SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Understanding outbound filter

    Posted 08-05-2014 17:09

    Hi all,

     

    I'm trying to understand how outbound filters work when applied to an interface, in this case ge-0/0/14.0. The filter below works; I'm just confused how.

     

    Scenario 

    1. Client from 10.2.20.0/24 range connects to the Proxy Server on 172.16.0.10:3128
    2. Proxy Server connects to 10.2.20.6 for DNS lookup
    3. Proxy Server requests http or https

     Question

    For the term proxy-to-dns, why isn't the Source Address 172.16.0.10 and the destination 10.2.20.6 (Port domain), since the Proxy Server (172.16.0.10) is communicating with the DNS (10.2.20.6)?

     

    Filter (visual)

    [image: DMZ-out.jpg]

     

    Filter

    filter DMZ-out {
                term proxy-clients {
                    from {
                        source-address {
                            10.2.20.0/24;
                        }
                        destination-address {
                            172.16.0.10/32;
                        }
                        destination-port [ 3128 ssh ];
                    }
                    then accept;
                }
                term proxy-to-dns {
                    from {
                        source-address {
                            10.2.20.6/32;
                        }
                        destination-address {
                            172.16.0.10/32;
                        }
                        source-port domain;
                    }
                    then accept;
                }
                term proxy-to-web {
                    from {
                        destination-address {
                            172.16.0.10/32;
                        }
                        source-port [ http https ];
                    }
                    then accept;
                }
            }
    

    Applied to interface

    ge-0/0/14 {
            unit 0 {
                description DMZ;
                family inet {
                    filter {
                        output DMZ-out;
                    }
                    address 172.16.0.254/24;
                }
            }
        }
    


  • 2.  RE: Understanding outbound filter
    Best Answer

    Posted 08-05-2014 18:12

    ok..

    From what I can see the filter is matching the reply packet.

    If you look, in both cases the source port is a well-known port, which would imply that this is a reply packet.

    Regards,
    c_r

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
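The following is an added worked example, not code from either poster or from Juniper: a small Python model of the posted DMZ-out filter that evaluates it as an output filter on ge-0/0/14.0 (so only packets whose destination lies in the interface's 172.16.0.0/24 subnet are checked), with Junos first-match semantics and the implicit discard at the end of the filter. The sample packets (client port 51000, proxy ephemeral ports 40000/45000, the web server address 198.51.100.7, and the unsolicited 10.2.20.6:4444 packet) are constructed for illustration. It shows why the proxy's DNS request never meets this filter at all, while the DNS server's reply (source port 53, destination 172.16.0.10) is what term proxy-to-dns accepts.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Junos service names that appear in the posted filter, resolved to port numbers.
SERVICES = {"ssh": 22, "domain": 53, "http": 80, "https": 443}

# Subnet configured on ge-0/0/14.0 ("address 172.16.0.254/24" in the posted config).
DMZ_NET = ip_network("172.16.0.0/24")


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Term:
    """One 'term' of a stateless Junos firewall filter.

    All specified conditions must hold (AND); inside a condition any listed
    value may match (OR), mirroring 'destination-port [ 3128 ssh ]'."""
    name: str
    source_address: list = field(default_factory=list)
    destination_address: list = field(default_factory=list)
    source_port: list = field(default_factory=list)
    destination_port: list = field(default_factory=list)
    action: str = "accept"

    def matches(self, pkt: Packet) -> bool:
        checks = [
            (self.source_address, lambda v: ip_address(pkt.src) in ip_network(v)),
            (self.destination_address, lambda v: ip_address(pkt.dst) in ip_network(v)),
            (self.source_port, lambda v: pkt.sport == SERVICES.get(v, v)),
            (self.destination_port, lambda v: pkt.dport == SERVICES.get(v, v)),
        ]
        # Conditions that the term does not specify are skipped (they match anything).
        return all(any(test(v) for v in values) for values, test in checks if values)


# The three terms exactly as posted, in order.
DMZ_OUT = [
    Term("proxy-clients", source_address=["10.2.20.0/24"],
         destination_address=["172.16.0.10/32"], destination_port=[3128, "ssh"]),
    Term("proxy-to-dns", source_address=["10.2.20.6/32"],
         destination_address=["172.16.0.10/32"], source_port=["domain"]),
    Term("proxy-to-web", destination_address=["172.16.0.10/32"],
         source_port=["http", "https"]),
]


def evaluate_filter(terms, pkt: Packet):
    """First matching term wins; a filter with no matching term discards the packet."""
    for term in terms:
        if term.matches(pkt):
            return term.name, term.action
    return None, "discard"  # implicit discard at the end of every Junos filter


def output_filter_verdict(pkt: Packet):
    """Apply DMZ-out in the *output* direction of ge-0/0/14.0.

    Only packets leaving the router through that interface, i.e. destined for
    the DMZ subnet, are evaluated. Packets coming *from* the DMZ enter the
    router on this interface and would only be seen by an *input* filter."""
    if ip_address(pkt.dst) not in DMZ_NET:
        return None, "not-evaluated"
    return evaluate_filter(DMZ_OUT, pkt)


if __name__ == "__main__":
    # Constructed sample traffic for the scenario in the question.
    samples = {
        "DNS request  proxy -> 10.2.20.6:53": Packet("172.16.0.10", "10.2.20.6", 40000, 53),
        "DNS reply    10.2.20.6:53 -> proxy": Packet("10.2.20.6", "172.16.0.10", 53, 40000),
        "client -> proxy:3128":              Packet("10.2.20.55", "172.16.0.10", 51000, 3128),
        "web reply   :443 -> proxy":         Packet("198.51.100.7", "172.16.0.10", 443, 45000),
        "unsolicited 10.2.20.6:4444 -> proxy:8080": Packet("10.2.20.6", "172.16.0.10", 4444, 8080),
    }
    for label, pkt in samples.items():
        print(f"{label:45} -> {output_filter_verdict(pkt)}")
```

Because an interface filter is stateless, the model (like the real filter) accepts any packet arriving at the proxy with source port 53, 80 or 443, whether or not the proxy sent a request first; on an SRX it is the stateful security policy between zones, not the filter, that ties replies to the sessions that caused them.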