Routing
Reply
cmp
New User
cmp
Posts: 1
Registered: ‎06-03-2012
0

Firewall policy not being applied

I am trying to setup a firewall rule to restrict SSHD access.  I've done this dozens of times before without any issue.  This is the first time I've tried it on 11.4 however.

 

Model: j2350
JUNOS Software Release [11.4R1.6]

 

Here's my rather simple firewall statement:

 

set firewall family inet filter RESTRICT-SSHD term PERMIT-SSHD from prefix-list OUR-PREFIXES
set firewall family inet filter RESTRICT-SSHD term PERMIT-SSHD from protocol tcp
set firewall family inet filter RESTRICT-SSHD term PERMIT-SSHD from port ssh
set firewall family inet filter RESTRICT-SSHD term PERMIT-SSHD then log
set firewall family inet filter RESTRICT-SSHD term PERMIT-SSHD then accept
set firewall family inet filter RESTRICT-SSHD term DENY-SSHD from protocol tcp
set firewall family inet filter RESTRICT-SSHD term DENY-SSHD from port ssh
set firewall family inet filter RESTRICT-SSHD term DENY-SSHD then log
set firewall family inet filter RESTRICT-SSHD term DENY-SSHD then reject
set firewall family inet filter RESTRICT-SSHD term default-term then accept

set interfaces lo0 unit 0 family inet filter input RESTRICT-SSHD
set interfaces lo0 unit 0 family inet address 127.0.0.1/32

 

Here's my security statements:

 

set security forwarding-options family inet6 mode packet-based
set security forwarding-options family mpls mode packet-based
set security forwarding-options family iso mode packet-based

 

I've setup a trace file.  The only thing showing is traffic hitting the pfe; nothing hitting the firewall.

 

Any input is appreciated.

 

Thanks!

Recognized Expert
mhariry
Posts: 338
Registered: ‎06-01-2011
0

Re: Firewall policy not being applied

Hi,

 

As nothing is hitting the box it might be due to prefix-list configuration problem. Try to remove the prefix-list statement just for testing and if it works so we have to review the prefix-list

 

Regards,

Mohamed

Regards,
Mohamed Elhariry
2* JNCIE (SEC # 159, SP # 1059),JNCIP-ENT

[Click the "Star" for Kudos if you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.