SRX Services Gateway
Trusted Contributor
evt
Posts: 179
Registered: 02-10-2008
Accepted Solution

Traffic making it past stateless filters

I'm trying to figure out why my SRX3600 is letting traffic pass by the stateless filters.  I've got one filter configured on my interface that's connected to the 'untrust' zone (in my case, the 'out-inet' zone):


    ge-0/0/11 {
        description r1:ge-0/1/2;
        enable;
        vlan-tagging;
        unit 1 {
            vlan-id 1;
            family inet {
                mtu 1500;
                filter {
                    input block-common;
                }
                address x.x.x.10/30;
            }
        }
    }

It's a simple filter:


        filter block-common {
            term 0-allow_local {
                from {                  
                    source-prefix-list {
                        ACCESS-common-subnets;
                    }
                }
                then accept;
            }
            term 10-block_common {
                from {
                    protocol udp;
                    destination-port [ 135 137 138 139 445 4444 1433-1434 ];
                }
                then {
                    count common-ports;
                    discard;
                }
            }
            term 20-block_tcp {
                from {
                    protocol tcp;
                }
                then {
                    count tcp-attempts;
                    discard;
                }
            }
            term 1000-implicit_allow {
                then accept;
            }
        }

One of the results of the filter above is that it's supposed to block all TCP traffic, except for that which is coming from IPs configured in my 'ACCESS-common-subnets' prefix-list.  The problem is, I'm still seeing TCP traffic hitting the 'screen' I've configured:


1 2012-08-09T13:54:45.745 fw1 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.34 attack-name="Port scan!" source-address="x.x.x.54" source-port="40829" destination-address="x.x.x.1" destination-port="22" source-zone-name="out-inet" interface-name="ge-0/0/11.1" action="drop"]

I've verified that the IP address is not listed in the prefix-list that has access to bypass this filter.  It's my understanding that the stateless filters are #3 in line for processing, which occurs before passing the packet on to the screen process.  Is there something I'm missing?


SRX details: 3600 in a cluster, running 11.2R7.4.
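An added example, not part of the thread: a small Python parser for RT_SCREEN_TCP structured-syslog lines in the layout quoted above, which checks each hit's source against the ACCESS-common-subnets prefix-list so the "this source is not in the prefix-list" check can be run over a whole log export rather than one line. The sample lines and the prefix-list contents are constructed for the example (documentation-range addresses), since the post does not give them.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample RT_SCREEN_TCP lines in the same layout as the one quoted
# above; addresses are documentation-range placeholders, not the poster's.
SAMPLE_LOGS = [
    '1 2012-08-09T13:54:45.745 fw1 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.34 '
    'attack-name="Port scan!" source-address="198.51.100.54" source-port="40829" '
    'destination-address="203.0.113.1" destination-port="22" '
    'source-zone-name="out-inet" interface-name="ge-0/0/11.1" action="drop"]',
    '1 2012-08-09T13:55:02.101 fw1 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.34 '
    'attack-name="SYN flood!" source-address="192.0.2.7" source-port="51234" '
    'destination-address="203.0.113.1" destination-port="443" '
    'source-zone-name="out-inet" interface-name="ge-0/0/11.1" action="drop"]',
]

# Assumed contents of the ACCESS-common-subnets prefix-list (not given in the post).
ACCESS_COMMON_SUBNETS = [ipaddress.ip_network("192.0.2.0/24")]

FIELD_RE = re.compile(r'([\w-]+)="([^"]*)"')


def parse_screen_log(line):
    """Return the structured-data fields of a Junos RT_SCREEN_* log line as a dict."""
    start, end = line.find("["), line.rfind("]")
    if start == -1 or end == -1:
        raise ValueError("no structured-data block in log line")
    fields = dict(FIELD_RE.findall(line[start + 1:end]))
    # RFC 5424 header: <version> <timestamp> <host> <app> <procid> <msgid> [sd]
    fields["event"] = line.split()[5]
    return fields


def in_prefix_list(addr, prefixes):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in prefixes)


def tcp_hits_bypassing_filter(lines, prefixes=ACCESS_COMMON_SUBNETS):
    """Count TCP screen hits whose source is outside the allow-list: each one is a
    segment the stateless filter was supposed to discard before the screen saw it."""
    leaks = Counter()
    for line in lines:
        f = parse_screen_log(line)
        if f["event"] == "RT_SCREEN_TCP" and not in_prefix_list(f["source-address"], prefixes):
            leaks[(f["source-address"], f["interface-name"])] += 1
    return leaks
```

Feed it the output of the RT_SCREEN logs; any non-empty counter means TCP from a source the filter should have discarded reached the screen on that interface.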


Recognized Expert
mhariry
Posts: 344
Registered: 06-01-2011

Re: Traffic making it past stateless filters

Hi,


You could check this post; it might help you:


http://forums.juniper.net/t5/SRX-Services-Gateway/Default-Deny-on-SRX240/m-p/135335/highlight/true#M...


Regards,


Mohamed Elhariry


JNCIE-M/T # 1059, CCNP & CCIP


Trusted Contributor
evt
Posts: 179
Registered: 02-10-2008

Re: Traffic making it past stateless filters

I'm not sure how this helps.  That post doesn't appear to be close to the same problem I'm having.

Trusted Contributor
evt
Posts: 179
Registered: 02-10-2008

Re: Traffic making it past stateless filters

Let me be clearer in what I am trying to accomplish here.


I want to block all TCP traffic with the stateless filter, so that it doesn't even reach the screen or even take up any session resources in the firewall.  I also have a 'screen' configured to block various IP and UDP-based attacks, and it happens to still have TCP-based attacks configured, so as to test out the effectiveness of the stateless filter.  I am still seeing TCP traffic hitting my 'screen' even though I expect all TCP traffic to be blocked by the stateless filter.


Distinguished Expert
MMcD
Posts: 637
Registered: 07-20-2010

Re: Traffic making it past stateless filters

Hi, can you try the following and check the filter again?


            term 20-block_tcp {
                from {
                    protocol tcp;
                    tcp-initial;
                }
                then {
                    count tcp-attempts;
                    discard;
                }
            }


MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
Trusted Contributor
evt
Posts: 179
Registered: 02-10-2008

Re: Traffic making it past stateless filters

Thanks, that seems to work a lot better.  Why is just 'protocol tcp' not enough?  Now that I have 'tcp-initial' configured, do I need separate rules with other tcp-flags configured to block those as well?

Distinguished Expert
MMcD
Posts: 637
Registered: 07-20-2010

Re: Traffic making it past stateless filters


Good question, I am mobile at the minute and cannot get you a 100% answer, but I'm pretty sure the flags, tcp-initial or port etc. must be specified when using protocol tcp; in a filter as above.


tcp-initial is a term used for the bits "(syn & !ack)".


You can use one rule with logical operators to specify a variety of tcp flags such as:


user@srx#set firewall family inet filter myfilter term term1 from tcp-flags "(syn & !ack) | fin | rst"


Have a read here:


http://www.juniper.net/techpubs/en_US/junos10.0/topics/reference/requirements/firewall-filter-ex-ser...


MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
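An added example, mine rather than the thread's or Juniper's: an evaluator for tcp-flags expressions in the syntax MMcD quotes, using the operators the condition accepts (&, |, !, parentheses, with ! binding tightest and | loosest) and the six Junos flag names. TCP_INITIAL encodes the "(syn & !ack)" equivalence stated above, so you can check which segments a term built on "(syn & !ack) | fin | rst" matches and how that differs from a bare syn match.

```python
import re

# The six flag names the Junos tcp-flags match condition accepts, and the
# "(syn & !ack)" shorthand equivalence stated in the reply above.
FLAG_NAMES = ("fin", "syn", "rst", "push", "ack", "urgent")
TCP_INITIAL = "(syn & !ack)"

def tcp_flags_match(expr, flags):
    """Evaluate a Junos-style tcp-flags expression against the set of flag names set
    on a segment.  Precedence, lowest to highest: '|', '&', '!', parentheses.
    Grammar: or := and ('|' and)*; and := not ('&' not)*; not := '!' not | atom; atom := '(' or ')' | flag."""
    if not re.fullmatch(r"[\s()&|!a-z]*", expr):
        raise ValueError(f"bad character in tcp-flags expression {expr!r}")
    tokens = re.findall(r"[()&|!]|[a-z]+", expr) + [None]  # None marks end of input
    pos = [0]  # cursor into tokens, shared by the nested parsers

    def take():
        pos[0] += 1
        return tokens[pos[0] - 1]
    def parse_or():
        value = parse_and()
        while tokens[pos[0]] == "|":
            take()
            value = parse_and() or value  # rhs parsed first so it is always consumed
        return value
    def parse_and():
        value = parse_not()
        while tokens[pos[0]] == "&":
            take()
            value = parse_not() and value
        return value
    def parse_not():
        if tokens[pos[0]] == "!":
            take()
            return not parse_not()
        return parse_atom()
    def parse_atom():
        tok = take()
        if tok == "(":
            value = parse_or()
            if take() != ")":
                raise ValueError("missing ')' in tcp-flags expression")
            return value
        if tok not in FLAG_NAMES:
            raise ValueError(f"unknown flag or unexpected end of expression: {tok!r}")
        return tok in flags
    result = parse_or()
    if tokens[pos[0]] is not None:
        raise ValueError("trailing tokens in tcp-flags expression")
    return result
```

A bare "syn" matches both the initial SYN and the SYN/ACK of a handshake, whereas TCP_INITIAL matches only the former; this is what a term keyed on tcp-initial discards.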