Junos

Management ACL

08-21-2019 05:25 AM

Hey Guys,

I am having a little issue restricting management traffic. This is for an MX104, software version 13.3R9.13. Here is a snippet of my ACL config, attached to the loopback interface.

set interfaces lo0 unit 0 family inet filter input MGMT

set policy-options prefix-list MGMT_Net x.x.x.x/24
set policy-options prefix-list MGMT_Net x.x.x.x/24

set firewall family inet filter MGMT term T1 from source-prefix-list MGMT_Net except
set firewall family inet filter MGMT term T1 from destination-port ssh
set firewall family inet filter MGMT term T1 from destination-port https
set firewall family inet filter MGMT term T1 from destination-port telnet
set firewall family inet filter MGMT term T1 from destination-port http
set firewall family inet filter MGMT term T1 then discard
set firewall family inet filter MGMT term accept_everything_else then accept

I am new to Juniper (a long-time Cisco guy), so forgive my ignorance.

Thanks,

Matt

4 REPLIES

Solution accepted by topic author Juniper_Idiot, 08-26-2019 04:44 AM

Re: Management ACL

08-21-2019 05:59 AM

Hi Matt,

When using the except keyword, I think a wider set has to be defined out of which you except a smaller subset.

Please try the below config and let me know if it works.

set interfaces lo0 unit 0 family inet filter input MGMT

set firewall family inet filter MGMT term T1 from source-address x.x.x.x/24 except
set firewall family inet filter MGMT term T1 from source-address x.x.x.x/24 except
set firewall family inet filter MGMT term T1 from source-address 0.0.0.0/0
set firewall family inet filter MGMT term T1 from destination-port ssh
set firewall family inet filter MGMT term T1 from destination-port https
set firewall family inet filter MGMT term T1 from destination-port telnet
set firewall family inet filter MGMT term T1 from destination-port http
set firewall family inet filter MGMT term T1 then discard
set firewall family inet filter MGMT term accept_everything_else then accept

Instead of a prefix-list, try adding both the subnets individually to the filter.

Thanks and Regards,
Pradeep Kumar.


Re: Management ACL

08-21-2019 06:21 AM

Thank you so much for your reply. Adding the following seems to have done the trick.

set firewall family inet filter MGMT term T1 from source-address 0.0.0.0/0

I was able to keep the prefix list, though. I like the idea of modifying a prefix list versus the filter directly. Do you mind elaborating a little bit? My understanding of the except keyword was that it basically inverts whatever IP you pass to it.

Thanks Again,

Matt


Re: Management ACL

08-21-2019 09:01 AM

Hi Matt,

As you have already tried, it works with a prefix list as well. I suggested trying source-address instead of prefix-list to help understand it better. Also, your understanding of the except keyword is correct; it's just that you should also define the address set from which you would like to invert the selection of IPs.

Please read through the examples at https://www.juniper.net/documentation/en_US/junos/topics/concept/firewall-filter-stateless-match-con... for further understanding. When you only mention the prefix-list, all other addresses implicitly do not match this condition.

Instead of using except and discard in combination, the below config serves the same purpose.

set interfaces lo0 unit 0 family inet filter input MGMT

set policy-options prefix-list MGMT_Net x.x.x.x/24
set policy-options prefix-list MGMT_Net x.x.x.x/24

set firewall family inet filter MGMT term T1 from source-prefix-list MGMT_Net
set firewall family inet filter MGMT term T1 then accept
set firewall family inet filter MGMT term T2 from destination-port ssh
set firewall family inet filter MGMT term T2 from destination-port https
set firewall family inet filter MGMT term T2 from destination-port telnet
set firewall family inet filter MGMT term T2 from destination-port http
set firewall family inet filter MGMT term T2 then discard
set firewall family inet filter MGMT term accept_everything_else then accept

T1 allows all traffic from the selected prefix list; for the rest of the IPs, T2 blocks the ports mentioned, and accept_everything_else accepts the rest of the traffic for all IPs.

Thanks,
Pradeep
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
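As an added illustration of the point made in the two replies above (Pradeep's fix of adding 0.0.0.0/0, and his two-term rewrite), here is a small Python model of how a Junos stateless filter walks its terms. It is not code from the thread, from Juniper, or from Junos itself; it only encodes the behaviour the thread reports: terms are evaluated in order, the first match wins, an unmatched packet hits the filter's implicit discard, the longest matching source prefix decides, and a term whose only address is an except entry matches nothing. The prefixes 192.0.2.0/24 and 198.51.100.0/24 and the three sample packets are constructed stand-ins for the obfuscated x.x.x.x/24 networks.

```python
# Added example (not from the thread): a model of how a Junos stateless
# firewall filter evaluates the three MGMT filter variants discussed above.
# Assumptions, modelled on what the thread reports rather than on Junos source:
#  - terms are tried in order and the first matching term's action wins;
#  - a packet that matches no term hits the implicit discard at the end;
#  - for source-address the longest matching prefix decides, and if that
#    prefix is an "except" entry the address condition fails;
#  - a term whose only addresses are "except" entries matches nothing, which
#    is why the original filter never discarded anything.
# 192.0.2.0/24 and 198.51.100.0/24 are constructed stand-ins for x.x.x.x/24.
import ipaddress
from dataclasses import dataclass, field

# Junos resolves the service names ssh/https/telnet/http to these ports.
MGMT_PORTS = {22, 443, 23, 80}

MGMT_NET = ipaddress.ip_network("192.0.2.0/24")   # constructed: prefix-list MGMT_Net
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Term:
    name: str
    action: str                                    # "accept" or "discard"
    addresses: list = field(default_factory=list)  # [(network, is_except), ...]
    dest_ports: set = field(default_factory=set)   # empty set means "any port"

    def matches(self, src, dport):
        if self.addresses:
            best = None
            for net, is_except in self.addresses:
                if src in net and (best is None or net.prefixlen > best[0].prefixlen):
                    best = (net, is_except)
            # No covering prefix, or the longest one is an except: condition fails.
            if best is None or best[1]:
                return False
        if self.dest_ports and dport not in self.dest_ports:
            return False
        return True


def evaluate(terms, src, dport):
    """Return (term name, action) for a packet arriving on the lo0 filter."""
    src = ipaddress.ip_address(src)
    for term in terms:
        if term.matches(src, dport):
            return term.name, term.action
    return "implicit", "discard"


EVERYTHING_ELSE = Term("accept_everything_else", "accept")

# Matt's original filter: T1 has only an except address, so it matches nothing.
ORIGINAL = [Term("T1", "discard", [(MGMT_NET, True)], MGMT_PORTS), EVERYTHING_ELSE]

# Pradeep's fix: 0.0.0.0/0 gives the except something to be carved out of.
FIXED = [Term("T1", "discard", [(MGMT_NET, True), (ANY, False)], MGMT_PORTS), EVERYTHING_ELSE]

# The equivalent two-term form: accept MGMT_Net first, then discard the ports.
SPLIT = [Term("T1", "accept", [(MGMT_NET, False)]),
         Term("T2", "discard", dest_ports=MGMT_PORTS),
         EVERYTHING_ELSE]

# Constructed sample packets: (source IP, destination port).
PACKETS = [("192.0.2.10", 22),      # management host, ssh
           ("198.51.100.7", 22),    # outside host, ssh
           ("198.51.100.7", 179)]   # outside host, bgp (must stay open)


def outcomes(terms):
    """Map each sample packet to the (term, action) the filter produces."""
    return {pkt: evaluate(terms, *pkt) for pkt in PACKETS}


if __name__ == "__main__":
    for label, terms in (("original", ORIGINAL), ("fixed", FIXED), ("split", SPLIT)):
        print(label)
        for pkt, (term, action) in outcomes(terms).items():
            print(f"  {pkt[0]:>14}:{pkt[1]:<4} -> {term} ({action})")
```

Running it shows the original filter accepting the outside host's ssh connection (the except-only T1 never fires), while the fixed and split filters agree on every packet: management ssh accepted, outside ssh discarded, outside BGP left alone. The last point is why the trailing accept term matters on a lo0 filter, which also sees routing-protocol traffic; a model like this is a cheap way to check a candidate filter against the sessions you must not break before committing it.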


Re: Management ACL

08-21-2019 11:05 AM

Hi!

Can you please confirm whether the prefixes in MGMT_Net are the set of IPs that you want to allow or the set you want to restrict?

What you have configured should basically allow hosts in MGMT_Net to do ssh, telnet, http, and https to the MX104, and should restrict others.

Here is an example of the same (the example is for allowing BGP port 179 traffic): https://www.juniper.net/documentation/en_US/junos/topics/example/firewall-filter-stateless-example-p...

If you want to restrict traffic from MGMT_Net, then just remove "except" and you will start restricting traffic from MGMT_Net.

Regards,

Arpit