (51)
    22:17:30.926677 IP 67.159.54.157.51346 > 69.194.236.123.domain: 45630+ [1au] ANY? 30259.info. (51)
    22:17:30.927749 IP 122.224.32.238.50724 > 69.194.236.80.domain: 25724+ [1au] ANY? 30259.info. (51)
    22:17:30.929011 IP 122.224.32.238.52602 > 69.194.236.102.domain: 6806+ [1au] ANY? 30259.info. (51)
    22:17:30.930439 IP 186.2.164.90.23762 > 69.194.237.38.domain: 62206+ [1au] ANY? 30259.info. (51)
    22:17:30.930616 IP 186.2.164.90.34258 > 69.194.237.38.domain: 62206+ [1au] ANY? 30259.info. (51)
    22:17:30.931351 IP 122.224.32.238.33883 > 69.194.236.125.domain: 35805+ [1au] ANY? 30259.info. (51)
    22:17:30.931583 IP 60.214.139.197.16800 > 69.194.236.89.domain: 41056+ [1au] ANY? 30259.info. (51)
    22:17:30.932268 IP 186.2.164.90.46443 > 69.194.237.52.domain: 39757+ [1au] ANY? 30259.info. (51)
    22:17:30.932720 IP 186.2.164.89.16071 > 69.194.236.90.domain: 46929+ [1au] ANY? 30259.info. (51)
    22:17:30.936045 IP 122.224.32.238.62786 > 69.194.237.59.domain: 25102+ [1au] ANY? 30259.info. (51)
    22:17:30.937806 IP 60.214.139.197.42798 > 69.194.236.68.domain: 3586+ [1au] ANY? 30259.info. (51)
    22:17:30.938491 IP 109.233.112.63.32562 > 69.194.237.48.domain: 21150+ [1au] ANY? fir.45lol.com. (54)
    Any help provided would be much appreciated.
    Thank you.



  • 2.  RE: Juniper EX4200 Firewall Filtering not working?

    Posted 10-11-2013 16:27

    So, just an update here: I've managed to get a little further, but still no luck...

    root@dal1-core1# show firewall
    family inet {
        filter broncos-l3-filter {
            term block_udp {
                from {
                    protocol udp;
                    destination-port [ domain 53 ];
                }
                then {
                    count broncos-l3-counter;
                    discard;
                }
            }
            term allow_all {
                then accept;
            }
        }
    }

    root@dal1-core1# show interfaces vlan unit 231
    family inet {
        filter {
            input broncos-l3-filter;
        }
    }

    root@dal1-core1> show firewall

    Filter: broncos-l3-filter
    Counters:
    Name                  Bytes       Packets
    broncos-l3-counter    43582604    473808

    root@broncos [~]# tcpdump -i eth0 -s0 'port 53'
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    18:21:21.637048 IP 60.214.139.194.36104 > 69.194.236.97.domain: 34872+ [1au] ANY? 36088.info. (51)
    18:21:21.637203 IP 69.194.237.57.domain > 186.2.167.74.57885: 28011- 0/13/1 (250)
    18:21:21.637695 IP 69.194.236.97.domain > 60.214.139.194.36104: 34872- 0/13/1 (250)
    18:21:21.639027 IP 59.63.181.2.27015 > 69.194.237.38.domain: 30609+ [1au] ANY? 36088.info. (51)
    18:21:21.639030 IP 69.194.235.227.44081 > 8.8.8.8.domain: 32096+ PTR? 97.236.194.69.in-addr.arpa. (44)
    18:21:21.639580 IP 69.194.237.38.domain > 59.63.181.2.27015: 30609- 0/13/1 (250)
    18:21:21.639828 IP 60.214.139.198.738 > 69.194.236.93.domain: 622+ [1au] ANY? 36088.info. (51)
    18:21:21.640354 IP 69.194.236.93.domain > 60.214.139.198.738: 622- 0/13/1 (250)
    18:21:21.640382 IP 60.214.139.198.12947 > 69.194.236.116.domain: 17253+ [1au] ANY? 36088.info. (51)
    18:21:21.640822 IP 60.214.139.199.29641 > 69.194.235.228.domain: 55711+ [1au] ANY? 36088.info. (51)
    18:21:21.640844 IP 69.194.236.116.domain > 60.214.139.198.12947: 17253- 0/13/1 (250)
    18:21:21.640860 IP 60.214.139.196.34485 > 69.194.237.35.domain: 34195+ [1au] ANY? 36088.info. (51)
    18:21:21.641286 IP 69.194.237.35.domain > 60.214.139.196.34485: 34195- 0/13/1 (250)
    18:21:21.641588 IP 69.194.235.228.domain > 60.214.139.199.29641: 55711- 0/13/1 (250)
    18:21:21.643435 IP 186.2.167.72.nicname > 69.194.237.41.domain: 23437+ [1au] ANY? 36088.info. (51)

    15 packets captured
    794621 packets received by filter
    794465 packets dropped by kernel



  • 3.  RE: Juniper EX4200 Firewall Filtering not working?

    Posted 10-13-2013 05:22

    Andrew,
    you are applying your filter to a layer 3 interface.  So you need to create the filter as "family inet" instead of "family ethernet-switching."



  • 4.  RE: Juniper EX4200 Firewall Filtering not working?
    Best Answer

    Posted 10-13-2013 14:07

    If you want to block traffic "from" these IPs going into the vlan, then you need to apply the filter as an output filter to the vlan interface.



  • 5.  RE: Juniper EX4200 Firewall Filtering not working?

    Posted 10-14-2013 17:24

    Hello Everyone,
    Thank you for your responses, and thanks to the moderator who moved this thread to the correct sub-forum >_<


  • 6.  RE: Juniper EX4200 Firewall Filtering not working?

    Posted 10-14-2013 15:15

    Is VLAN unit 231 the external interface coming into the switch? The EX4200 does not support filter output commands; therefore, if you are trying to protect from external IPs, you would have to assign this to your external-facing RVI as an input filter, to block the traffic as it enters the switch before it hits the RVI you are trying to protect.

    HTH  
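    To make the direction point in the replies above concrete (an input filter on vlan.231 evaluates traffic leaving that VLAN, so the traffic headed into it must be dropped on the RVI it enters on), here is an added example that is not part of this thread: a small Python model of the two discard terms from posts 1 and 2, evaluated over a constructed capture. The VLAN range, the RFC 5737 addresses and the two attachment-point rules are assumptions for illustration, not output from an EX4200.

```python
"""Which packets a stateless Junos filter on an RVI actually evaluates, and
why an input filter on vlan.231 never sees traffic headed INTO vlan 231."""
import ipaddress
import re

# Constructed tcpdump-style lines; RFC 5737 documentation addresses stand in
# for the real sources and resolvers quoted in the thread.
SAMPLE_CAPTURE = """\
22:17:30.921036 IP 203.0.113.10.57068 > 198.51.100.111.domain: 44276+ [1au] ANY? example.info. (51)
22:17:30.923000 IP 203.0.113.20.32393 > 198.51.100.119.domain: 39391+ [1au] ANY? example.info. (51)
22:17:30.924021 IP 198.51.100.5.44081 > 192.0.2.53.domain: 32096+ PTR? 5.100.51.198.in-addr.arpa. (44)
22:17:30.925686 IP 198.51.100.119.domain > 203.0.113.20.32393: 39391- 0/13/1 (250)
"""
VLAN231 = ipaddress.ip_network("198.51.100.0/24")  # assumed hosts behind vlan.231
BLOCKED = [ipaddress.ip_network(n) for n in ("203.0.113.10/32", "203.0.113.20/32")]
LINE_RE = re.compile(r" IP (\S+)\.(\S+) > (\S+)\.(\S+):")

def _port(tok):
    return 53 if tok == "domain" else int(tok)

def parse_capture(text):
    """Turn tcpdump lines into (src, sport, dst, dport) tuples."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            src, sport, dst, dport = m.groups()
            pkts.append((ipaddress.ip_address(src), _port(sport),
                         ipaddress.ip_address(dst), _port(dport)))
    return pkts

# The thread's two discard terms as predicates over a packet tuple.
def block_sources(pkt):   # post 1: from source-address <list>; then discard
    return any(pkt[0] in net for net in BLOCKED)

def block_udp_53(pkt):    # post 2: from destination-port 53; then discard
    return pkt[3] == 53

# Attachment points. An input filter on an RVI evaluates packets arriving
# from that VLAN; with no output filters (post 6) the only place to drop
# traffic heading into vlan 231 is input on the RVI it enters the switch on.
def input_on_vlan231(pkt):
    return pkt[0] in VLAN231

def input_on_external_rvi(pkt):
    return pkt[0] not in VLAN231

def discarded(capture, attach_point, term):
    """Packets the filter both evaluates and matches with 'then discard'."""
    return [p for p in parse_capture(capture) if attach_point(p) and term(p)]
```

    Running the post 2 term as input on vlan.231 matches only the VLAN's own outbound PTR query (which is why the counter climbs while the attack continues); the same source list as input on the external RVI matches exactly the two attacker packets.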



  • 7.  RE: Juniper EX4200 Firewall Filtering not working?

    Posted 10-14-2013 01:49

    Try applying the filter on the L3 interface, something like this:

    set interfaces vlan.231 family inet filter input broncos