Routing


Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.

Firewall Filters confusion on MX480

  • 1.  Firewall Filters confusion on MX480

    Posted 04-08-2015 14:56

    Wondering if any of you fine folks could help me with this. I want to create a firewall filter and attach it to the Internet Edge of an IRB interface. Below is the syntax. I'm running 12.3R6.6 if it matters.

     

    The filter does 2 simple things. Allows traffic in from two source networks (term 100), and allows ping from behind the router out to the Internet (term 101).

     

    I apply the 'set family inet filter input Internet-Filter' to the interface.

     

    The weird thing is term 100 works, term 101 does. I tried attaching it to the output queue. I've tried splitting them up into an input and an output filter. I've tried a lot of things. It almost seems like it only takes the first term in the filter. If I remove the filters everything works in all directions, which is bad. Please, help your fellow nerd.

     

     

    filter Internet-Filter {
        term 100 {
            from {
                source-address {
                    8.8.0.0/16;
                    4.4.0.0/16;
                }
                destination-address {
                    1XX.XX.50.131/32;
                    1XX.XX.50.130/32;
                }
                protocol tcp;
                destination-port [ 8080-8085 ];
            }
            then accept;
        }
        term 101 {
            from {
                source-address {
                    1XX.XX.50.0/24;
                }
                destination-address {
                    0.0.0.0/0;
                }
                protocol icmp;
            }
            then accept;
        }
    }



  • 2.  RE: Firewall Filters confusion on MX480

     
    Posted 04-08-2015 17:16

    Can you provide the physical interface configuration, as well as the IRB?  The term criteria are somewhat contradictory - it looks like you have your "local" addresses set as the destination addresses in term 100, but they are the source addresses in term 101.  If your IRB is your public-facing network, then term 100 would work for traffic inbound to the IRB because the filter is applied from the perspective of the "wire" or physical interface.  Your 1xx.xx.50.0/24 traffic would actually be coming from another interface on the router, so the second term would never match.  It would be better to set that term on a filter on the ingress of the interface(s) attached to the 1xx.xx.50.0/24 network(s).



  • 3.  RE: Firewall Filters confusion on MX480

    Posted 04-08-2015 18:31
    I appreciate the response. The physical external interface is actually a 100 Gbps trunk going to our ISP. Working with the ISP we tagged a subinterface to be et-5/1/0:4. You are correct, term 100 is the inbound traffic from the internet to our internal resources. Term 101 is to allow those same internal networks out to the internet. I wouldn't do 101 at all but when I apply the inbound, outbound traffic ceases to work. I would have applied filters to the L2 interfaces but was confused on how to do it in the MX. These bridge interfaces are odd and different from the QFXs.

    Thanks again.


  • 4.  RE: Firewall Filters confusion on MX480

     
    Posted 04-09-2015 03:01

    When applied, the filter will stop all traffic coming back into the router via that interface because the filter is stateless.  As such, it will block everything not explicitly allowed in the filter.  If you want to be able to ONLY allow ping responses to devices behind the router, then you should construct the filter like this:

     

    filter Internet-Filter {
    	term 100 {
    		from {
    			source-address {
    				8.8.0.0/16;
    				4.4.0.0/16;
    			}
    			destination-address {
    				1XX.XX.50.131/32;
    				1XX.XX.50.130/32;
    			}
    			protocol tcp;
    			destination-port [ 8080-8085 ];
    		}
    		then accept;  
    	}
    	term 101 {
    		from {
    			source-address {
    				0.0.0.0/0;
    			}
    			destination-address {
    				1xx.xx.50.0/24;
    			}
    			protocol icmp;
    			icmp-type echo-reply;
    		}
    		then accept;
    	}
    }

    Again, this will block everything except inbound TCP to ports 8080-8085 and inbound echo responses, which may or may not be exactly what you want, but it's what you described.  

     

    Firewall filters are stateless and similar in function to a Cisco ACL. If it's not defined, it's not getting through:

     

    http://www.juniper.net/techpubs/en_US/junos13.3/information-products/pathway-pages/config-guide-firewall-filter/config-guide-firewall-filter.html



  • 5.  RE: Firewall Filters confusion on MX480

    Posted 04-09-2015 05:02

    Ok but here is what I don't get about that statement. Take the below config. Source of some address on the Internet, passing through my router hitting an internal IP on TCP 8080. This config works. I can telnet in on port 8080. If these filters are truly stateless then response traffic would be blocked but it's not. Connections are made back to the random source ports. That's why I don't get, for term 101, why I can't just do source of internal networks, destination 0.0.0.0/0 then accept.

     

     term 100 {
                from {
                    source-address {
                        1XX.XX.0.0/16;
                    }
                    destination-address {
                        1XX.XX.XX.194/32;
                    }
                    protocol tcp;
                    destination-port 8080;
                }
                then accept;
            }



  • 6.  RE: Firewall Filters confusion on MX480

     
    Posted 04-09-2015 05:48

    But you are applying this to the input of the irb, not the output.  This is a one-way filter.  The SYN-ACK and subsequent TCP responses from your local network don't even touch this filter.

     

    In order to filter *that* traffic, you would create that term 101 in a different filter and apply it to the output direction of the IRB interface.  The problem is, if you just create term 101, then your return, or tcp-established traffic will stop working.  You will need to include a 'from tcp-established then accept' term in order to allow that all to work.  Again, this is a very simplistic filter that will block all traffic except for what is defined in term 101 and in the 'tcp-established' term.

     

    You need to decide whether you want an inclusive filter or exclusive filter. I'm not sure what type of network you run, but your users' traffic profiles would really decide which type of filter you should construct in each direction.  My network uses both types, inclusive on egress and exclusive on ingress.



  • 7.  RE: Firewall Filters confusion on MX480

    Posted 04-09-2015 07:28

    Thanks again, not sure why this is giving me so much trouble (this is why I deal with stateful firewalls, not routers) but I appreciate your help.

     

    All I want is to filter inbound to the network to specific hosts and protocols and allow everything out.

     

    It occurs to me that the traffic is being filtered twice, when it enters the router interface and when it leaves the router interface. I really only need to filter this in one place so my thought is I'll essentially permit all on the Outbound ACL and do my restrictions on the inbound. Still doesn't seem to work.

     

        filter Internet-Filter-Outbound {
            term 100 {
                from {
                    source-address {
                        1XX.XX.50.0/24;
                    }
                    destination-address {
                        0.0.0.0/0;
                    }
                }
                then accept;
            }
            term 110 {
                from {
                    source-address {
                        0.0.0.0/0;
                    }
                    destination-address {
                        1XX.XX.50/24;
                    }
                }
                then accept;
            }
        }

     

     



  • 8.  RE: Firewall Filters confusion on MX480

     
    Posted 04-09-2015 07:38

    I could be wrong, but what I think you are missing here is that a filter is applied on traffic coming IN or traffic going OUT.  You can't reliably filter bi-directional traffic in one filter.

     

    In order to filter traffic on ingress, you apply the filter on input:

     

    set interfaces irb unit X family inet filter input MY-INPUT-FILTER

    To filter outbound traffic, you apply the filter on output:

     

    set interfaces irb unit X family inet filter output MY-OUTPUT-FILTER

     

     



  • 9.  RE: Firewall Filters confusion on MX480
    Best Answer

     
    Posted 04-09-2015 07:47

    In other words, say I want to allow only HTTP, SSH, and ping requests into my network, this is how I might construct my filter:

     

    firewall {
        family inet {
            filter inbound-filter {
                term t1 {
                    from {
                        protocol tcp;
                        destination-port [ 80 22 ];
                        destination-address 192.168.1.0/24;
                    }
                    then accept;
                }
                term t2 {
                    from {
                        protocol icmp;
                        icmp-type echo-request;
                    }
                    then accept;
                }
                term t3 {
                    from {
                        tcp-established;
                    }
                    then accept;
                }
            }
        }
    }
    interfaces {
        irb {
            unit 0 {
                family inet {
                    address 100.100.200.1/30;
                    filter {
                        input inbound-filter;
                    }
                }
            }
        }
    }

     



  • 10.  RE: Firewall Filters confusion on MX480

    Posted 04-09-2015 09:18

    Thanks again. In your example, let's say you also wanted to allow internal hosts to access the Internet as well on HTTP/HTTPS?



  • 11.  RE: Firewall Filters confusion on MX480

     
    Posted 04-09-2015 09:35

    I would strongly, strongly suggest that you read through the documentation regarding M/MX firewall filters:

     

    http://www.juniper.net/techpubs/en_US/junos14.2/topics/concept/firewall-filter-stateless-overview.html

     

    Even better, try the excellent (free!) Day One book:

     

    http://www.juniper.net/us/en/training/jnbooks/day-one/fundamentals-series/configuring-junos-policies/

     

    The filter I provided is merely an example.  In the real world, it's highly unlikely that filter would do everything you need.  Keep in mind that because the filter is stateless, UDP traffic would be blocked upon ingress which would prevent internet browsing because DNS responses would be dropped on their way back in to your network.  You would need to make sure that all traffic that you want to allow is allowed.  Unfortunately, I can't really tell you all the terms that need to be configured because I don't know your network.

     

    There is nothing in the filter that is technically preventing an internal host from accessing the internet because, again, the filter is being applied on the input of the interface.  Think of the filter application like a one-way border checkpoint where the guard only cares about what you are bringing in and not what is leaving.  That filter is doing the same thing, since there is no corresponding output filter applied to the interface.



  • 12.  RE: Firewall Filters confusion on MX480

    Posted 04-09-2015 10:32

    Thank you EVT,

     

    For documentation sake, in case anyone else is in the same boat, see the below summary:

     

    I ended up creating and applying an input filter to my irb interface.

     

    irb {
        unit 4 {
            enable;
            family inet {
                filter {
                    input Internet-Filter-Inbound;
                }
                address xx.xx.xx.xx/31;
            }
        }
    }

     

    The goal was to create a basic filter that permits some traffic in from external networks and also response traffic to my internal Internet requests. EVT's comment about UDP is what caused me to realize my DNS request replies weren't getting in. UDP being connectionless makes it impossible to allow only udp-established connections back in.

     

    In the below example 8.8.0.0 and 8.4.0.0 are the sample external networks I needed to allow internally to TCP 9090.

     

     

    filter Internet-Filter-Inbound {
        term 100 {
            from {
                source-address {
                    8.8.0.0/16;
                    8.4.0.0/16;
                }
                destination-address {
                    1XX.XX.XXX.194/32;
                    1XX.XX.XXX.130/32;
                }
                protocol tcp;
                destination-port 9090;
            }
            then accept;
        }
        term 110 {
            from {
                destination-address {
                    1XX.XX.XXX.0/24;
                }
                protocol tcp;
                tcp-established;
            }
            then accept;
        }
        term 120 {
            from {
                destination-address {
                    1XX.XX.XXX.0/24;
                }
                protocol udp;
            }
            then accept;
        }
        term 130 {
            from {
                destination-address {
                    1XX.XX.XXX.0/24;
                }
                protocol icmp;
                icmp-type echo-reply;
            }
            then accept;
        }
    }
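As an added illustration that is not part of the thread, the Python below models the stateless, first-match evaluation the replies describe (implicit discard at the end, tcp-established as a pure flag check, no UDP state) using terms shaped like the final Internet-Filter-Inbound. The addresses are constructed documentation prefixes standing in for the redacted 1XX.XX.XXX ones, and the packets are constructed samples as they would arrive on the irb input.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Packet:                       # one IPv4 packet arriving on the irb "input" side
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flag names, e.g. {"syn", "ack"}
    icmp_type: str = ""

@dataclass
class Term:                         # one Junos-style term; an empty field means "any"
    name: str
    src: list = field(default_factory=list)     # source-address prefixes
    dst: list = field(default_factory=list)     # destination-address prefixes
    proto: str = ""
    dports: list = field(default_factory=list)  # destination-port ranges (lo, hi)
    tcp_established: bool = False               # Junos tcp-established == tcp-flags "(ack | rst)"
    icmp_type: str = ""
    action: str = "accept"

def in_any(addr, prefixes):
    return not prefixes or any(ipaddress.ip_address(addr) in ipaddress.ip_network(p) for p in prefixes)

def term_matches(t, p):
    # Every configured "from" condition must match; no connection table is consulted.
    return (in_any(p.src, t.src) and in_any(p.dst, t.dst)
            and (not t.proto or p.proto == t.proto)
            and (not t.dports or any(lo <= p.dport <= hi for lo, hi in t.dports))
            and (not t.tcp_established or (p.proto == "tcp" and bool(p.flags & {"ack", "rst"})))
            and (not t.icmp_type or p.icmp_type == t.icmp_type))

def evaluate(terms, p):
    """First matching term wins; a packet matching no term hits the implicit discard."""
    return next((t.action for t in terms if term_matches(t, p)), "discard")

INTERNAL = "198.51.100.0/24"  # constructed stand-in for the thread's redacted 1XX.XX.XXX.0/24
INBOUND = [  # same shape as terms 100-130 of Internet-Filter-Inbound in the last post
    Term("100", src=["8.8.0.0/16", "8.4.0.0/16"], dst=["198.51.100.194/32"], proto="tcp", dports=[(9090, 9090)]),
    Term("110", dst=[INTERNAL], proto="tcp", tcp_established=True),
    Term("120", dst=[INTERNAL], proto="udp"),
    Term("130", dst=[INTERNAL], proto="icmp", icmp_type="echo-reply"),
]
SAMPLES = {  # constructed packets, all travelling Internet -> router on the irb input
    "new tcp 9090 from allowed net": Packet("8.8.4.4", "198.51.100.194", "tcp", 9090, frozenset({"syn"})),
    "syn-ack for internal https client": Packet("203.0.113.7", "198.51.100.10", "tcp", 51000, frozenset({"syn", "ack"})),
    "new syn to internal ssh": Packet("203.0.113.7", "198.51.100.10", "tcp", 22, frozenset({"syn"})),
    "dns reply to internal resolver": Packet("8.8.8.8", "198.51.100.10", "udp", 53000),
    "ping request from internet": Packet("203.0.113.7", "198.51.100.10", "icmp", icmp_type="echo-request"),
    "ping reply to internal host": Packet("203.0.113.7", "198.51.100.10", "icmp", icmp_type="echo-reply"),
}

def verdicts(terms=INBOUND):
    return {name: evaluate(terms, p) for name, p in SAMPLES.items()}
```

Dropping term 120 from `INBOUND` turns the DNS reply verdict into `discard`, which is exactly the symptom the original poster hit before adding the UDP term.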