Ethernet Switching
Regular Visitor
crouchingbadger
Posts: 12
Registered: ‎08-29-2011
0

Outbound SSH fails when ingress firewall filter applied to lo0

Hi all,

 

We have a standard Protect-RE firewall filter which we've used on our MX devices. These devices have an address on lo0.0. It works well.

 

We've tried to apply the same Protect-RE firewall filter to the EX switches, but these don't have an address on lo0.0. Instead, they have an address on vlan.0, which is an RVI in vlan 999.

 

Model: ex4200-24t
JUNOS Base OS boot [10.4R1.9]

 

 

interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input Protect-RE;
                }
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 10.251.29.5/24;
            }
        }
    }
}
vlans {
    vlan999 {
        vlan-id 999;
        l3-interface vlan.0;
    }
}
firewall {
    family inet {
        filter Protect-RE {
            term SSH {
                from {
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term Discard-Everything-Else {
                then {
                    count Discard-Everything-Else;
                    discard;
                }
            }
        }
    }
}

I don't think this is doing what we think it's doing.

 

My understanding was that all traffic destined for the RE is passed through the input filter on lo0.0 (despite it not having an address), so traffic destined for interface vlan.0 would also be processed by this.

 

We can ssh into the box using 10.251.29.5, but we cannot ssh out. I can't log the discards (not supported), but I can see Packets incrementing for the counter as we attempt an outbound session.

 

> show firewall counter filter Protect-RE Discard-Everything-Else

Filter: Protect-RE
Counters:
Name                                                Bytes              Packets
Discard-Everything-Else                             23496                  284

I'm guessing the return ssh packets are being discarded. 

 

Should we just apply the input filter to the RVI?

 

Thanks

Ben

Regular Visitor
crouchingbadger
Posts: 12
Registered: ‎08-29-2011
0

Re: Outbound SSH fails when ingress firewall filter applied to lo0


I seem to be making a habit of replying to myself, but you have to stop clicking near-identical links and press send at some point :-)  I post this link for future civilisations so that they may find the answer more easily.

 

I just found this guide: "Deploying Fixed Configuration and Chassis-Based EX Series Ethernet Switches in Campus LANs": 

 

http://www.juniper.net/us/en/local/pdf/implementation-guides/8010021-en.pdf

 

On page 11, halfway down is a throwaway comment: "For devices that are using RVI as in-band management, apply the firewall filter on the RVI instead of lo0."  Which is the opposite advice to everything I've read to date about protecting an RE.

 

However, this still hasn't resolved the problem. I believe it could be to do with the SSH reply packets being addressed to a random high port.  This filter works for outgoing connections on an MX, so I'm still stuck.

 

Ben

Distinguished Expert
spuluka
Posts: 2,235
Registered: ‎03-30-2009
0

Re: Outbound SSH fails when ingress firewall filter applied to lo0

You need to make two adjustments in the filter.

 

The discard term should only discard traffic with the destination port of SSH not all traffic.

 

You need to add a term to then accept all other traffic.  Optionally you can list all the other protocols that the routing engine must be able to accept on the loopback. 

 

There is an example in the Junos tips forum with a longer explanation.

 

http://forums.juniper.net/t5/Day-One-Tips-Contest/Technique-Securing-routing-engine-for-out-of-band-...

Steve Puluka BSEET
Juniper Ambassador
Senior Network Engineer - UPMC Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC
JNCIS-FWV JNCIS-SSL
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7
http://puluka.com/home
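To show why the posted filter drops the replies to the switch's own outbound SSH sessions, and why the two adjustments above fix it, here is a small stateless model of Junos term matching (first match wins, implicit discard at the end). It is an added example, not code from this thread or from Juniper; the mgmt-net prefix, the sample packets and the term names of the corrected filter are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed values: the switch's RVI address is from the thread; the
# management prefix (mgmt-net) is an assumption standing in for the real one.
SWITCH_ADDR = "10.251.29.5"
MGMT_NET = ip_network("10.251.29.0/24")  # assumption

def term_matches(term, pkt):
    """All 'from' conditions of a term must hold (Junos ANDs them)."""
    cond = term["from"]
    if "dst_port" in cond and pkt["dst_port"] != cond["dst_port"]:
        return False
    if "src_net" in cond and ip_address(pkt["src"]) not in cond["src_net"]:
        return False
    return True

def evaluate(filt, pkt):
    """First matching term decides; an unmatched packet hits the implicit discard."""
    for term in filt:
        if term_matches(term, pkt):
            return term["then"]
    return "discard"

# Filter as posted: accept SSH to the RE, then discard everything else.
ORIGINAL = [
    {"name": "SSH", "from": {"dst_port": 22}, "then": "accept"},
    {"name": "Discard-Everything-Else", "from": {}, "then": "discard"},
]

# Filter following the advice in the reply: discard only unwanted SSH
# (here SSH from outside mgmt-net) and explicitly accept the rest, so the
# replies to sessions the switch itself opens are no longer dropped.
CORRECTED = [
    {"name": "SSH-from-mgmt", "from": {"dst_port": 22, "src_net": MGMT_NET}, "then": "accept"},
    {"name": "Discard-other-SSH", "from": {"dst_port": 22}, "then": "discard"},
    {"name": "Accept-everything-else", "from": {}, "then": "accept"},
]

# Constructed packets as seen by the lo0 input filter (inbound to the RE only).
SSH_FROM_MGMT = {"src": "10.251.29.10", "dst": SWITCH_ADDR, "dst_port": 22}
SSH_FROM_ELSEWHERE = {"src": "192.0.2.77", "dst": SWITCH_ADDR, "dst_port": 22}
# Reply to an SSH session the switch opened: source port 22, high destination port.
SSH_REPLY = {"src": "10.251.29.20", "dst": SWITCH_ADDR, "src_port": 22, "dst_port": 45212}

def verdicts(filt):
    """Run the three sample packets through a filter and collect the actions."""
    return {name: evaluate(filt, pkt) for name, pkt in
            [("ssh_from_mgmt", SSH_FROM_MGMT), ("ssh_from_elsewhere", SSH_FROM_ELSEWHERE),
             ("ssh_reply", SSH_REPLY)]}
```

`verdicts(ORIGINAL)` discards the reply packet, which is the traffic incrementing the Discard-Everything-Else counter in the original post, while `verdicts(CORRECTED)` accepts it and still discards SSH from outside the management prefix.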
Regular Visitor
crouchingbadger
Posts: 12
Registered: ‎08-29-2011
0

Re: Outbound SSH fails when ingress firewall filter applied to lo0

Thanks Steve,

 

I just haven't had time to try this out yet, but what you're saying makes sense.  The full firewall filter we use was left out for illustration, but it doesn't contain anything that would help here.

 

I'll have a go soon and give feedback, but just thought I'd thank you for replying.

 

Ben

Contributor
sumo
Posts: 13
Registered: ‎11-08-2011
0

Re: Outbound SSH fails when ingress firewall filter applied to lo0

Hi guys!

I also have the same problem on a mixed EX4200/4500 VC (11.4R2.14). My config:

 

set firewall family inet filter Protect-RE term allow-ssh from source-prefix-list mgmt-net
set firewall family inet filter Protect-RE term allow-ssh from source-prefix-list archive
set firewall family inet filter Protect-RE term allow-ssh from destination-prefix-list lo0
set firewall family inet filter Protect-RE term allow-ssh from destination-prefix-list vme
set firewall family inet filter Protect-RE term allow-ssh from protocol tcp
set firewall family inet filter Protect-RE term allow-ssh from destination-port ssh
set firewall family inet filter Protect-RE term allow-ssh then accept


set firewall family inet filter Protect-RE term allow-snmp from source-prefix-list snmp
set firewall family inet filter Protect-RE term allow-snmp from destination-prefix-list lo0
set firewall family inet filter Protect-RE term allow-snmp from destination-prefix-list vme
set firewall family inet filter Protect-RE term allow-snmp from protocol udp
set firewall family inet filter Protect-RE term allow-snmp from destination-port 161
set firewall family inet filter Protect-RE term allow-snmp then accept


set firewall family inet filter Protect-RE term ssh-outbound from destination-port 1024-65535
set firewall family inet filter Protect-RE term ssh-outbound then accept

### Basically it doesn't matter what I set here, allow high ports, tcp-established etc.

### As soon as I try an outbound session on port 22 it hits the "deny-mgmt" below.


set firewall family inet filter Protect-RE term deny-mgmt from destination-port 22
set firewall family inet filter Protect-RE term deny-mgmt from destination-port 161
set firewall family inet filter Protect-RE term deny-mgmt then count DISCARD
set firewall family inet filter Protect-RE term deny-mgmt then discard

 

set firewall family inet filter Protect-RE term default-allow then accept

 

set interfaces lo0 unit 0 family inet filter input Protect-RE

 

--------

# run show firewall filter Protect-RE
Filter: Protect-RE
Counters:
Name                                                Bytes              Packets
DISCARD                                              1726                   20

 
