SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Filter ICMP Packets

    Posted 07-29-2016 21:51

    Hello Guys,

     

    Someone help?

     

    I have a filter on an SRX240 allowing just some public IP addresses to ping my untrust zone (my public IP address). This is working fine.

     

    When I applied this filter, pings from the trust zone (LAN -> Internet, e.g. 8.8.8.8) stopped.

     

    Here is my filter:

     

    set firewall family inet filter [filter_bla_bla] term 1 from source-address [public ip]
    set firewall family inet filter [filter_bla_bla] term 1 from source-address [public ip]
    set firewall family inet filter [filter_bla_bla] term 1 from destination-address [my public ip]
    set firewall family inet filter [filter_bla_bla] term 1 from protocol tcp
    set firewall family inet filter [filter_bla_bla] term 1 from destination-port ssh
    set firewall family inet filter [filter_bla_bla] term 1 then accept
    set firewall family inet filter [filter_bla_bla] term 2 from source-address [public ip]
    set firewall family inet filter [filter_bla_bla] term 2 from source-address [public ip]
    set firewall family inet filter [filter_bla_bla] term 2 from destination-address [my public ip]
    set firewall family inet filter [filter_bla_bla] term 2 from protocol icmp
    set firewall family inet filter [filter_bla_bla] term 2 then accept
    set firewall family inet filter [filter_bla_bla] term 3 from destination-address [my public ip]
    set firewall family inet filter [filter_bla_bla] term 3 from protocol tcp
    set firewall family inet filter [filter_bla_bla] term 3 from destination-port ssh
    set firewall family inet filter [filter_bla_bla] term 3 then reject
    set firewall family inet filter [filter_bla_bla] term 4 from protocol icmp
    set firewall family inet filter [filter_bla_bla] term 4 from protocol icmp6
    set firewall family inet filter [filter_bla_bla] term 4 then reject
    set firewall family inet filter [filter_bla_bla] term default then accept
    set interfaces ge-0/0/9 unit 0 family inet filter input [filter_bla_bla]
    set security zones security-zone untrust interfaces ge-0/0/9.0 host-inbound-traffic system-services ping

     

    Someone help?

     

    Thank you all



  • 2.  RE: Filter ICMP Packets

    Posted 07-29-2016 23:21

    Hi,

     

    The term 4 seems to be blocking the pings.

     

    Please deactivate term 4 and then test again; it should work.

     

    Regards,

    Sahil Sharma

    ---------------------------------------------------

    Please mark my solution as accepted if it helped, Kudos are appreciated as well.



  • 3.  RE: Filter ICMP Packets

    Posted 07-31-2016 18:22

    Hi sahilsha

    Term 4 rejects pings from other IP addresses. I've allowed the specific IP addresses; term 4 is there to drop connections from any other IP that is not listed.

    Thank you



  • 4.  RE: Filter ICMP Packets

    Posted 07-31-2016 22:10

    Hi,

     

    Your term 2 is as follows:

     

    set firewall family inet filter [filter_bla_bla] term 2 from source-address [public ip]
    set firewall family inet filter [filter_bla_bla] term 2 from source-address [public ip]
    set firewall family inet filter [filter_bla_bla] term 2 from destination-address [my public ip]
    set firewall family inet filter [filter_bla_bla] term 2 from protocol icmp
    set firewall family inet filter [filter_bla_bla] term 2 then accept

     

    Do these [public ip] entries in the source-address include 8.8.8.8?

     

    If not, term 2 would not be hit when ICMP echo replies come from 8.8.8.8 to your public IP; they would hit term 4 and get dropped.

     

    Regards,

    Sahil Sharma

    ---------------------------------------------------

    Please mark my solution as accepted if it helped, Kudos are appreciated as well.



  • 5.  RE: Filter ICMP Packets

     
    Posted 08-01-2016 01:07

    Hi, 

     

    Assuming you are using source NAT from the LAN to the Internet, is it NATed to the interface address?

    If yes, you could add the matching condition "from destination-address [my public ip]" to the additional term 2_1; otherwise the comprehensive filter would have to be something like this, with the additional term 2_1:

    set firewall family inet filter [filter_bla_bla] term 1 from source-address [public ip]
    set firewall family inet filter [filter_bla_bla] term 1 from source-address [public ip]
    set firewall family inet filter [filter_bla_bla] term 1 from destination-address [my public ip]
    set firewall family inet filter [filter_bla_bla] term 1 from protocol tcp
    set firewall family inet filter [filter_bla_bla] term 1 from destination-port ssh
    set firewall family inet filter [filter_bla_bla] term 1 then accept
    set firewall family inet filter [filter_bla_bla] term 2 from source-address [public ip]
    set firewall family inet filter [filter_bla_bla] term 2 from source-address [public ip]
    set firewall family inet filter [filter_bla_bla] term 2 from destination-address [my public ip]
    set firewall family inet filter [filter_bla_bla] term 2 from protocol icmp
    set firewall family inet filter [filter_bla_bla] term 2 then accept
    set firewall family inet filter [filter_bla_bla] term 2_1 from protocol icmp
    set firewall family inet filter [filter_bla_bla] term 2_1 from icmp-type echo-reply
    set firewall family inet filter [filter_bla_bla] term 2_1 then accept
    set firewall family inet filter [filter_bla_bla] term 3 from destination-address [my public ip]
    set firewall family inet filter [filter_bla_bla] term 3 from protocol tcp
    set firewall family inet filter [filter_bla_bla] term 3 from destination-port ssh
    set firewall family inet filter [filter_bla_bla] term 3 then reject
    set firewall family inet filter [filter_bla_bla] term 4 from protocol icmp
    set firewall family inet filter [filter_bla_bla] term 4 from protocol icmp6
    set firewall family inet filter [filter_bla_bla] term 4 then reject
    set firewall family inet filter [filter_bla_bla] term default then accept

    If there is a dedicated NAT pool, you could add "from destination-prefix-list NAT-pool", for example.

    Term 2_1 would have to come before term 4, at least.

     

    Cheers,

    Ashvin

     



  • 6.  RE: Filter ICMP Packets

    Posted 08-01-2016 06:16

    Hi Guys!
    Thanks for all the replies.
    The thing is, the firewall does not have policies to drop any connections; the rules are just for VPN.
    I need to allow only specific addresses to ping my public IP address.
    The filter is working for this, but pings from the internal LAN to the Internet stopped.
    I believe that the problem is not in the NAT, because when I remove the filter the ping works fine.



  • 7.  RE: Filter ICMP Packets

     
    Posted 08-01-2016 07:11

    Hi, 

     

    How does your LAN traffic reach the Internet? Is there any NAT, and what is the NAT pool: the interface address or a separate NAT pool?

    Ping from the LAN to the Internet most probably stopped because the return ICMP packets [echo replies] are not reaching the LAN hosts [term 4].

     

    Adding a term to allow "icmp-type echo-reply" will still not allow any hosts to ping the public IP interface, as a host trying to ping the public IP interface would send an ICMP echo-request, and normally an ICMP echo-reply would be sent back as the reply.

     

    As such, you could as well implement output filters to block outgoing echo-replies, or other ICMP types used for reconnaissance such as timestamp-reply, mask-reply, info-reply, etc., from leaving the public IP interface.

     

    For the LAN hosts to be able to ping Internet, the return ICMP packets need to be allowed through.

     

    Cheers,

    Ashvin



  • 8.  RE: Filter ICMP Packets
    Best Answer

    Posted 08-02-2016 20:10

     

     

     

    Hey guys, I'm back.

    I got the solution to this case.

    The problem was the reply and the ICMP session.

    I used the command "set security flow sync-icmp-session", because this command does not inspect the reply; when I start the ping from the LAN (trust), the reply comes in the same session, and I configured the ICMP echo-request to drop all connections from the Internet.
    With the session open, the reply will not be dropped.

    The secret was the command to allow the ICMP inspection and dropping the ICMP echo-request in term 4.

    Thanks to everyone that helped me.

     

    set firewall family inet filter [filter_bla_bla] term 4 from protocol icmp
    set firewall family inet filter [filter_bla_bla] term 4 from protocol icmp6
    set firewall family inet filter [filter_bla_bla] term 4 from icmp-type echo-request
    set firewall family inet filter [filter_bla_bla] term 4 then reject

    set security flow sync-icmp-session
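
    The configuration below is an added example written for this thread, not the original poster's configuration, and it covers only the firewall-filter part of the fix. It expands the accepted answer (term 4 restricted to echo-request) together with the ordering point from the earlier replies (the term that lets echo-replies through must come before the term that drops ICMP), and it goes a bit beyond the thread in three ways: the repeated source-address lines become prefix-lists, the drop terms use discard rather than reject (reject answers the sender with an ICMP error, which tells a scanner the address is alive and filtered), and the drop terms get counters so the filter can be verified. The "protocol icmp6" match from the thread is left out, since an IPv4 ping is plain ICMP. The filter name, the prefix-list names and the RFC 5737 addresses (203.0.113.x, 198.51.100.10) are placeholders; ge-0/0/9 is the untrust interface from the thread. The filter is stateless and sees the return traffic of LAN sessions too, which is exactly why the last drop term matches echo-request only: echo-reply, and other ICMP such as fragmentation-needed, then falls through to the final accept term and is handled by the stateful security policy.

    ```junos
    /* Added example for this thread, not the original poster's configuration.
       Names (untrust-in, mgmt-hosts, my-public-ip) and the RFC 5737 addresses
       are placeholders; ge-0/0/9 is the untrust interface from the thread. */
    policy-options {
        /* the only sources allowed to ssh to, or ping, the SRX itself */
        prefix-list mgmt-hosts {
            203.0.113.10/32;
            203.0.113.11/32;
        }
        prefix-list my-public-ip {
            198.51.100.10/32;
        }
    }
    firewall {
        family inet {
            /* terms are evaluated top to bottom, first match wins; the filter is
               stateless, so echo-replies of LAN sessions are evaluated here too */
            filter untrust-in {
                term mgmt-ssh {
                    from {
                        source-prefix-list {
                            mgmt-hosts;
                        }
                        destination-prefix-list {
                            my-public-ip;
                        }
                        protocol tcp;
                        destination-port ssh;
                    }
                    then accept;
                }
                term mgmt-ping {
                    from {
                        source-prefix-list {
                            mgmt-hosts;
                        }
                        destination-prefix-list {
                            my-public-ip;
                        }
                        protocol icmp;
                        icmp-type echo-request;
                    }
                    then accept;
                }
                /* discard is silent; reject would answer the scanner with an ICMP error */
                term drop-other-ssh {
                    from {
                        destination-prefix-list {
                            my-public-ip;
                        }
                        protocol tcp;
                        destination-port ssh;
                    }
                    then {
                        count unsolicited-ssh;
                        discard;
                    }
                }
                /* echo-request only: echo-reply (and ICMP such as fragmentation-needed)
                   does not match here and falls through to the final accept */
                term drop-other-echo-request {
                    from {
                        protocol icmp;
                        icmp-type echo-request;
                    }
                    then {
                        count unsolicited-echo;
                        discard;
                    }
                }
                /* everything else is left to the stateful security policy */
                term allow-rest {
                    then accept;
                }
            }
        }
    }
    interfaces {
        ge-0/0/9 {
            unit 0 {
                family inet {
                    filter {
                        input untrust-in;
                    }
                }
            }
        }
    }
    ```

    Commit it with "commit confirmed" as the thread does, then ping 8.8.8.8 from a LAN host and ping the public address from an address that is not in mgmt-hosts: "show firewall filter untrust-in" should show the unsolicited-echo counter increasing only for the second test, and "show security flow session destination-prefix 8.8.8.8" should still show the LAN ping's ICMP session.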



  • 9.  RE: Filter ICMP Packets

    Posted 07-30-2016 05:00

    By applying the filter to the interface you affect ALL traffic that crosses the interface, not just the self traffic for the SRX.  Thus the return pings for any internet address are also blocked.

     

    Another approach would be to use a security policy for the junos-host zone, which then applies only to traffic with a destination address of the SRX.

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB24227
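
    The following is an added example of the junos-host approach suggested above; it is not the original poster's configuration or content from the linked KB article. It assumes a Junos release on which the junos-host zone and the global address book are available, and it uses placeholder names and the RFC 5737 range 203.0.113.0/24 for the allowed management sources; ge-0/0/9.0 is the untrust interface from the thread. host-inbound-traffic remains the first gate for traffic addressed to the SRX, and the junos-host policy is evaluated after it. Because this policy context only sees traffic that terminates on the SRX, the LAN-to-Internet pings are untouched: they are transit sessions from trust to untrust, and their echo-replies are matched by the stateful session rather than by a filter term. The deny policy is deliberately limited to the ping and ssh applications rather than "any", because the thread mentions VPNs terminating on this box; whether other self-traffic such as IKE would otherwise fall under the default policy once a junos-host policy exists is release dependent, so verify the VPNs still come up under "commit confirmed".

    ```junos
    /* Added example of the junos-host approach, not the original poster's configuration.
       Names and the RFC 5737 address are placeholders; assumes a Junos release with
       the junos-host zone and the global address book. */
    security {
        address-book {
            global {
                address mgmt-hosts 203.0.113.0/24;
            }
        }
        zones {
            security-zone untrust {
                interfaces {
                    ge-0/0/9.0 {
                        /* still required: host-inbound-traffic is checked before the
                           junos-host policy for traffic addressed to the SRX itself */
                        host-inbound-traffic {
                            system-services {
                                ping;
                                ssh;
                            }
                        }
                    }
                }
            }
        }
        policies {
            /* only traffic terminating on the SRX reaches this context; LAN to Internet
               pings are trust-to-untrust transit sessions and are not affected */
            from-zone untrust to-zone junos-host {
                policy mgmt-to-srx {
                    match {
                        source-address mgmt-hosts;
                        destination-address any;
                        application [ junos-ping junos-ssh ];
                    }
                    then {
                        permit;
                    }
                }
                /* kept narrow on purpose (see lead-in): deny ping and ssh from everyone
                   else and log the attempt, without touching other self-traffic */
                policy deny-other-ping-ssh {
                    match {
                        source-address any;
                        destination-address any;
                        application [ junos-ping junos-ssh ];
                    }
                    then {
                        deny;
                        log {
                            session-init;
                        }
                    }
                }
            }
        }
    }
    ```

    After "commit confirmed", "show security policies from-zone untrust to-zone junos-host" confirms the order of the two policies, and a ping to the public address from outside mgmt-hosts should be denied while a LAN host's ping to 8.8.8.8 keeps working without any filter on the interface.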



  • 10.  RE: Filter ICMP Packets

     
    Posted 07-30-2016 06:02

    Hi, 

     

     

    You could as well allow selected icmp-types in the firewall filter if the objective is to filter icmp traffic to that interface.

    For instance, allow icmp-type echo-reply, which will allow all return ICMP echo-reply packets.

    set firewall family inet filter [filter_bla_bla] term 2_1 from protocol icmp
    set firewall family inet filter [filter_bla_bla] term 2_1 from icmp-type echo-reply
    set firewall family inet filter [filter_bla_bla] term 2_1 then accept

    However, firewall filters are stateless, while the SRX security policies are stateful.

    With security policies you would not have to worry about explicitly allowing return traffic.

     

    Cheers,

    Ashvin



  • 11.  RE: Filter ICMP Packets

    Posted 07-31-2016 18:09

    Hi Ashvin0,

     

    I did, but it is not working:

     

    set firewall family inet filter [filter_bla_bla] term 2 from source-address [public ip]
    set firewall family inet filter [filter_bla_bla] term 2 from source-address [public ip]
    set firewall family inet filter [filter_bla_bla] term 2 from destination-address [my public ip]
    set firewall family inet filter [filter_bla_bla] term 2 from protocol icmp
    set firewall family inet filter [filter_bla_bla] term 2 from icmp-type echo-reply
    set firewall family inet filter [filter_bla_bla] term 2 then accept

     

    When I did "commit confirmed 2" (for example), my ping from the LAN to the Internet stopped:

     

    Reply from 8.8.8.8: bytes=32 time=10ms TTL=57
    Reply from 8.8.8.8: bytes=32 time=10ms TTL=57
    Reply from 8.8.8.8: bytes=32 time=10ms TTL=57
    Reply from 8.8.8.8: bytes=32 time=10ms TTL=57
    Reply from 192.168.24.1: Destination net unreachable.
    Reply from 192.168.24.1: Destination net unreachable.
    Reply from 192.168.24.1: Destination net unreachable.
    Reply from 192.168.24.1: Destination net unreachable.

     

    Someone have another idea?

     

    By the way, the firewall rules are any/any; I mean, I don't have a policy to drop this connection. The policy is not the problem.