SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Scripting a policy rule remotely

    Posted 07-21-2012 00:09

    Currently we have a Linux box running as a transparent firewall. If we want to block some host, we can do something like

      ssh -i some.key root@firewall "iptables -I INPUT -s bad.example.com -j DROP"

    from any host with appropriate SSH key authentication.

    We have purchased an SRX 3400 and would like to do the same thing. I can execute a shell or cli command like that but I can't see how to insert a configuration rule and commit it. (Committing rules seems a bit slow, incidentally)

    Is there a simple way to do this, or do I need to run the SLAX API? If so, how would I do the above one-line operation?



  • 2.  RE: Scripting a policy rule remotely

    Posted 07-21-2012 11:46

    Hi,

    Here is a sample op script to add a firewall filter that blocks all traffic from a specific source address coming in on a specified interface. For this script you need to give two inputs: the host IP address and the incoming interface.

    Sample output (block is the op script name; host and interface are the arguments):

    [edit]
    lab@host1-a# run op block ?
    Possible completions:
      <[Enter]>            Execute this command
      <name>               Argument name
      detail               Display detailed output
      host                 Enter the host ip address 
      interface            Enter the interface
      |                    Pipe through a command
    [edit]
    lab@host1-a# run op block host 11.22.33.44 interface fe-0/0/2 
    
    [edit]
    lab@host1-a# run show configuration firewall 
    family inet {
        filter block {
            term badhosts {
                from {
                    source-address {
                        1.2.3.4/32;
                        4.3.2.1/32;
                        8.9.1.2/32;
                        11.22.33.44/32;
                    }
                }
                then {
                    reject;
                }
            }
            term others {
                then accept;
            }
        }
    }
    
    [edit]
    lab@host1-a# run show configuration interfaces fe-0/0/2 
    unit 0 {
        family inet {
            filter {
                input block;
            }
        }
    }

     Hope this helps!

    Attachment(s): block.txt (1 KB)


  • 3.  RE: Scripting a policy rule remotely

    Posted 07-23-2012 20:29

    Thank you - that looks very much like what I want. Although from my limited experience and just having taken the Junos Security course lab, I kind of expected security policies, not "firewall" entries.

    A follow-up question: how can I delete a rule having entered it?

    I can see how to do it in configuration mode with "delete" cf. "set" to create a rule, but I don't understand the scripting language well enough (if at all).

    Andrew



  • 4.  RE: Scripting a policy rule remotely
    Best Answer

    Posted 07-23-2012 22:24

    Hi,

    If our objective is to drop a packet, it is efficient to do it at the stateless firewall filters themselves (i.e. in the initial stages of packet processing), rather than denying it at security policies (stateful inspection). Also, for achieving our objective we need more inputs like context (from-zone, to-zone, src-ip, dst-ip, application), all of which are mandatory for a security policy.

    Coming to deletion of hosts from the firewall filter, I have prepared one more op script.

     

    pradeep@srx> show configuration firewall family inet filter block
    term badhosts {
        from {
            source-address {
                5.6.7.8/32;
                1.2.3.4/32;
            }
        }
        then {
            reject;
        }
    }
    term others {
        then accept;
    }
    
    
    pradeep@srx> op remove ?
    Possible completions:
      <[Enter]>            Execute this command
      <name>               Argument name
      detail               Display detailed output
      host                 Enter the host ip address to be removed from the blocklist
      |                    Pipe through a command
    
    pradeep@srx> op remove host 5.6.7.8
    
    
    pradeep@srx> show configuration firewall family inet filter block
    term badhosts {
        from {
            source-address {
                1.2.3.4/32;
            }
        }
        then {
            reject;
        }
    }
    term others {
        then accept;
    }
    
    

     For more info on SLAX scripts, you can refer to the Day One Guides on Junos Automation (http://www.juniper.net/us/en/community/junos/script-automation/); check the Recommended Reading section there.

    Hope this helps!

    Attachment(s): remove.txt (931 B)
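Neither attachment (block.txt, remove.txt) is reproduced in the thread, so the op script below is an added example of my own, not Pradeep's script, that covers both the add operation from reply 2 and the remove operation from reply 4 in one file. It keeps the filter name `block` and term name `badhosts` from the sample output, assumes the filter is already applied as `input` on the interface (as reply 2 shows), and uses a file name `blocklist.slax` and argument names `host` and `action` that are this example's choice. The one thing it adds beyond the thread is a check before a removal: a Junos term whose `from` clause becomes empty matches every packet, so deleting the last address from `badhosts` would turn the filter into reject-all on that interface, and the script refuses to do that.

```slax
version 1.0;

ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";

import "../import/junos.xsl";

/* Arguments listed by "op blocklist ?" (argument names are this example's choice) */
var $arguments = {
    <argument> {
        <name> "host";
        <description> "Host IP address to add to or remove from the blocklist";
    }
    <argument> {
        <name> "action";
        <description> "add (default) or remove";
    }
}

param $host;
param $action = "add";

/* Filter and term names as in the thread's sample output */
var $filter-name = "block";
var $term-name = "badhosts";

match / {
    <op-script-results> {
        if (not($host)) {
            <xnm:error> { <message> "missing mandatory argument: host"; }
        } else if ($action != "add" && $action != "remove") {
            <xnm:error> { <message> "action must be add or remove"; }
        } else {
            var $prefix = $host _ "/32";
            var $conn = jcs:open();

            /* Read the committed filter so a removal can be checked before it is applied */
            var $rpc = <get-configuration database="committed"> {
                <configuration> {
                    <firewall> { <family> { <inet> { <filter> { <name> $filter-name; } } } }
                }
            };
            var $current = jcs:execute($conn, $rpc);
            var $addrs = $current//filter[name == $filter-name]/term[name == $term-name]/from/source-address/name;

            if ($action == "remove" && count($addrs[. == $prefix]) == 0) {
                <output> $prefix _ " is not in the blocklist; nothing to do";
            } else if ($action == "remove" && count($addrs) == 1) {
                /* A term with no from clause matches everything, so removing the
                   last address would make "reject" apply to all traffic on the interface */
                <xnm:error> { <message> "refusing to remove the last address in term " _ $term-name; }
            } else {
                var $change = {
                    <configuration> {
                        <firewall> { <family> { <inet> {
                            <filter> {
                                <name> $filter-name;
                                <term> {
                                    <name> $term-name;
                                    <from> {
                                        if ($action == "remove") {
                                            /* delete="delete" is the XML form of the CLI "delete ..." */
                                            <source-address delete="delete"> { <name> $prefix; }
                                        } else {
                                            <source-address> { <name> $prefix; }
                                        }
                                    }
                                    /* Keep the reject action so a first run creates a complete term */
                                    <then> { <reject>; }
                                }
                            }
                        } } }
                    }
                }
                /* Load (merge) the change and commit it on the box itself */
                var $results := {
                    call jcs:load-configuration($connection = $conn, $configuration = $change);
                }
                if ($results//xnm:error) {
                    <xnm:error> { <message> "commit failed: " _ $results//xnm:error/message; }
                } else {
                    <output> $action _ " " _ $prefix _ " in filter " _ $filter-name _ " term " _ $term-name _ ": committed";
                }
            }
            expr jcs:close($conn);
        }
    }
}
```

To use it, copy the file to /var/db/scripts/op/ on the SRX and enable it with `set system scripts op file blocklist.slax` (then commit). After that the one-liner the original question asked for is `ssh user@srx "op blocklist host 11.22.33.44"` to block a host and `ssh user@srx "op blocklist host 11.22.33.44 action remove"` to unblock it; each call does one merge-and-commit on the box, so the commit time Andrew noticed is paid once per call.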