Junos
Visitor
Posts: 2
Registered: ‎05-09-2017
0 Kudos

Help with implementing simple firewall filters

Hi,

I'm a senior system administrator with minor knowledge in administering a Juniper Router (M7i, JUNOS 11.2R2.4) and I want to implement a basic stateless firewall filter within the router.

I searched through the documentation and got a working solution, but I assume my solution is not as easy as it could be and I do not understand why another easier variant of my solution does not work.

The task: Block Intel AMT Access from outside

a) AMT-Ports: 623, 664, 16992-16995
b) TRUSTED_NETWORK: Prefix for my trusted network; access is allowed
c) TRUSTED_NETWORK should be allowed to AMT-Ports, all others should be rejected
d) Configuration Base is: [edit firewall family inet filter filter_amt]


Solution 1 (Working)

term 1 {
    from {
        source-prefix-list {
            TRUSTED_NETWORKS;
        }
        destination-port [ 16992 16993 16994 16995 664 623 ];
    }
    then {
        count amt_allow_to;
        accept;
    }
}
term 2 {
    from {
        destination-prefix-list {
            TRUSTED_NETWORKS;
        }
        source-port [ 16992 16993 16994 16995 623 664 ];
    }
    then {
        count amt_allow_from;
        accept;
    }
}
term 3 {
    from {
        port [ 16992 16993 16994 16995 623 664 ];
    }
    then {
        count amt_reject;
        reject;
    }
}
term 4 {
    then accept;
}

Solution 2 (Not Working)

term 1 {
    from {
        source-prefix-list {
            TRUSTED_NETWORKS;
        }
        destination-port [ 16992 16993 16994 16995 664 623 ];
    }
    then {
        count amt_allow;
        accept;
    }
}
term 2 {
    from {
        destination-port [ 16992 16993 16994 16995 623 664 ];
    }
    then {
        count amt_reject;
        reject;
    }
}
term 3 {
    then accept;
}

Do you have any hint why the second solution does not work, or any tip on how to implement the rule in a better (less work for the router) way?

Thanks for all comments.


Contributor
Posts: 55
Registered: ‎06-16-2016
0 Kudos

Re: Help with implementing simple firewall filters

Your term 2 allows for return traffic like a SYN ACK coming from a remote device on a three-way handshake. On your term 2, I would add "from tcp-established" to limit the return traffic to segments containing the ACK or RST flag.
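To make the effect of that refinement concrete, here is an added simulation (not part of the thread or of Junos) of Solution 1 from the original post as a first-match term list, with term 2 optionally narrowed by tcp-established as suggested in this reply. The trusted prefix and the sample packets are constructed values; Junos "port" matches either source or destination port, and "tcp-established" matches TCP segments with ACK or RST set.

```python
# Simulates Solution 1 as a stateless, first-match filter (Junos semantics).
# Prefix list and packets are constructed sample data, not from the thread.
import ipaddress

TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]   # constructed
AMT_PORTS = {623, 664, 16992, 16993, 16994, 16995}          # from the post

def packet(src, sport, dst, dport, *flags):
    return {"proto": "tcp", "src": src, "sport": sport,
            "dst": dst, "dport": dport, "flags": frozenset(flags)}

def in_trusted(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_NETWORKS)

def tcp_established(pkt):
    # Junos "tcp-established": TCP segments carrying ACK or RST
    return pkt["proto"] == "tcp" and bool(pkt["flags"] & {"ack", "rst"})

def build_terms(require_established):
    """Solution 1; term 2 gains 'from tcp-established' when requested."""
    def term1(p):  # trusted source -> AMT port
        return in_trusted(p["src"]) and p["dport"] in AMT_PORTS
    def term2(p):  # AMT source port -> trusted destination (return traffic)
        return (in_trusted(p["dst"]) and p["sport"] in AMT_PORTS
                and (not require_established or tcp_established(p)))
    def term3(p):  # "port" matches source OR destination port
        return p["sport"] in AMT_PORTS or p["dport"] in AMT_PORTS
    return [(term1, "accept"), (term2, "accept"),
            (term3, "reject"), (lambda p: True, "accept")]

def evaluate(pkt, terms):
    for match, action in terms:   # first matching term decides
        if match(pkt):
            return action
    return "discard"              # implicit discard at end of a Junos filter

if __name__ == "__main__":
    samples = {
        "trusted host opens AMT session":   packet("192.0.2.10", 40000, "198.51.100.5", 16992, "syn"),
        "SYN/ACK reply to trusted host":    packet("198.51.100.5", 16992, "192.0.2.10", 40000, "syn", "ack"),
        "outside host to AMT port":         packet("203.0.113.7", 51000, "192.0.2.20", 16992, "syn"),
        "new connection from an AMT port":  packet("203.0.113.7", 16992, "192.0.2.20", 445, "syn"),
    }
    for name, pkt in samples.items():
        print(f"{name:34} plain={evaluate(pkt, build_terms(False)):7}"
              f" tcp-established={evaluate(pkt, build_terms(True))}")
```

Only the last sample differs between the two variants: without tcp-established, term 2 accepts any packet sourced from an AMT port toward the trusted prefix, while with it the SYN-only segment falls through to term 3 and is rejected.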

Visitor
Posts: 2
Registered: ‎05-09-2017
0 Kudos

Re: Help with implementing simple firewall filters

Thanks. That seems to increase security further.