SRX Services Gateway

Traffic making it past stateless filters

08-09-2012 11:07 AM

I'm trying to figure out why my SRX3600 is letting traffic pass by the stateless filters.  I've got one filter configured on my interface that's connected to the 'untrust' zone (in my case, the 'out-inet' zone):

    ge-0/0/11 {
        description r1:ge-0/1/2;
        enable;
        vlan-tagging;
        unit 1 {
            vlan-id 1;
            family inet {
                mtu 1500;
                filter {
                    input block-common;
                }
                address x.x.x.10/30;
            }
        }
    }

It's a simple filter:

        filter block-common {
            term 0-allow_local {
                from {                  
                    source-prefix-list {
                        ACCESS-common-subnets;
                    }
                }
                then accept;
            }
            term 10-block_common {
                from {
                    protocol udp;
                    destination-port [ 135 137 138 139 445 4444 1433-1434 ];
                }
                then {
                    count common-ports;
                    discard;
                }
            }
            term 20-block_tcp {
                from {
                    protocol tcp;
                }
                then {
                    count tcp-attempts;
                    discard;
                }
            }
            term 1000-implicit_allow {
                then accept;
            }
        }

One of the results of the filter above is that it's supposed to block all TCP traffic, except for that which is coming from IPs configured in my 'ACCESS-common-subnets' prefix-list.  The problem is, I'm still seeing TCP traffic hitting the 'screen' I've configured:

1 2012-08-09T13:54:45.745 fw1 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.34 attack-name="Port scan!" source-address="x.x.x.54" source-port="40829" destination-address="x.x.x.1" destination-port="22" source-zone-name="out-inet" interface-name="ge-0/0/11.1" action="drop"]

I've verified that the IP address is not listed in the prefix-list that has access to bypass this filter.  It's my understanding that the stateless filters are #3 in line for processing, which occurs before passing the packet on to the screen process.  Is there something I'm missing?

SRX details: 3600 in a cluster, running 11.2R7.4.

6 REPLIES

Re: Traffic making it past stateless filters

08-10-2012 07:33 AM

Hi,

You could check this post, it might help you:

http://forums.juniper.net/t5/SRX-Services-Gateway/Default-Deny-on-SRX240/m-p/135335/highlight/true#M...

Regards,

Mohamed Elhariry
JNCIE-M/T # 1059, CCNP & CCIP


Re: Traffic making it past stateless filters

08-10-2012 07:39 AM

I'm not sure how this helps.  That post doesn't appear to be close to the same problem I'm having.


Re: Traffic making it past stateless filters

08-10-2012 10:50 AM

Let me be clearer in what I am trying to accomplish here.

I want to block all TCP traffic with the stateless filter, so that it doesn't even reach the screen or even take up any session resources in the firewall.  I also have a 'screen' configured to block various IP and UDP-based attacks, and it happens to still have TCP-based attacks configured, so as to test out the effectiveness of the stateless filter.  I am still seeing TCP traffic hitting my 'screen' even though I expect all TCP traffic to be blocked by the stateless filter.


Re: Traffic making it past stateless filters

08-10-2012 04:02 PM

Hi, can you try the following and check the filter again?

    term 20-block_tcp {
        from {
            protocol tcp;
            tcp-initial;
        }
        then {
            count tcp-attempts;
            discard;
        }
    }

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]

Re: Traffic making it past stateless filters

08-10-2012 06:52 PM

Thanks, that seems to work a lot better.  Why is just 'protocol tcp' not enough?  Now that I have 'tcp-initial' configured, do I need separate rules with other tcp-flags configured to block those as well?


Re: Traffic making it past stateless filters

08-11-2012 03:34 AM

Good question, I am mobile at the minute and cannot get you a 100% answer but I'm pretty sure the flags, tcp-initial or port etc. must be specified when using 'protocol tcp;' in a filter as above.

tcp-initial is a term used for the bits "(syn & !ack)".

You can use one rule with logical operators to specify a variety of tcp flags such as:

    user@srx# set firewall family inet filter myfilter term term1 from tcp-flags "(syn & !ack) | fin | rst"

Have a read here:

http://www.juniper.net/techpubs/en_US/junos10.0/topics/reference/requirements/firewall-filter-ex-ser...

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
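To see which TCP segments the tcp-initial shorthand and the combined tcp-flags expression from the reply above would actually select, here is an added Python model (not code from this thread or from Junos) of the tcp-flags expression syntax, evaluated over constructed sample segments; the accepted flag names, the grammar and the sample segments are assumptions.

```python
import re
# Constructed example, not Junos code: flag names the tcp-flags condition
# accepts, and the thread's definition of the tcp-initial shorthand.
FLAG_NAMES = {"fin", "syn", "rst", "push", "ack", "urgent"}
TCP_INITIAL = "(syn & !ack)"
def tcp_flags_match(expr, flags):
    """Evaluate a tcp-flags expression (!, &, |, parentheses) against the set
    of flag names set on one segment. Assumed grammar, not the Junos parser."""
    tokens = re.findall(r"[()!&|]|[a-z]+", expr.lower()) + [")"]  # sentinel
    pos = 0
    def parse_or():
        nonlocal pos
        val = parse_and()
        while tokens[pos] == "|":
            pos += 1
            val = parse_and() or val  # right side parsed first, never skipped
        return val
    def parse_and():
        nonlocal pos
        val = parse_not()
        while tokens[pos] == "&":
            pos += 1
            val = parse_not() and val
        return val
    def parse_not():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "!":
            return not parse_not()
        if tok == "(":
            val = parse_or()
            if pos >= len(tokens) - 1 or tokens[pos] != ")":
                raise ValueError("missing ')' in tcp-flags expression")
            pos += 1
            return val
        if tok not in FLAG_NAMES:
            raise ValueError("unknown tcp flag or token: " + tok)
        return tok in flags
    result = parse_or()
    if pos != len(tokens) - 1:  # everything but the sentinel must be consumed
        raise ValueError("malformed tcp-flags expression")
    return result
def matching_segments(expr, segments):
    """Names of the constructed (name, flag set) segments the term would match."""
    return [name for name, flags in segments if tcp_flags_match(expr, flags)]
# Constructed sample segments, not captured traffic.
SEGMENTS = [("syn", {"syn"}), ("syn-ack", {"syn", "ack"}), ("ack", {"ack"}),
            ("fin-ack", {"fin", "ack"}), ("rst", {"rst"}), ("push-ack", {"push", "ack"})]
```

Running matching_segments(TCP_INITIAL, SEGMENTS) selects only the bare SYN, while the thread's "(syn & !ack) | fin | rst" also selects the FIN and RST segments and still leaves SYN-ACK, ACK and PUSH-ACK untouched.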