Ethernet Switching

Firewall filter to restrict traffic for one interface

‎08-08-2016 01:31 PM

Hello,
I have an EX2200 (12.3R6.6), and I'm trying to create a firewall filter that will restrict inbound and outbound traffic for ge-0/0/5 to specific source/destination addresses. This is for an old NAS that holds replicated backups, and it does not have built-in functionality for access control lists.

I tried following the procedure listed here: http://www.juniper.net/documentation/en_US/junos12.3/topics/task/configuration/firewall-filter-ex-se...

I created a firewall filter for the ethernet-switching family, and I added one term to accept traffic from a single IP address:

{master:0}[edit firewall family ethernet-switching]
user@SWITCH# show
filter NAS-Inbound {
    term NAS-Inbound-Allow {
        from {
            source-address {
                192.168.1.66/32;
            }
        }
    }
}

Then I applied the firewall filter to the input of ge-0/0/5:

{master:0}[edit interfaces ge-0/0/5 unit 0 family ethernet-switching]
user@SWITCH# show
port-mode access;
vlan {
    members VLAN2;
}
filter {
    input NAS-Inbound;
}

After I commit the change, I cannot ping the NAS from anywhere on our network, even from the IP address that the rule should allow. That IP address is on the same VLAN as the NAS. If I remove that filter from ge-0/0/5, I can ping the NAS. I tried specifying "set then accept" to the NAS-Inbound-Allow term, and then I applied the filter to ge-0/0/5 again, but then I still can't ping the NAS. When the filter is applied, the NAS becomes unreachable.

I want the filter to apply only to ge-0/0/5 instead of VLAN2, if possible. What am I doing incorrectly?

Thank you.


Re: Firewall filter to restrict traffic for one interface

‎08-08-2016 01:54 PM

I think you are missing "then accept" in the term:

jh@switch# show firewall family ethernet-switching
filter test {
    term test {
        from {
            source-address {
                192.168.1.66/32;
            }
        }
        then accept;
    }
}

Please update your configuration and try again 🙂


--
Best regards,

Jonas Hauge Klingenberg
Juniper Ambassador & Technology Architect, SEC DATACOM A/S (Denmark)

Re: Firewall filter to restrict traffic for one interface

‎08-08-2016 02:52 PM

Hi,

The default action if no action is explicitly stated in a term of the filter is accept.

"If the packet matches all the conditions, and no action is specified in the then statement, the default action accept is taken."

http://www.juniper.net/documentation/en_US/junos15.1/topics/concept/firewall-filter-ex-series-evalua...


Can you share what is connected to ge-0/0/5? Is it the NAS?

If yes, it might be that the firewall filter is configured in the opposite direction of the traffic. You could have 2 options if that is the case:

1.  Apply the firewall filter in output direction

filter {
    output filter-name;
}

I believe with EX switches, filters can be applied in only 1 direction at a time.


2. Change the matching condition to destination-address instead of source-address:

from {
    destination-address {
        192.168.1.66/32;
    }
}

To be explicit with the firewall filter config, I would suggest adding the accept terminating action and 'count'. The count will enable you to see whether packets have matched this term.

 

Cheers,
Ashvin


Re: Firewall filter to restrict traffic for one interface

‎08-08-2016 11:19 PM

Hi,

As someone mentioned below, by default the action is to discard. Hence please add the next action to the filter.


Meaning:

user@SWITCH# show
filter NAS-Inbound {
    term NAS-Inbound-Allow {
        from {
            source-address {
                192.168.1.66/32;
            }
        }
        then accept;
    }
}

Once you do this all other traffic would be discarded and only the ones with source IP 192.168.1.66 would be accepted.

 

Thanks

Partha


Re: Firewall filter to restrict traffic for one interface

‎08-09-2016 01:38 AM

Hi,

Just wish to clear some doubts.

_____________________________________________

by defalt the action is to discard

_____________________________________________

The default action in a term, i.e. if no action is specified, is accept.

http://www.juniper.net/documentation/en_US/junos15.1/topics/concept/firewall-filter-ex-series-evalua...

The implicit rule for firewall filters, however, is an implicit discard.

The issue here is certainly not the missing accept action. Quoting:

' I tried specifying "set then accept" to the NAS-Inbound-Allow term, and then I applied the filter to ge-0/0/5 again, but then I still can't ping the NAS'

Cheers,

Ashvin


Re: Firewall filter to restrict traffic for one interface

‎08-10-2016 02:02 AM

Hi,

Try adding this term:

from {
    destination-address {
        192.168.1.66/32;
    }
}


Re: Firewall filter to restrict traffic for one interface

‎08-11-2016 11:18 AM

@jonashauge wrote:

I think you are missing "then accept" in the term:

jh@switch# show firewall family ethernet-switching
filter test {
    term test {
        from {
            source-address {
                192.168.1.66/32;
            }
        }
        then accept;
    }
}

Please update your configuration and try again 🙂



I already said in the original post that I had tried this.

 

"I tried specifying "set then accept" to the NAS-Inbound-Allow term, and then I applied the filter to ge-0/0/5 again, but then I still can't ping the NAS. When the filter is applied, the NAS becomes unreachable."


Re: Firewall filter to restrict traffic for one interface

‎08-11-2016 11:20 AM

ge-0/0/5 is the NAS.

I have tried using both input (set from source-address 192.168.1.66/32) and output filters (set from destination-address 192.168.1.66/32). Whenever one of those filters is applied to ge-0/0/5, the NAS on that interface loses connectivity.


Re: Firewall filter to restrict traffic for one interface

‎08-11-2016 11:57 AM

Hi,

I meant either Option 1 or Option 2, i.e.

Option 1:

firewall {
    family ethernet-switching {
        filter NAS-Filter-out {
            term NAS-Filter-Allow {
                from {
                    source-address {
                        192.168.1.66/32;
                    }
                }
                then {
                    accept;
                    count NAS-out;
                }
            }
        }
    }
}
interfaces {
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                filter {
                    output NAS-Filter-out;
                }
            }
        }
    }
}

Or Option 2:

firewall {
    family ethernet-switching {
        filter NAS-Filter-In {
            term NAS-Filter-Allow {
                from {
                    destination-address {
                        192.168.1.66/32;
                    }
                }
                then {
                    accept;
                    count NAS-in;
                }
            }
        }
    }
}
interfaces {
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                filter {
                    input NAS-Filter-In;
                }
            }
        }
    }
}

Could you try either of those options?

Cheers,

Ashvin


Re: Firewall filter to restrict traffic for one interface

‎08-12-2016 01:18 PM

I meant that I have already tried both Option 1 and Option 2 separately. Whenever one of those filters is applied to ge-0/0/5, all traffic through ge-0/0/5 stops.


@AshvinO wrote:

Hi,

I meant either Option 1 or Option 2, i.e.

Option 1:

firewall {
    family ethernet-switching {
        filter NAS-Filter-out {
            term NAS-Filter-Allow {
                from {
                    source-address {
                        192.168.1.66/32;
                    }
                }
                then {
                    accept;
                    count NAS-out;
                }
            }
        }
    }
}
interfaces {
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                filter {
                    output NAS-Filter-out;
                }
            }
        }
    }
}

Or Option 2:

firewall {
    family ethernet-switching {
        filter NAS-Filter-In {
            term NAS-Filter-Allow {
                from {
                    destination-address {
                        192.168.1.66/32;
                    }
                }
                then {
                    accept;
                    count NAS-in;
                }
            }
        }
    }
}
interfaces {
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                filter {
                    input NAS-Filter-In;
                }
            }
        }
    }
}

Could you try either of those options?

Cheers,

Ashvin



Re: Firewall filter to restrict traffic for one interface

‎08-14-2016 02:12 AM

Hi,

What is the IP address of the NAS connected to ge-0/0/5? Is it 192.168.1.66?

Could you share the output of "show firewall filter xxx" when the filter with the count is applied?

To troubleshoot this, I would suggest adding a term that rejects, counts and logs, and using "show firewall log" to identify blocked traffic.

Cheers,

Ashvin


Re: Firewall filter to restrict traffic for one interface

‎08-15-2016 07:28 AM

192.168.1.66 is the address of a server that needs to access the NAS.  The NAS is connected to ge-0/0/5 and is on the same VLAN as 192.168.1.66. 


Re: Firewall filter to restrict traffic for one interface

‎08-15-2016 07:51 AM

I added a counter to the firewall filter like so:

filter NAS-Inbound {
    term NAS-Inbound-Allow {
        from {
            source-address {
                192.168.1.66/32;
            }
        }
        then {
            accept;
            count NAS-Inbound-Allowed;
        }
    }
}

 

I added the filter to ge-0/0/5 and verified that it was configured for the interface:

{master:0}[edit interfaces ge-0/0/5 unit 0 family ethernet-switching]
USER@SWITCH# show
port-mode access;
vlan {
    members VLAN2;
}
filter {
    input NAS-Inbound;
}

When I tried to commit the config, I got an error:  "Referenced filter 'NAS-Inbound' can not be used as count not supported on ingress"

USER@SWITCH# commit
[edit interfaces ge-0/0/5 unit 0 family ethernet-switching]
  'filter'
    Referenced filter 'NAS-Inbound' can not be used as count not supported on ingress
error: configuration check-out failed

I added a counter to the output filter and applied the output filter to ge-0/0/5, but I received the same error when I tried to commit the config. I cannot apply the filters to ge-0/0/5 when a counter is present.


Re: Firewall filter to restrict traffic for one interface

‎08-15-2016 08:06 AM

Hi,

The filter with match condition source-address 192.168.1.66 should be applied as output filter for it to work. Please check Option 1.

You could try using match address 192.168.1.66/32 to avoid confusion:

Possible completions:
> address              Match IP source or destination address

firewall {
    family ethernet-switching {
        filter NAS-Filter {
            term NAS-Filter-Allow {
                from {
                    address {
                        192.168.1.66/32;
                    }
                }
                then {
                    accept;
                }
            }
        }
    }
}
interfaces {
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                filter {
                    input NAS-Filter;
                }
            }
        }
    }
}

Cheers,

Ashvin


Re: Firewall filter to restrict traffic for one interface

‎08-16-2016 08:59 AM

@AshvinO wrote:

Hi,

The filter with match condition source-address 192.168.1.66 should be applied as output filter for it to work. Please check Option 1.

You could try using match address 192.168.1.66/32 to avoid confusion:

Possible completions:
> address              Match IP source or destination address

firewall {
    family ethernet-switching {
        filter NAS-Filter {
            term NAS-Filter-Allow {
                from {
                    address {
                        192.168.1.66/32;
                    }
                }
                then {
                    accept;
                }
            }
        }
    }
}
interfaces {
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                filter {
                    input NAS-Filter;
                }
            }
        }
    }
}

Cheers,

Ashvin


You're saying to specify 192.168.1.66/32 as the source-address for an output filter, but that is backwards. An output filter is for traffic going out of an interface, so it should use destination-address. Likewise, the input filter should use source-address. That is how Juniper explains the filter terms here:

http://www.juniper.net/documentation/en_US/junos12.3/topics/task/configuration/firewall-filter-ex-se...

Here are the relevant code snippets from the Juniper KB:

[edit firewall family ethernet-switching filter ingress-port-filter term term-one]
user@switch# set from source-address 192.0.2.14
user@switch# set from source-port 80

[edit interfaces]
user@switch# set ge-0/0/1 unit 0 family ethernet-switching filter input ingress-port-filter

They use source-address for input filters.

Also, "address" is not a valid entry for the "from" designation on the EX2200. If I want the filter to apply to an address, I must specify either destination-address or source-address.


USER@SWITCH# set from ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> destination-address  Match IP destination address
> destination-mac-address  Match MAC destination address
+ destination-port     Match TCP/UDP destination port
> destination-prefix-list  Match IP destination prefixes in named list
+ dot1q-tag            Match Dot1Q Tag Value
+ dot1q-user-priority  Match Dot1Q user priority
+ dscp                 Match Differentiated Services (DiffServ) code point
+ ether-type           Match Ethernet Type
  fragment-flags       Match fragment flags (in symbolic or hex formats) - (Ingress only)
+ icmp-code            Match ICMP message code
+ icmp-type            Match ICMP message type
> interface            Match interface name
> interface-set        Match interface in set
> ip-version           Define IP version
  is-fragment          Match if packet is a fragment
+ l2-encap-type        Match Ethernet Encapsulation Type
+ precedence           Match IP precedence value
+ protocol             Match IP protocol type
> source-address       Match IP source address
> source-mac-address   Match MAC source address
+ source-port          Match TCP/UDP source port
> source-prefix-list   Match IP source prefixes in named list
  tcp-established      Match packet of an established TCP connection
  tcp-flags            Match TCP flags (in symbolic or hex formats)
  tcp-initial          Match initial packet of a TCP connection
+ vlan                 Match Vlan Id or Name

If I try to enter "set from address," the configuration is seen as unsupported.

{master:0}[edit firewall family ethernet-switching filter NAS-Outbound term NAS-Outbound-Allow]
USER@SWITCH# show
from {
    ##
    ## Warning: configuration block ignored: unsupported platform (ex2200-48t-4g)
    ##
    address {
        192.168.1.66/32;
    }
}

Re: Firewall filter to restrict traffic for one interface

‎08-16-2016 09:34 AM

Hi, 

______________________________________________________________________________________________

You're saying to specify 192.168.1.66/32 as the source-address for an output filter, but that is backwards. An output filter is for traffic going out of an interface, so it should use destination-address. Likewise, the input filter should use source-address.

______________________________________________________________________________________________

The filter should be viewed from the perspective of the interface it is being applied on. An output filter is indeed for traffic going out of an interface, likewise an input filter is for traffic coming into an interface.

source-address and destination-address are matching conditions used in the filter, which inspects the packet going through that interface [in or out, depending on the direction the filter is applied].

If the matching condition is 'from source-address', the filter looks at the Src IP address field in the IP header.

Similarly, if the matching condition is 'from destination-address', the filter looks at the Dst IP address field in the IP header.

Assuming the NAS has the IP address 192.168.1.65, packets from the NAS to 192.168.1.66 coming into port ge-0/0/5 [input filter] will have IP headers:

Src IP: 192.168.1.65, Dst IP: 192.168.1.66.

NAS-Inbound Filter evaluation: 

if src ip == 192.168.1.66/32 -> accept [Result = False]
Else -> reject

This is why your initial NAS-Inbound filter was blocking all traffic.

 

Proposed Option 2 Filter evaluation:

if dst ip == 192.168.1.66/32 -> accept [Result = True]
Else -> Reject

This should work.

 

An input or output filter should be able to use any of the matching conditions you listed.

A filter can have a combination of matching conditions as well. Example:

from {
  source-address x.x.x.x/x;
  destination-address y.y.y.y/y;
  ......
}

That allows the term to provide more granular filtering, as the different matching conditions are logically ANDed.

I would suggest trying either Option 1 or Option 2 again.

 

With regards to Option 1 or Option 2, there are considerations on whether to apply an input or an output filter, depending on what is being protected/secured. If the NAS is the device that is being secured, an input filter on ge-0/0/5 will block outgoing traffic from the NAS [this could be traffic originated by the NAS or reply packets].

If an output filter is applied, any traffic intended for the NAS except from the IPs listed in the filter will be blocked. If, for instance, a DoS attack is targeting the NAS, an output filter on ge-0/0/5 is more effective.

 

Hope this helps.

 

Cheers,

Ashvin 
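As an added illustration of the evaluation walked through in the reply above (this is not code from the thread or from Juniper), the following Python models how a single-term ethernet-switching filter is matched from the perspective of ge-0/0/5: first matching term decides, `from` conditions are ANDed, a term with no `then` accepts, and anything unmatched hits the implicit discard. It assumes the NAS address 192.168.1.65, as the reply does, and uses 192.168.1.77 as a constructed "any other host".

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# 192.168.1.66 is the backup server from the thread; the NAS address is an
# assumption (as in the reply above) and 192.168.1.77 is a constructed other host.
SERVER = "192.168.1.66"
NAS = "192.168.1.65"
OTHER_HOST = "192.168.1.77"


@dataclass
class Packet:
    src: str
    dst: str


@dataclass
class Term:
    name: str
    source_address: Optional[str] = None
    destination_address: Optional[str] = None
    action: str = "accept"  # a term with no 'then' action accepts

    def matches(self, pkt: Packet) -> bool:
        # All 'from' conditions in one term are ANDed together.
        if self.source_address and ip_address(pkt.src) not in ip_network(self.source_address):
            return False
        if self.destination_address and ip_address(pkt.dst) not in ip_network(self.destination_address):
            return False
        return True


def evaluate(terms: List[Term], pkt: Packet) -> Tuple[str, str]:
    """First matching term decides; no match falls through to the implicit discard."""
    for term in terms:
        if term.matches(pkt):
            return term.action, term.name
    return "discard", "implicit"


# The filters discussed in the thread, one term each.
NAS_INBOUND = [Term("NAS-Inbound-Allow", source_address=f"{SERVER}/32")]   # original, applied as input
OPTION_1 = [Term("NAS-Filter-Allow", source_address=f"{SERVER}/32")]       # meant as an output filter
OPTION_2 = [Term("NAS-Filter-Allow", destination_address=f"{SERVER}/32")]  # meant as an input filter


def scenarios() -> Dict[str, str]:
    # Seen from ge-0/0/5: input = entering the switch from the NAS, output = leaving toward it.
    nas_to_server = Packet(NAS, SERVER)
    server_to_nas = Packet(SERVER, NAS)
    other_to_nas = Packet(OTHER_HOST, NAS)
    return {
        "nas-inbound/input nas->server": evaluate(NAS_INBOUND, nas_to_server)[0],
        "option1/output server->nas": evaluate(OPTION_1, server_to_nas)[0],
        "option1/output other->nas": evaluate(OPTION_1, other_to_nas)[0],
        "option2/input nas->server": evaluate(OPTION_2, nas_to_server)[0],
    }
```

The first scenario reproduces the original symptom: the NAS's own replies carry src 192.168.1.65, never match the source-address term on the input filter, and are discarded.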
