SRX Services Gateway

Firewall filter to block NTP traffic towards vlan ip

10-07-2015 06:56 AM

Here is the configuration to block NTP towards 10.16.16.0/24 subnet.

set interfaces vlan unit 16 family inet filter output NTP
set firewall family inet filter NTP term allow-ntp from source-address 10.11.12.15/32
set firewall family inet filter NTP term allow-ntp from source-address 10.11.12.16/32
set firewall family inet filter NTP term allow-ntp from protocol udp
set firewall family inet filter NTP term allow-ntp then accept
set firewall family inet filter NTP term block-ntp from destination-address 10.16.16.0/24
set firewall family inet filter NTP term block-ntp from protocol udp
set firewall family inet filter NTP term block-ntp from destination-port ntp
set firewall family inet filter NTP term block-ntp then discard
set firewall family inet filter NTP term default then accept


show interfaces terse vlan.16
Interface               Admin Link Proto    Local                 Remote
vlan.16                 up    up   inet     10.16.16.1/24


show interfaces terse vlan.12
Interface               Admin Link Proto    Local                 Remote
vlan.12                 up    up   inet     10.11.12.1/24

I'm testing using nmap from 10.11.12.20 for port 123 on devices in the 10.16.16.0/24 subnet. Everything is working fine as expected, but for my device IP (i.e. 10.16.16.1) nmap is showing port 123 as not filtered, whereas it is expected to show as filtered.

Eg: (Expected)
PORT    STATE         SERVICE
123/udp open|filtered ntp

Issue:
PORT    STATE         SERVICE
123/udp open              ntp


Thanks for any inputs.

Regards,
Chandu


Re: Firewall filter to block NTP traffic towards vlan ip

10-07-2015 08:27 AM

Hi,


Pretty sure as your filter is on the output it is never getting hit with traffic destined to the box itself (10.16.16.1). Once the forward lookup happens, this traffic will get sent to the Routing Engine instead of being passed by the PFE and then processed by your output filter.


Try applying it as an input on vlan.12 as a quick test.

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]

Re: Firewall filter to block NTP traffic towards vlan ip

10-07-2015 08:22 PM

Try applying it as an input on vlan.12 as a quick test.

>> I have some 40-45 VLANs through which the traffic can come from and go to vlan.16 for the mentioned port. So according to your input, should I apply it on all those VLANs?


Would there be any global policy to assist with this? The device is an EX2200 switch acting as a router.


Thanks in advance for any inputs.


Regards,

Chandu


Re: Firewall filter to block NTP traffic towards vlan ip

10-07-2015 10:20 PM

Hi,

Have a look at the loopback interface or the junos-host zone.

http://www.juniper.net/documentation/en_US/junos13.2/topics/concept/firewall-filter-stateless-basic-...

http://forums.juniper.net/t5/SRX-Services-Gateway/JUNOS-HOST-zone-vs-lo0-filter/td-p/146916

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]
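The loopback approach MMcD points to, written out as an added example that is not from the thread: the filter is applied as an input filter on lo0.0, where it sees every packet addressed to the Routing Engine regardless of which VLAN it arrived on, so it does not need to be repeated on 40-45 interfaces. The filter and counter names are made up; the NTP server and subnet addresses are the ones from the original post.

```junos
set firewall family inet filter PROTECT-RE term allow-ntp-servers from source-address 10.11.12.15/32
set firewall family inet filter PROTECT-RE term allow-ntp-servers from source-address 10.11.12.16/32
set firewall family inet filter PROTECT-RE term allow-ntp-servers from protocol udp
set firewall family inet filter PROTECT-RE term allow-ntp-servers from destination-port ntp
set firewall family inet filter PROTECT-RE term allow-ntp-servers then accept
set firewall family inet filter PROTECT-RE term block-ntp from protocol udp
set firewall family inet filter PROTECT-RE term block-ntp from destination-port ntp
set firewall family inet filter PROTECT-RE term block-ntp then count ntp-blocked
set firewall family inet filter PROTECT-RE term block-ntp then discard
set firewall family inet filter PROTECT-RE term default then accept
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
```

The final accept term matters: an lo0 input filter also carries management and routing-protocol traffic to the RE, so without it committing the filter would lock those out. After the commit, `show firewall filter PROTECT-RE` shows the ntp-blocked counter incrementing while the nmap probe against 10.16.16.1 returns open|filtered, because discard drops the packet silently.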