Switching


Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.
  • 1.  Guest Internet Access Firewall Filter

    Posted 07-21-2010 15:43

    I am apparently no good with these firewall filters.  I'm having problems with a very simple task.

    All I want to do is have a filter that will only allow the Guest VLAN to use DNS, http, and https (udp/tcp ports 53, 80, 443).

    I created a filter that I thought would do that, but every time it is applied to the guest vlan, it hoses.

    This is the filter:

    family ethernet-switching {
        filter Guest54_Web {
            term Guest54_To_Web {
                from {
                    protocol [ tcp udp ];
                    destination-port [ 53 80 443 ];
                }
                then accept;
            }
        }
    }

    First I go to a system on the Guest vlan and verify internet works.

    Then apply it to the guest vlan with:

    set vlans Guest54 filter output Guest54_Web

    Then:

    commit confirmed 5

    After the commit, I've killed the traffic on the guest vlan.

    Can someone tell me what I'm doing wrong?



  • 2.  RE: Guest Internet Access Firewall Filter

    Posted 07-21-2010 19:18

    Hi,

    Are you trying to apply this at Layer 2?  I prefer to apply guest access to the VLAN.  Try this.

    set firewall family inet filter Guest54_Web term 1 from destination-port domain destination-port http destination-port https
    set firewall family inet filter Guest54_Web term 1 then accept
    set firewall family inet filter Guest54_Web term 2 then log discard
    set vlans Guest54 filter input Guest54_Web

    Let me know how your testing goes.

    -John



  • 3.  RE: Guest Internet Access Firewall Filter
    Best Answer

    Posted 07-22-2010 02:24

    Hello,

    Is your return traffic passing thru Guest VLAN as well?

    If yes, I think you forgot to take care of "from-internet" traffic. Remember, a JUNOS FW filter has an implicit "deny any" as the very last term.

    Try this simple filter (you have to define prefix-list Guest54 yourself):

    family ethernet-switching {
        filter Guest54_Web {
            term Guest54_To_Web {
                from {
                    protocol [ tcp udp ];
                    destination-port [ 53 80 443 ];
                    source-prefix-list Guest54;
                }
                then accept;
            }
            term Web_To_Guest54 {
                from {
                    protocol [ tcp udp ];
                    source-port [ 53 80 443 ];
                    destination-prefix-list Guest54;
                }
                then accept;
            }
        }
    }

    And not to be pedantic, but this filter also has 2 drawbacks:

    1] it permits tcp/53

    2] it does not permit fragmented packets

    Of course, you can enhance the filter later on when you have it tested and working.

    HTH

    Regards

    Alex



  • 4.  RE: Guest Internet Access Firewall Filter

    Posted 07-22-2010 05:42

    Thanks for the response, guys.

    firewall72

    Which would be better (L2 or L3) for this objective?

    My goal is to have the switch only accept basic internet traffic from the guest system and drop everything else.  I don't care what traffic comes to the guest system.  That is why I thought applying the filter to the vlan output would be appropriate.

    aarseniev

    You mentioned the return traffic.  So even though it is being applied to the vlan output, the return is still needed?

    I was kind of relying on the implicit deny to drop everything else, but since it was being applied to the output, I didn't think the return info was necessary.

    I will give both your suggestions a try and post back the results.

    As you can tell, I'm new to these filters, so it may take me a while : )

    Thanks again for your help.



  • 5.  RE: Guest Internet Access Firewall Filter

    Posted 07-22-2010 08:22

    Both of your suggestions seemed to work well when applied to input.  However, they both failed on output.  (my lack of understanding, I'm sure)

    I accept two solutions as I wanted to.  So, I thought the right thing to do would be to accept aarseniev's solution since he was in the ethernet-switching area.

    Thank you both for your help.



  • 6.  RE: Guest Internet Access Firewall Filter

    Posted 07-22-2010 09:34

    Hello,

    This may help:

    http://www.juniper.net/techpubs/en_US/junos10.2/topics/concept/firewall-filter-ex-series-understanding.html

    For Layer 3 (routed and multilayer-switched) unicast packets, the following firewall filter processing points apply:

        * Ingress port firewall filter
        * Ingress VLAN firewall filter (Layer 2 CoS)
        * Ingress router firewall filter (Layer 3 CoS)
        * Egress router firewall filter
        * Egress VLAN firewall filter

    Are the packets from guest PCs only entering the switch thru the Guest54 VLAN, then being routed and exiting via another VLAN?

    In this case, an output FW filter on the Guest54 VLAN won't work; you need to rethink the way the FW filter is applied.

    HTH

    Regards

    Alex



  • 7.  RE: Guest Internet Access Firewall Filter

    Posted 07-22-2010 11:49

    Yes.  The packet flow is as you describe.

    Obviously you are correct, but I don't understand why.  After looking at the link you provided, I still have a mental block.

    No filter applied to guest vlan input (Ingress).  Only on guest vlan output (Egress).

    My brain says anything trying to come into guest vlan...accept.

    Anything trying to leave guest vlan...must be tcp / udp port 80 / 443 / 53.



  • 8.  RE: Guest Internet Access Firewall Filter

    Posted 07-23-2010 04:39

    Hello,

    When you apply a filter on guest VLAN egress/output in a routed VLAN scenario, it only affects packets returning from the Internet.

    If you want to block internet access only with an _output_/_egress_ FW filter on a VLAN, you will need to apply it on the "internet exit" VLAN on egress/output.

    HTH

    Regards

    Alex
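
    The following is an added example, not code from the thread: a simplified Python model of Junos term evaluation (first matching term wins, implicit discard at the end) bound to VLAN Guest54 in either direction, using the routed-VLAN rule Alex states above (input sees guest-originated packets, output sees only packets heading back toward guest hosts). The guest prefix, server address and the five sample packets are constructed values; real EX filters do more than this model.

```python
from ipaddress import ip_address, ip_network

# Constructed sample values: this subnet stands in for prefix-list Guest54.
GUEST54 = ip_network("192.0.2.0/24")
WEB = {53, 80, 443}
ANY = ip_network("0.0.0.0/0")

def matches(cond, pkt):
    """Every 'from' condition in a term must hold for the term to match."""
    return all([
        pkt["proto"] in cond.get("protocol", {"tcp", "udp"}),
        pkt["dport"] in cond.get("destination-port", {pkt["dport"]}),
        pkt["sport"] in cond.get("source-port", {pkt["sport"]}),
        ip_address(pkt["src"]) in cond.get("source-prefix-list", ANY),
        ip_address(pkt["dst"]) in cond.get("destination-prefix-list", ANY),
    ])

def evaluate(terms, pkt):
    """First matching term wins; an implicit discard follows the last term.
    Every term in this thread ends in 'then accept', so that is the only action."""
    for _name, cond in terms:
        if matches(cond, pkt):
            return "accept"
    return "discard"

# The first post's one-term filter and Alex's two-term version (post 3).
ORIGINAL = [("Guest54_To_Web", {"destination-port": WEB})]
ALEX = [("Guest54_To_Web", {"destination-port": WEB, "source-prefix-list": GUEST54}),
        ("Web_To_Guest54", {"source-port": WEB, "destination-prefix-list": GUEST54})]

def pkt(proto, src, sport, dst, dport):
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}

# Constructed traffic between a guest host and one outside server.
FLOWS = {
    "dns_query":   pkt("udp", "192.0.2.10", 50000, "198.51.100.5", 53),
    "dns_reply":   pkt("udp", "198.51.100.5", 53, "192.0.2.10", 50000),
    "https_syn":   pkt("tcp", "192.0.2.10", 51000, "198.51.100.5", 443),
    "https_reply": pkt("tcp", "198.51.100.5", 443, "192.0.2.10", 51000),
    "ssh_attempt": pkt("tcp", "192.0.2.10", 52000, "198.51.100.5", 22),
}

def run(terms, direction):
    """Bind the filter to VLAN Guest54 in one direction. In the routed case
    from post 8, 'input' sees packets entering from guest hosts and 'output'
    sees only packets leaving the switch toward guest hosts."""
    key = "src" if direction == "input" else "dst"
    return {label: evaluate(terms, p) for label, p in FLOWS.items()
            if ip_address(p[key]) in GUEST54}
```

run(ORIGINAL, "output") discards both replies (their destination ports are the guest's ephemeral ports), which is the "hosed" VLAN from the first post, while run(ORIGINAL, "input") accepts the DNS and HTTPS requests and discards the SSH attempt.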



  • 9.  RE: Guest Internet Access Firewall Filter

    Posted 07-23-2010 05:43

    Interesting.

    So, for curiosity's sake, I applied the original filter that I had created (posted in the first post), and it also worked fine.  I was applying it in the wrong place / direction.  I never thought to try applying it on the input / ingress side of the vlan.

    Thanks for helping me get some of the mud out of my head.