Switching

  • 1.  How do I block port 25 on EX4600

    Posted 05-01-2017 10:35

    We need to block traffic on one switch port, from port 25 smtp.

    What is the best way to accomplish this task?

    I could go into Security and Filters to create it.


    Thanks



  • 2.  RE: How do I block port 25 on EX4600

    Posted 05-01-2017 11:21


  • 3.  RE: How do I block port 25 on EX4600

    Posted 05-01-2017 12:22

    I think it does, I will test it soon.




  • 4.  RE: How do I block port 25 on EX4600

    Posted 05-01-2017 16:24

    Note that this is a two-step process: you create the desired block filter, then apply the filter to the port where you want to block the traffic.

    Also note that the default action is to block, so be sure to add a final accept term to your filter or you will drop all traffic at the port.



  • 5.  RE: How do I block port 25 on EX4600

    Posted 05-01-2017 17:42

    Andy,

     

    Thanks, I believe I figured it out earlier, but wanted to make sure someone kept me honest.

     

    [edit]
    +  firewall {
    +      family ethernet-switching {
    +          filter BLOCK-25 {
    +              term PORT-25-BLOCK {
    +                  from {
    +                      interface ge-3/0/0.0;
    +                      ether-type ipv4;
    +                      source-port smtp;
    +                      destination-port smtp;
    +                      ip-protocol tcp;
    +                  }
    +                  then discard;
    +              }
    +          }
    +      }
    +  }


  • 6.  RE: How do I block port 25 on EX4600

    Posted 05-01-2017 20:49

    @starlog wrote:

    Andy,

     

    Thanks, I believe I figured it out earlier, but wanted to make sure someone kept me honest.

     

    [edit]
    +  firewall {
    +      family ethernet-switching {
    +          filter BLOCK-25 {
    +              term PORT-25-BLOCK {
    +                  from {
    +                      interface ge-3/0/0.0;
    +                      ether-type ipv4;
    +                      source-port smtp;
    +                      destination-port smtp;
    +                      ip-protocol tcp;
    +                  }
    +                  then discard;
    +              }
    +          }
    +      }
    +  }

    That would drop all traffic entering the port on which it is applied. You need a second term to accept all other traffic.

    "Also note that the default action is to block, so be sure to add a final accept term to your filter or you will drop all traffic at the port."

    e.g.

    set term allow-all then accept



  • 7.  RE: How do I block port 25 on EX4600

    Posted 05-02-2017 02:38

    In addition to the missing final term, you need to apply this filter to the interface.

    You have added the interface as a criterion here, but the filter does not do anything until it is assigned to an interface in that hierarchy.

     

    set interface ge-3/0/0 input PORT-25-BLOCK

     

    Optionally you can also add count to your block term so you can see a packet count of dropped packets.



  • 8.  RE: How do I block port 25 on EX4600

    Posted 05-02-2017 07:04

    Something like this?

     

    [edit interfaces ge-3/0/0 unit 0 family ethernet-switching]
    +       filter {
    +           input BLOCK-25;
    +       }
    [edit]
    +  firewall {
    +      family ethernet-switching {
    +          filter BLOCK-25 {
    +              term PORT-25-BLOCK {
    +                  from {
    +                      source-port smtp;
    +                      destination-port smtp;
    +                  }
    +                  then discard;
    +              }
    +              term allow-all {
    +                  then accept;
    +              }
    +          }
    +      }
    +  }

     

     

    Could I equally add to ge-3/0/0 output BLOCK-25?



  • 9.  RE: How do I block port 25 on EX4600

    Posted 05-02-2017 08:43
    That should be OK.
    This filter will block traffic entering the port (ingress), so the output filter would be unnecessary.


  • 10.  RE: How do I block port 25 on EX4600
    Best Answer

    Posted 05-02-2017 08:49

    starlog,

     

    Hello! One configuration snippet in particular caught my attention. In your original request you asked to block traffic "from port 25 smtp". In the below configuration, you have a match condition of source-port 25 and destination-port 25.

     

    +              term PORT-25-BLOCK {
    +                  from {
    +                      source-port smtp;
    +                      destination-port smtp;

    According to this article, all conditions in the from stanza must be met to match and execute the then statement. If your intent is to block all traffic sourcing from port 25, then you should only use source-port smtp. If you are attempting to block communications destined to port 25, you should use destination-port smtp. If you want either one, try using the port match condition.

     

    All in all, if your original ask is to block traffic from port 25, the below configuration should meet your needs.

     

    set firewall family ethernet-switching filter BLOCK-25 term BLOCK-SMTP from source-port smtp
    set firewall family ethernet-switching filter BLOCK-25 term BLOCK-SMTP then discard
    set firewall family ethernet-switching filter BLOCK-25 term BLOCK-SMTP then log
    set firewall family ethernet-switching filter BLOCK-25 term PERMIT-ANY then accept
    set interfaces ge-3/0/0.0 family ethernet-switching filter input BLOCK-25
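An added example, not from this thread or from Juniper, that models the three evaluation rules the replies rely on (every condition in a term's from stanza must match, terms are tried in order and the first match wins, and an unmatched packet hits the implicit discard) and runs the originally posted BLOCK-25 and the Best Answer version over a few constructed packets. The packet fields and sample ports are assumptions for illustration.

```python
# Added example: a minimal model of how a Junos family ethernet-switching
# filter evaluates a packet. Packets are plain dicts with the fields
# 'source_port' and 'destination_port' (an assumption for this model).
SMTP = 25

def term(name, then, **match):
    """Build a term; match keys: source_port, destination_port, port."""
    return {"name": name, "from": match, "then": then}

def term_matches(t, pkt):
    # All conditions in the from stanza must be met (logical AND).
    for field, value in t["from"].items():
        if field == "port":
            # 'port' matches when either the source or destination port equals value.
            if pkt["source_port"] != value and pkt["destination_port"] != value:
                return False
        elif pkt.get(field) != value:
            return False
    return True

def evaluate(filter_terms, pkt):
    """Return (action, term name) of the first matching term, else the implicit discard."""
    for t in filter_terms:
        if term_matches(t, pkt):
            return t["then"], t["name"]
    return "discard", "<implicit>"

# The filter as first posted: both ports must be 25, and there is no final accept.
ORIGINAL_BLOCK_25 = [
    term("PORT-25-BLOCK", "discard", source_port=SMTP, destination_port=SMTP),
]

# The Best Answer version: match on source-port only, then accept everything else.
CORRECTED_BLOCK_25 = [
    term("BLOCK-SMTP", "discard", source_port=SMTP),
    term("PERMIT-ANY", "accept"),
]

# Constructed sample packets as they would arrive on the ingress port.
SMTP_CLIENT_TO_SERVER = {"source_port": 50412, "destination_port": SMTP}
SMTP_SERVER_REPLY = {"source_port": SMTP, "destination_port": 50412}
HTTPS = {"source_port": 50413, "destination_port": 443}

if __name__ == "__main__":
    for label, f in (("original", ORIGINAL_BLOCK_25), ("corrected", CORRECTED_BLOCK_25)):
        for desc, pkt in (("client->server SMTP", SMTP_CLIENT_TO_SERVER),
                          ("server reply SMTP", SMTP_SERVER_REPLY),
                          ("HTTPS", HTTPS)):
            print(f"{label:9} {desc:20} -> {evaluate(f, pkt)}")
```

Running it shows the original filter never matches a real SMTP session (source and destination port are not both 25) and discards the HTTPS packet through the implicit discard, while the corrected filter discards only the packet sourced from port 25 and accepts the rest.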