SRX Services Gateway

IP-Blacklist apply to all interface

01-12-2017 04:12 PM

Hi all,

There are some IP lists with thousands of small subnets I wish to block on all subnets from accessing my gateway to the internet.

What I want is that I don't want to see all those subnets in the config, otherwise it would be a needle in a haystack.

I know that the blocking should be done in the zones/policy or with a filter drop on the interfaces. But these will appear in the config.

 

I want to know if it's possible to block all the IP addresses in a text file?

thank you!!!


Re: IP-Blacklist apply to all interface

01-12-2017 11:09 PM

I can help you with this trick. I would say there are options to hide part of the configuration when running the command "show configuration". This can be achieved with the config knob "apply-flags omit" (tried on an MX box).

This will actually omit the hierarchy you want to omit, so it is not seen with "show configuration". In your case it would be the firewall or policy hierarchy [specific to your interest].

 

Simple Example:

I would like to hide this part of the config under the chassis hierarchy:

root# show chassis
aggregated-devices {
    ethernet {
        device-count 2;
    }
}
fpc 0 {
    pic 0 {
        interface-type ge;
        number-of-ports 2;
    }
    lite-mode;
}

[edit]
root#

 

Configuration Steps:

[edit]
root# set chassis apply-flags omit

[edit]
root# commit and-quit
commit complete
Exiting configuration mode

root>

 

Now we cannot see the content of the chassis hierarchy with "show configuration":

    syslog {
        user * {
            any emergency;
        }
        file messages {
            any any;
            authorization info;
            archive size 10m files 10;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}
chassis { /* OMITTED */ };               <<<<<<<
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 55.55.55.2/30;
            }
        }
    }
}

 

To display all configuration statements (including those marked as hidden by the apply-flags omit configuration statement):

root> show configuration | display omit
<snipped>
chassis {
    apply-flags omit;
    aggregated-devices {
        ethernet {
            device-count 2;
        }
    }
    fpc 0 {
        pic 0 {
            interface-type ge;
            number-of-ports 2;
        }
        lite-mode;
    }
}
<snipped>

 

However, you can see the configuration by polling the exact hierarchy, as below, and it will be shown:

root> show configuration chassis
apply-flags omit;
aggregated-devices {
    ethernet {
        device-count 2;
    }
}
fpc 0 {
    pic 0 {
        interface-type ge;
        number-of-ports 2;
    }
    lite-mode;
}

root>

 

https://www.juniper.net/documentation/en_US/junos12.3/topics/reference/command-summary/show-pipe-dis...

 

Hopefully it meets your requirement!

-Python JNCIE 3X [SP|DC|ENT] JNCIP-SEC JNCDS 3X [ WAN | DC|SEC] JNCIS-Cloud JNCIS-DevOps CCIP ITIL
#Please mark my solution as accepted if it helped, Kudos are appreciated as well.
Re: IP-Blacklist apply to all interface

01-15-2017 06:27 PM

Neat trick Python!! You could hide the prefix-list and groups or the martians using Python's trick!!!

set groups TKI interfaces <ge-*> unit <*> family inet filter input TK1
set apply-groups TKI

set policy-options prefix-list TK1 15.10.1.0/26
set policy-options prefix-list TK1 16.10.1.0/26
set policy-options prefix-list TK1 168.10.1.0/26

set firewall family inet filter TK1 term 1 from prefix-list TK1
set firewall family inet filter TK1 term 1 then discard
set firewall family inet filter TK1 term 2 then accept

user@srxD300# show interfaces | display inheritance
ge-0/0/0 {
    description "MGMT Interface - DO NOT DELETE";
    unit 0 {
        family inet {
            ##
            ## 'filter' was inherited from group 'TKI'
            ##
            filter {
                ##
                ## 'input' was inherited from group 'TKI'
                ## 'TK1' was inherited from group 'TKI'
                ##
                input TK1;
            }
            address 192.168.1.138/24;
        }
    }
}

=================================================

set routing-options martians 15.10.1.0/26 exact
set routing-options martians 16.10.1.0/26 exact
set routing-options martians 168.10.1.0/26 exact

[KUDOS PLEASE! If you think I earned it!
If this solution worked for you, please flag my post as an "Accepted Solution" so others can benefit.]
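Putting the two replies together for the original question, as an added example that is not from either poster: the prefix list is generated from the text file and loaded with `load set`, the prefix-list hierarchy is marked `apply-flags omit` (Python's trick) so the thousands of entries stay out of the plain `show configuration` output, and a single filter is pushed to every ge-* interface through a wildcard group, as in the second reply. All names (BLOCKLIST, BLOCKLIST-IN, BLOCKLIST-ALL, the blocklist-hits counter and /var/tmp/blocklist.set) are my own assumptions, and the three prefixes are constructed RFC 5737 documentation ranges. The `##` lines are explanation for the reader; strip them before loading the file with `load set`.

```junos
## Added example, not from the thread. Names and file path are assumptions.
##
## 1. Build the set-format file offline from the plain text list (one prefix per line):
##      awk '{print "set policy-options prefix-list BLOCKLIST " $1}' blocklist.txt > blocklist.set
##    copy blocklist.set to /var/tmp on the SRX, then in configuration mode:
##      load set /var/tmp/blocklist.set
##
## Constructed contents of /var/tmp/blocklist.set (RFC 5737 ranges stand in for the real list):
set policy-options prefix-list BLOCKLIST 192.0.2.0/26
set policy-options prefix-list BLOCKLIST 198.51.100.64/26
set policy-options prefix-list BLOCKLIST 203.0.113.128/26

## 2. Keep the (long) list out of a bare "show configuration"
set policy-options prefix-list BLOCKLIST apply-flags omit

## 3. Stateless filter: count, then drop, anything whose source or destination is on the list
set firewall family inet filter BLOCKLIST-IN term drop-listed from prefix-list BLOCKLIST
set firewall family inet filter BLOCKLIST-IN term drop-listed then count blocklist-hits
set firewall family inet filter BLOCKLIST-IN term drop-listed then discard
set firewall family inet filter BLOCKLIST-IN term allow-rest then accept

## 4. Apply it as an input filter on every ge-* unit via a wildcard group (no per-interface config)
set groups BLOCKLIST-ALL interfaces <ge-*> unit <*> family inet filter input BLOCKLIST-IN
set apply-groups BLOCKLIST-ALL

commit and-quit

## 5. Checks from operational mode
## The list is collapsed in the default view but fully visible when asked for directly:
##   show configuration policy-options
##   show configuration policy-options prefix-list BLOCKLIST
##   show configuration | display omit | match BLOCKLIST
## The filter really landed on each interface, and is matching traffic:
##   show interfaces ge-0/0/0 | display inheritance | match filter
##   show firewall filter BLOCKLIST-IN
```

Two caveats before relying on this. `apply-flags omit` is cosmetic: exactly as Python's chassis example shows, `show configuration policy-options` and `show configuration | display omit` still print every prefix, and the committed configuration and the rollback files hold them in full, so treat it as tidiness for the operator, not as a way to keep the list from anyone who can read the configuration; use login class permissions for that. Also, `from prefix-list` matches when either the source or the destination address is on the list; use `source-prefix-list` if only packets coming from those subnets should be dropped. Finally, `routing-options martians` tells rpd which prefixes to ignore in its routing tables; it does not discard transit packets from those sources, so it complements the filter rather than replacing it.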