SRX Services Gateway

Ping allowed to the proxy-arp addresses.

‎01-07-2010 01:31 PM

Hello, I have 3 public IP addresses that respond to echo requests (ping) and I don't want to allow it. I haven't configured host-inbound-traffic for the zone or for the interface; it only blocks the ping requests that come to the IP address of the interface itself, but not to the proxy-arp addresses defined in the security nat hierarchy.

 

# show security zones security-zone WAN
interfaces {
    ge-0/0/3;
}

 

The IP address of the interface itself denies the ping request, but the other IP addresses don't :( Any ideas?

LT

Re: Ping allowed to the proxy-arp addresses.

‎01-07-2010 03:35 PM

Hi

 

You can use a firewall filter and tie it to the lo0 address. Here is a sample from my setup:

 

[edit]
root@srxa07_29# show firewall
family inet {
    filter test {
        term 1 {
            from {
                destination-address {
                    <IP of the proxy-arp IP/32>;
                }
                protocol icmp;
            }
            then {
                discard;
            }
        }
        term 2 {
            then accept;
        }
    }
}

 

Then tie this filter onto the input for lo0:

[edit]
root@srxa07_29# show interfaces lo0
unit 0 {
    family inet {
        filter {
            input test;
        }
    }
}

 

Solution
Accepted by topic author layard
‎08-26-2015 01:27 AM

Re: Ping allowed to the proxy-arp addresses.

‎01-08-2010 05:34 AM

That's what I did and it worked for me:

 

### I configured a firewall filter to block echo requests. ####

firewall {
    family inet {
        filter Block-ping {
            term block {
                from {
                    icmp-type echo-request;
                }
                then {
                    discard;
                }
            }
            term default {
                then accept;
            }
        }
    }
}

 

#### Then I applied the filter to the interface. ###

 

ge-0/0/3 {
    unit 0 {
        family inet {
            filter {
                input Block-ping;
            }
            address <my public ip address>/29;
        }
    }
}

 

:D

LT
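
A narrower variant of the accepted filter, as an added example that is not part of any post in this thread: it discards echo requests only when they are addressed to the proxy-arp addresses, so other ICMP and pings arriving on ge-0/0/3 for other destinations are unaffected. The 203.0.113.x addresses, the filter name and the counter name are constructed placeholders.

```junos
firewall {
    family inet {
        filter BLOCK-PROXY-ARP-PING {
            term drop-echo {
                from {
                    /* Constructed placeholders: list each proxy-arp address as a /32 */
                    destination-address {
                        203.0.113.10/32;
                        203.0.113.11/32;
                        203.0.113.12/32;
                    }
                    /* Pair icmp-type with protocol icmp so the term only matches ICMP */
                    protocol icmp;
                    icmp-type echo-request;
                }
                then {
                    /* Counter makes the drops visible for verification */
                    count proxy-arp-echo-dropped;
                    discard;
                }
            }
            /* Without this term the implicit final action would discard everything else */
            term allow-rest {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/3 {
        unit 0 {
            family inet {
                filter {
                    input BLOCK-PROXY-ARP-PING;
                }
            }
        }
    }
}
```

After commit, `show firewall filter BLOCK-PROXY-ARP-PING` shows whether the counter increments when one of the listed addresses is pinged from outside.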

Re: Ping allowed to the proxy-arp addresses.

‎08-25-2017 08:29 AM

I know this is bringing up an old topic, but this was an issue I came across recently and this was about the only post I found from the Googles.

I had some proxy-arp IPs responding, while others were not. From traceoptions I see that the IPs not responding were not responding because of a source NAT pool. So in order to keep the other IPs from responding I created a source pool with the address. You don't need to place a source NAT rule, just create the pool.

 

Hope this helps others out in the future. 


Re: Ping allowed to the proxy-arp addresses.

‎08-25-2017 06:23 PM
DHCP carries ping too, I think.