SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
Is it required to configure RE-protect on SRX even if I haven't configured an IP address on lo0?

Original poster: kronicklez
Best Answer: kronicklez, 08-20-2017 19:07

  • 1.  Is it required to configure RE-protect on SRX even if I haven't configured an IP address on lo0?

    Posted 08-16-2017 20:36

    Hi all,

    If my SRX has no IP address configured on interface lo0, do I still need to configure RE-protect to protect the RE? My SRX just uses static routes only.

    Thanks, and I appreciate any advice.



  • 2.  RE: Is it required to configure RE-protect on SRX even if I haven't configured an IP address on lo0?

    Posted 08-16-2017 20:55

    The RE protect filter is used to restrict traffic destined to the system, like OSPF, BGP, SSH, Telnet, FTP, etc. It is not only to restrict traffic destined for lo0, but overall traffic destined to the routing engine/control plane. Adding this filter won't create any performance issues (you need to make sure the filter is correctly configured).


  • 3.  RE: Is it required to configure RE-protect on SRX even if I haven't configured an IP address on lo0?

    Posted 08-17-2017 03:14

    Unless I am missing something, you won't need the RE protect filter on the SRX.

    You will be configuring your zones to have only the necessary protocols allowed, by zone and down to the interface, in host-inbound-traffic. With these in place, you have in effect the RE filter that we typically use on other Junos devices.



  • 4.  RE: Is it required to configure RE-protect on SRX even if I haven't configured an IP address on lo0?

    Posted 08-17-2017 05:36

    Hi all,

    If under host-inbound-traffic I configure only the system-service ping, but no IP address on lo0 (RE-protect not configured, since no IP address is configured), then how could someone do an ICMP flood / broadcast storm that makes the RE busy?

    As I understand it, if you want to do an ICMP flood or anything else, you need the IP address that you want to target?

    I appreciate anyone's feedback.



  • 5.  RE: Is it required to configure RE-protect on SRX even if I haven't configured an IP address on lo0?

    Posted 08-17-2017 06:25

    Hello,

    Last time I checked, on branch SRX kit the lo0 filter is executed last, after:

    1/ the interface input filter

    2/ the host-inbound-traffic config

    3/ the junos-host policy (if you have one).

    So, if you don't have (1) and you are flooded by a huge variety of ICMP flows (or UDP, or whatever), then your flow table is going to be under stress.

    So, I would recommend configuring a stateless interface input filter, rather than relying on the lo0 filter or stateful firewall capabilities to protect self.

    HTH

    Thx
    Alex



  • 6.  RE: Is it required to configure RE-protect on SRX even if I haven't configured an IP address on lo0?

    Posted 08-17-2017 06:43

    Hi Spuluka,

    So the config below should protect the RE from being too busy or stressed, right? Besides ICMP and UDP floods, is there anything else? Or is this already enough?

    {master}
    root@srx5800> show configuration firewall filter protect-RE
    term protect-icmp-flooding {
        from {
            protocol icmp;
            icmp-type [ echo-request echo-reply unreachable time-exceeded ];
        }
        then {
            policer small-bw-policer;
            accept;
        }
    }
    term protect-udp {
        from {
            protocol udp;
            destination-port 33434-33523;
        }
        then {
            policer small-bw-policer;
            accept;
        }
    }
    term all-traffic {
        then accept;
    }


    root@srx5800> show configuration firewall policer small-bw-policer
    if-exceeding {
        bandwidth-limit 1m;
        burst-size-limit 1500;
    }
    then discard;



  • 7.  RE: Is it required to configure RE-protect on SRX even if I haven't configured an IP address on lo0?

    Posted 08-18-2017 02:30

    Alex,

    "So, if You don't have (1) and You are flooded by huge variety of ICMP flows (or UDP, or whatever), then Your flow table is going to be under stress."

    I don't understand this. We are talking about self traffic here, traffic that has a destination of the SRX IP address(es). Why would a session be created for traffic that is denied by host-inbound-traffic or the junos-host policy?



  • 8.  RE: Is it required to configure RE-protect on SRX even if I haven't configured an IP address on lo0?

    Posted 08-19-2017 04:37

    Hello,

    For the flows that are denied by the host-inbound-traffic config or the junos-host policy, the packet lookup will be done anyway. So in this case the proper wording is "the flow module will be under stress".

    For the flows that are permitted by both (and if there is no junos-host policy in the config, it means "permit all"), the flow module and the flow table will both be under stress.

    One example is host-inbound NTP enabled on internet-facing zone ports to get sync from public servers. Once an NTP server is added to the JUNOS "system ntp" config stanza, the NTP client and NTP server are both enabled, and once the box is under an NTP reflection attack, the lo0 filter will be the last one to drop the attack traffic. The proper course of action would be to deny illegitimate inbound NTP much sooner, with an input interface filter.

    HTH

    Thanks
    Alex



  • 9.  RE: Is it required to configure RE-protect on SRX even if I haven't configured an IP address on lo0?

    Posted 08-20-2017 04:29

    Hi Alex,

    I'm trying to check whether my configuration has a security zone "junos-host", but it looks like it doesn't. So is it there by default but hidden?

    From your statement, does it mean I need to put a stateless firewall filter as the "input filter" on every interface if I don't have an IP address assigned on lo0?

    Thanks, and I appreciate your feedback.



  • 10.  RE: Is it required to configure RE-protect on SRX even if I haven't configured an IP address on lo0?

    Posted 08-20-2017 07:37

    Hi Alex,

    I read the URLs below, and it looks like if we have 50 security zones then we need to configure 50 security policies to zone junos-host, right? Using the junos-host security policy, I don't see how it can protect from "ICMP flooding" that can make the RE busy or stressed. As I understand it, the policer can only be bound into a firewall family inet filter and bound to an interface.

    1.) https://blog.perrin.net.nz/?p=139

    2.) https://kb.juniper.net/InfoCenter/index?page=content&id=KB24227

    Thanks, and I appreciate any advice.



  • 11.  RE: Is it required to configure RE-protect on SRX even if I haven't configured an IP address on lo0?

    Posted 08-20-2017 08:30

    By default, any traffic from junos-host to any zone is allowed. Also, traffic from any zone to junos-host is allowed. We use host-inbound-traffic to control traffic which goes to the RE. But host-inbound-traffic does not have an option to restrict the IP address from which traffic is sourced.

    If ping is enabled on an interface, then traffic can be sent from any IP address. So the best option is to use the RE protect filter, where you can specify which source addresses will be allowed.

    You can also use a security policy to restrict traffic to junos-host. You can use a global security policy, in which case one should be enough.

    Firewall filters are processed before policy, so it would be best to use filters, which can save PFE CPU.


  • 12.  RE: Is it required to configure RE-protect on SRX even if I haven't configured an IP address on lo0?

    Posted 08-20-2017 09:27

    Hi Arunsamy,

    So does the firewall filter need to be applied on lo0 only, or on all the interfaces bound into security zones? FYI, I have not configured any IP address on lo0.

    Thanks, and I appreciate your feedback.



  • 13.  RE: Is it required to configure RE-protect on SRX even if I haven't configured an IP address on lo0?

    Posted 08-20-2017 17:39

    In simple terms, lo0 is the RE interface, and the lo0 address can be reached from any physical interface. You need to apply the filter only on lo0, which will be applicable to all traffic destined to the RE from the physical interfaces.

    An IP address is not mandatory on lo0.
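    Pulling the thread's advice together (filter applied on lo0 even with no address there, post 13; allowed sources named explicitly, post 11; reflected NTP dropped before it reaches the RE, post 8), here is an added example configuration that is not from any poster in this thread. The addresses are constructed placeholders (192.0.2.0/24 for management hosts, 203.0.113.10 and .11 for the box's own NTP servers), and it assumes a static-route-only SRX as in the original question, so any other protocol the RE itself uses (DNS, syslog, routing protocols) needs its own accept term before deny-rest.

```junos
/* Added example, not from the thread. Constructed placeholder addresses:
   192.0.2.0/24 = management hosts, 203.0.113.10-11 = the box's NTP servers. */
firewall {
    policer small-bw-policer {
        if-exceeding { bandwidth-limit 1m; burst-size-limit 15k; }
        then discard;
    }
    family inet {
        filter protect-RE {
            /* pings to the RE only from management hosts, and rate-limited */
            term echo-from-mgmt {
                from {
                    source-address { 192.0.2.0/24; }
                    protocol icmp;
                    icmp-type echo-request;
                }
                then { policer small-bw-policer; accept; }
            }
            /* ICMP the RE needs for its own traffic, from anywhere but rate-limited */
            term icmp-replies {
                from { protocol icmp; icmp-type [ echo-reply unreachable time-exceeded ]; }
                then { policer small-bw-policer; accept; }
            }
            /* NTP only from the servers under "system ntp": reflected NTP
               from any other source is dropped before it reaches the RE */
            term ntp-from-servers {
                from {
                    source-address { 203.0.113.10/32; 203.0.113.11/32; }
                    protocol udp;
                    source-port ntp;
                }
                then accept;
            }
            /* management access; host-inbound-traffic must also allow ssh */
            term ssh-from-mgmt {
                from { source-address { 192.0.2.0/24; } protocol tcp; destination-port ssh; }
                then accept;
            }
            /* everything else destined to the RE is logged and dropped */
            term deny-rest {
                then { log; discard; }
            }
        }
    }
}
interfaces {
    /* lo0 needs no address for the filter to take effect */
    lo0 { unit 0 { family inet { filter { input protect-RE; } } } }
}
```

    If you follow Alex's advice and also apply terms like these as an input filter on a revenue interface, remember that such a filter sees transit traffic too, so it needs an explicit accept for transit before any deny-rest term.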


  • 14.  RE: Is it required to configure RE-protect on SRX even if I haven't configured an IP address on lo0?
    Best Answer

    Posted 08-20-2017 19:07

    Hi Arunsamy,

    Noted. Thanks for the confirmation.