SRX

Hi everybody!!

Is it possible to block icmp request (ping) from one PC to others which are in the same vlan, same zone and same subnet on SRX 210. I have tried to apply address book (added this PC to address book) and apply policy (for example: match source address my PC, match destiantion address any, match application [junos-ping, junos-icmp-all.....]

then reject) it works only for public IPs but in my vlan it still pinging. 

If I apply firewall filter on my vlan,  again I can't ping public IPs but able to ping my PCs in vlan....

Tanks in advance 

regards,

this works for me:

set firewall family inet filter icmp term 1 from protocol icmp

set firewall family inet filter icmp term 1 then discard

set firewall family inet filter icmp term 2 then accept

set interfaces vlan unit 2 family inet filter input icmp

I guess you may have missed some config on your firewall filter. This can not be accomplished via policies btw since the PCs are in the same vlan.

thanx for the config but  inpite of firewall filter anyway I can ping my PCs in vlan it only works for public IPs

---

@WL wrote:

this works for me:

set firewall family inet filter icmp term 1 from protocol icmp

set firewall family inet filter icmp term 1 then discard

set firewall family inet filter icmp term 2 then accept

set interfaces vlan unit 2 family inet filter input icmp

 

I guess you may have missed some config on your firewall filter. This can not be accomplished via policies btw since the PCs are in the same vlan.

No, Vadim.

Could you put the filter into vlan configuration?

set vlans qqq filter input qqq

set firewall family inet filter icmp term 1 from protocol icmp

set firewall family inet filter icmp term 1 then discard

set firewall family inet filter icmp term 2 then accept

set interfaces vlan unit 7 family inet address 192.168.100.201/24

set vlans PC vlan-id 7

set vlans PC l3-interface vlan.7

set interfaces vlan unit 7 family inet filter input icmp

that's my config

I don't understand what's wrong

Basic rules of networking I guess...

hosts ARP within the same broadcast domain knows each others  MAC addresses and negotiates directly using only L2 infrastructure (switches lets say), thus this traffic may even never hit router vlan logical or even physical interface and firewall policies doesn't work in this scenario.

Pinging external hosts traffic is directed to default-gateway (srx l3 interface) where firewall rule is configured and icmp is dropped. 

Does not work 

Vadim,

not sure I got that right so let me put it down as I understand:

You have SRX connected to a VLAN, example 10.10.1.0/24. SRX has IP in that subnet, like 10.10.1.1. You have PCs in that same VLAN/subnet and try to block ICMP between those PCs, so you want to effectively block 10.10.1.5 from pinging 10.10.5.6. Right?

This will of course not work because that traffic will never hit the firewall. Even if you have conneted all the PCs directly to the firewall (switching) that traffic won't go through the flow engine. You can't act on inter-subnet traffic. 

You could block that traffic through L2 firewall filters (in principle), but it is

not working on SRX (internal switch has some reduced functionality compared

to EX switches)...

2pk

Is it really unworkable configuration?

set firewall filter qqq term a from protocol icmp

set firewall filter qqq term a then reject

set firewall filter qqq term b then accept

set vlans qqq vlan-id 10

set vlans qqq filter input qqq

/Alex

to sh_:

Quote from AJSEC couseware: "The branch SRX device does not support the configuration of

Layer 2 stateless firewall filters. However, it does support some Layer 2 Ethernet port security"

(Such as 802.1x).