SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Traffic making it past stateless filters

     
    Posted 08-09-2012 11:08

    I'm trying to figure out why my SRX3600 is letting traffic pass by the stateless filters.  I've got one filter configured on my interface that's connected to the 'untrust' zone (in my case, the 'out-inet' zone):

     

        ge-0/0/11 {
            description r1:ge-0/1/2;
            enable;
            vlan-tagging;
            unit 1 {
                vlan-id 1;
                family inet {
                    mtu 1500;
                    filter {
                        input block-common;
                    }
                    address x.x.x.10/30;
                }
            }
        }

     It's a simple filter:

     

            filter block-common {
                term 0-allow_local {
                    from {                  
                        source-prefix-list {
                            ACCESS-common-subnets;
                        }
                    }
                    then accept;
                }
                term 10-block_common {
                    from {
                        protocol udp;
                        destination-port [ 135 137 138 139 445 4444 1433-1434 ];
                    }
                    then {
                        count common-ports;
                        discard;
                    }
                }
                term 20-block_tcp {
                    from {
                        protocol tcp;
                    }
                    then {
                        count tcp-attempts;
                        discard;
                    }
                }
                term 1000-implicit_allow {
                    then accept;
                }
            }

    One of the results of the filter above is that it's supposed to block all TCP traffic, except for that which is coming from IPs configured in my 'ACCESS-common-subnets' prefix-list.  The problem is, I'm still seeing TCP traffic hitting the 'screen' I've configured:

     

    1 2012-08-09T13:54:45.745 fw1 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.34 attack-name="Port scan!" source-address="x.x.x.54" source-port="40829" destination-address="x.x.x.1" destination-port="22" source-zone-name="out-inet" interface-name="ge-0/0/11.1" action="drop"]

     I've verified that the IP address is not listed in the prefix-list that has access to bypass this filter.  It's my understanding that the stateless filters are #3 in line for processing, which occurs before passing the packet on to the screen process.  Is there something I'm missing?

     

    SRX details: 3600 in a cluster, running 11.2R7.4.

     



  • 2.  RE: Traffic making it past stateless filters

    Posted 08-10-2012 07:33

    Hi,

     

    You could check this post it might help you

     

    http://forums.juniper.net/t5/SRX-Services-Gateway/Default-Deny-on-SRX240/m-p/135335/highlight/true#M17271

     

    Regards,

     

    Mohamed Elhariry

     

    JNCIE-M/T # 1059, CCNP & CCIP

     

    ----------------------------------------------------------------------------------------------------------------------------------------

    If this post was helpful, please mark this post as an "Accepted Solution". Kudos are always appreciated!



  • 3.  RE: Traffic making it past stateless filters

     
    Posted 08-10-2012 07:39

    I'm not sure how this helps.  That post doesn't appear to be close to the same problem I'm having.



  • 4.  RE: Traffic making it past stateless filters

     
    Posted 08-10-2012 10:50

    Let me be clearer in what I am trying to accomplish here.

     

    I want to block all TCP traffic with the stateless filter, so that it doesn't even reach the screen or even take up any session resources in the firewall.  I also have a 'screen' configured to block various IP and UDP-based attacks, and it happens to still have TCP-based attacks configured, so as to test out the effectiveness of the stateless filter.  I am still seeing TCP traffic hitting my 'screen' even though I expect all TCP traffic to be blocked by the stateless filter.

     

     



  • 5.  RE: Traffic making it past stateless filters
    Best Answer

    Posted 08-10-2012 16:03

    Hi can you try the following and check the filter again?

     

    term 20-block_tcp {
        from {
            protocol tcp;
            tcp-initial;
        }
        then {
            count tcp-attempts;
            discard;
        }
    }

     



  • 6.  RE: Traffic making it past stateless filters

     
    Posted 08-10-2012 18:53

    Thanks, that seems to work a lot better.  Why is just 'protocol tcp' not enough?  Now that I have 'tcp-initial' configured, do I need separate rules with other tcp-flags configured to block those as well?



  • 7.  RE: Traffic making it past stateless filters

    Posted 08-11-2012 03:34

    Good question, I am mobile at the minute and cannot get you a 100% answer but I'm pretty sure the flags, tcp-initial or port etc. etc. must be specified when using protocol tcp; in a filter as above.

     

    tcp-initial is a term used for the bits "(syn & !ack)".

     

    You can use one rule with logical operators to specify a variety of tcp flags such as:

     

     

    user@srx# set firewall family inet filter myfilter term term1 from tcp-flags "(syn & !ack) | fin | rst"

     

    Have a read here:

     

    http://www.juniper.net/techpubs/en_US/junos10.0/topics/reference/requirements/firewall-filter-ex-series-match-conditions.html
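To make the difference between `tcp-initial` and a wider `tcp-flags` expression concrete, here is a small evaluator for the boolean syntax the reply above describes. It is an added example written for this thread, not code from Juniper or from any poster, and it assumes the alias mapping of `tcp-initial` to `(syn & !ack)` stated above plus the Junos synonym `tcp-established` for `(ack | rst)`; the packet flag sets it evaluates are constructed for illustration and are not captured traffic.

```python
"""Evaluate Junos-style tcp-flags match expressions against a packet's TCP flags.

Added example (not from the thread): a tiny parser for the boolean syntax used by
`from tcp-flags "..."` in Junos firewall filters, so the reach of terms such as
`tcp-initial` and "(syn & !ack) | fin | rst" can be checked offline.
"""
import re

FLAG_NAMES = {"fin", "syn", "rst", "push", "ack", "urgent"}

# Text synonyms Junos accepts in place of an explicit tcp-flags expression.
ALIASES = {
    "tcp-initial": "(syn & !ack)",      # as stated in the thread
    "tcp-established": "(ack | rst)",   # Junos synonym for non-initial segments (assumed here)
}

TOKEN_RE = re.compile(r"\s*(?:(\()|(\))|(&)|(\|)|(!)|([a-z-]+))")


def tokenize(expr):
    """Split an expression into parentheses, operators and flag names."""
    expr = expr.strip()
    pos, tokens = 0, []
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"bad character at {pos}: {expr[pos:]!r}")
        pos = m.end()
        tokens.append(next(g for g in m.groups() if g is not None))
    return tokens


class Parser:
    """Recursive-descent parser: expr := term ('|' term)*, term := factor ('&' factor)*."""

    def __init__(self, tokens):
        self.tokens, self.i = tokens, 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected!r}, got {tok!r}")
        self.i += 1
        return tok

    def parse(self):
        node = self.expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def expr(self):
        node = self.term()
        while self.peek() == "|":
            self.take("|")
            node = ("or", node, self.term())
        return node

    def term(self):
        node = self.factor()
        while self.peek() == "&":
            self.take("&")
            node = ("and", node, self.factor())
        return node

    def factor(self):
        tok = self.peek()
        if tok == "!":
            self.take("!")
            return ("not", self.factor())
        if tok == "(":
            self.take("(")
            node = self.expr()
            self.take(")")
            return node
        name = self.take()
        if name not in FLAG_NAMES:
            raise ValueError(f"unknown TCP flag {name!r}")
        return ("flag", name)


def evaluate(node, flags):
    """Evaluate a parsed expression tree against the set of flags set on a packet."""
    kind = node[0]
    if kind == "flag":
        return node[1] in flags
    if kind == "not":
        return not evaluate(node[1], flags)
    if kind == "and":
        return evaluate(node[1], flags) and evaluate(node[2], flags)
    return evaluate(node[1], flags) or evaluate(node[2], flags)


def matches(match_condition, flags):
    """True if a packet carrying `flags` (a set of names) hits the match condition."""
    expr = ALIASES.get(match_condition, match_condition)
    return evaluate(Parser(tokenize(expr)).parse(), frozenset(flags))


# Constructed flag sets for the segments of a typical TCP exchange (not captured traffic).
SAMPLE_PACKETS = {
    "client SYN": {"syn"},
    "server SYN-ACK": {"syn", "ack"},
    "data ACK": {"ack", "push"},
    "FIN": {"fin", "ack"},
    "RST": {"rst"},
}


def hits(match_condition):
    """Names of the sample packets a given match condition would discard."""
    return [name for name, flags in SAMPLE_PACKETS.items() if matches(match_condition, flags)]


if __name__ == "__main__":
    for cond in ("tcp-initial", "(syn & !ack) | fin | rst", "tcp-established"):
        print(f"{cond:28} -> {hits(cond)}")
```

Running it shows that `tcp-initial` on its own only catches the client's SYN, so with the accepted answer's term in place a SYN-ACK or a bare ACK segment arriving on the interface is not matched by that term; the `(syn & !ack) | fin | rst` expression from the last reply additionally catches FIN and RST, but still not ACK-only segments, which is the gap `tcp-established` covers.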