SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  View system connection detail.

    Posted 05-16-2017 14:40

    Dears, 

     

    I need help understanding a particular active connection on an SRX220H:

     

    admin@CPE-CONICETRIV# run show system connections              
    Active Internet connections (including servers)
    Proto Recv-Q Send-Q  Local Address                                 Foreign Address                               (state)
    tcp4       0      0  168.96.250.10.23                              110.82.104.170.40116                          ESTABLISHED
    

     

    As I see it, it's an attempt to connect through telnet. I understand that traffic to services running on the device, such as telnet, can be controlled using firewall filters on the loopback interface, so:

     

    admin@CPE# show interfaces lo0 | display set 
    set interfaces lo0 unit 0 family inet filter input acl-l0
    
    admin@CPE# show firewall family inet filter acl-l0 | display set   
    set firewall family inet filter acl-l0 term ssh-telnet-OK from source-prefix-list pl-GESTION-OK
    set firewall family inet filter acl-l0 term ssh-telnet-OK from protocol tcp
    set firewall family inet filter acl-l0 term ssh-telnet-OK from destination-port ssh
    set firewall family inet filter acl-l0 term ssh-telnet-OK from destination-port telnet
    set firewall family inet filter acl-l0 term ssh-telnet-OK then accept
    set firewall family inet filter acl-l0 term ssh-telnet-DENY from protocol tcp
    set firewall family inet filter acl-l0 term ssh-telnet-DENY from destination-port ssh
    set firewall family inet filter acl-l0 term ssh-telnet-DENY from destination-port telnet
    set firewall family inet filter acl-l0 term ssh-telnet-DENY then log
    set firewall family inet filter acl-l0 term ssh-telnet-DENY then reject
    ...
    ## other terms related to SNMP, BGP, and so on. ...
    set firewall family inet filter acl-l0 term default-term then accept

    admin@CPE# show policy-options prefix-list pl-GESTION-OK | display set
    set policy-options prefix-list pl-GESTION-OK 10.0.0.0/8
    set policy-options prefix-list pl-GESTION-OK 168.96.0.0/16
    set policy-options prefix-list pl-GESTION-OK 200.10.202.0/24

    As you can see, the IP 110.82.104.170 is not in pl-GESTION-OK, the prefix list with the trusted networks, but it still appears as an ESTABLISHED telnet connection. Is there some wrong configuration, or am I understanding the output of the "show system connections" command incorrectly?

     

    Many thanks!

    Regards,

    Marcelo.
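The check behind the question above, added here as an example and not part of the original post: parse the `show system connections` table and the `display set` form of a prefix-list, then flag any established SSH/telnet session whose peer falls outside the trusted prefixes. The connection rows and prefix-list lines below are constructed from the post (a benign SSH session from 10.0.10.1 and the telnet listener are added for contrast); the function and variable names are this example's own. One caveat worth keeping in mind when reading the result: a `lo0` input filter is stateless and evaluated per packet, so a socket the kernel still reports as ESTABLISHED is not by itself proof that the filter let traffic through after the commit. The authoritative evidence is the filter's own log (`show firewall log`) and, if a `count` action is added to the DENY terms, the counters in `show firewall filter acl-l0`.

```python
"""Audit 'show system connections' against a Junos prefix-list.

Added example, not from the original thread. The connection table and the
prefix-list lines are constructed from the post above.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample output of 'show system connections' (Junos/BSD format:
# the port is appended to the address after a final dot; '*' is a wildcard).
SAMPLE_CONNECTIONS = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  168.96.250.10.23       110.82.104.170.40116   ESTABLISHED
tcp4       0      0  168.96.250.10.22       10.0.10.1.51544        ESTABLISHED
tcp4       0      0  *.23                   *.*                    LISTEN
"""

# Constructed sample of 'show policy-options prefix-list ... | display set'.
SAMPLE_PREFIX_LIST = """\
set policy-options prefix-list pl-GESTION-OK 10.0.0.0/8
set policy-options prefix-list pl-GESTION-OK 168.96.0.0/16
set policy-options prefix-list pl-GESTION-OK 200.10.202.0/24
"""

# Management ports the lo0 filter in the post restricts.
MGMT_PORTS = {22: "ssh", 23: "telnet"}


@dataclass(frozen=True)
class Conn:
    proto: str
    local_ip: str
    local_port: Optional[int]
    remote_ip: str
    remote_port: Optional[int]
    state: str


def split_endpoint(endpoint: str) -> tuple[str, Optional[int]]:
    """'168.96.250.10.23' -> ('168.96.250.10', 23); '*.*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(".")
    return host, (None if port == "*" else int(port))


def parse_connections(text: str) -> list[Conn]:
    """Parse the TCP rows; UDP rows have no state column and are skipped."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        proto, _recvq, _sendq, local, foreign, state = fields[:6]
        lip, lport = split_endpoint(local)
        rip, rport = split_endpoint(foreign)
        conns.append(Conn(proto, lip, lport, rip, rport, state))
    return conns


def parse_prefix_list(set_config: str, name: str) -> list[ipaddress.IPv4Network | ipaddress.IPv6Network]:
    """Collect the prefixes of one named prefix-list from 'display set' output."""
    pattern = re.compile(rf"^set policy-options prefix-list {re.escape(name)} (\S+)$")
    nets = []
    for line in set_config.splitlines():
        m = pattern.match(line.strip())
        if m:
            nets.append(ipaddress.ip_network(m.group(1), strict=False))
    return nets


def is_trusted(ip: str, nets) -> bool:
    """True when the address falls inside any prefix of the list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def audit(connections: str, set_config: str, prefix_list: str) -> list[Conn]:
    """Return established management sessions whose peer is outside the prefix-list.

    Only non-listening TCP sockets on a management port with a concrete peer
    address are checked; listeners ('*.*' peer) carry no peer to evaluate.
    """
    trusted = parse_prefix_list(set_config, prefix_list)
    return [
        c for c in parse_connections(connections)
        if c.local_port in MGMT_PORTS
        and c.state != "LISTEN"
        and c.remote_ip != "*"
        and not is_trusted(c.remote_ip, trusted)
    ]


if __name__ == "__main__":
    for c in audit(SAMPLE_CONNECTIONS, SAMPLE_PREFIX_LIST, "pl-GESTION-OK"):
        print(f"{MGMT_PORTS[c.local_port]} {c.state} from {c.remote_ip}:{c.remote_port} "
              f"to {c.local_ip} is outside pl-GESTION-OK")
```

Run against the sample, the audit reports exactly the telnet session from 110.82.104.170 and leaves the SSH session from 10.0.10.1 (inside 10.0.0.0/8) alone. On a real box, feed it the raw output of `show system connections` and `show policy-options prefix-list <name> | display set`.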

     

     



  • 2.  RE: View system connection detail.

    Posted 05-17-2017 01:45

    Hi Marcelo,

     

    Thanks for posting your query here.

     

    I looked through the snippet of your configuration and it looks fine; it should work as you expect, i.e. block telnet connections from a source not listed in the firewall filter.

     

    But somehow this seems not to be working in your case. To investigate, could you please provide the information below:

     

    • The software version running on the SRX
    • The configuration from the SRX (if possible)
    • Flow traceoptions for the traffic that should not be working

    Configuration for flow traceoptions:

    set security flow traceoptions file Telnet-test size 1m files 5
    set security flow traceoptions flag basic-datapath
    set security flow traceoptions flag packet-drops
    set security flow traceoptions packet-filter pf1 source-prefix <source_ip> destination-prefix <dest_ip>
    set security flow traceoptions packet-filter pf2 source-prefix <source_ip> destination-prefix <dest_ip>

    (pf2 is for tracing the reverse traffic, so please use the NATed IP addresses for source and destination, if any.)

     

    You can view the above logs with the help of the command "show log Telnet-test".

     

    Awaiting your response.

     

    Thanks and Regards,
    Pulkit Bhandari

     



  • 3.  RE: View system connection detail.

     
    Posted 05-18-2017 18:14

    Hi, 

     

    Just wondering if unit 0 is the only logical unit configured on loopback.

    If additional logical units are configured on loopback and used in different routing-instances, each of the logical units should have an equivalent protection firewall filter to protect the RE.

     

    Cheers,

    Ashvin



  • 4.  RE: View system connection detail.

    Posted 05-22-2017 08:15

    Dears,

     

    Thanks a lot for your replies.

     

    One day after applying the changes, I stopped seeing this entry in "system connections", and no other entries that conflicted with the defined firewall filter. However, this is the current config:

     

    set version 12.1X44.3
    set system host-name CPE
    set system domain-name IRED-red.net
    set system time-zone America/Buenos_Aires
    set system root-authentication encrypted-password "$1$HQmnl5eZ$/CPQPTtXxyufs1abUgwalh0"
    set system name-server 172.16.20.3
    set system login user admin uid 2002
    set system login user admin class super-user
    set system login user admin authentication encrypted-password "$1$Nxg546oG$Q.hdXn8Y3.qqurrxeCG5LT1"
    set system services ssh connection-limit 2
    set system services ssh rate-limit 1
    set system services telnet connection-limit 5
    set system syslog archive size 100k
    set system syslog archive files 3
    set system syslog user * any emergency
    set system syslog host 192.168.1.2 any info
    set system syslog host 192.168.1.2 source-address 10.0.199.5
    set system syslog file messages any critical
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands error
    set system archival configuration transfer-on-commit
    set system archival configuration archive-sites "ftp://user:pass@192.168.1.2:21/CPE"
    set interfaces ge-0/0/0 description TRUNK-PROVB-ESMD
    set interfaces ge-0/0/0 unit 0 description TRUNK-PROVB-ESMD
    set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode trunk
    set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members CTE-I1-RI
    set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members CTE-QINQ0
    set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members WAN-GL-BACK
    set interfaces ge-0/0/1 description TRUNK-PROVA-GL
    set interfaces ge-0/0/1 unit 0 description TRUNK-PROVA-GL
    set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode trunk
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members WAN-GL-BACK
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members GESTION
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members CTE-I1-RI
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members PRUEBA
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members CTE-QINQ0
    set interfaces ge-0/0/2 description LAN-CTE
    set interfaces ge-0/0/2 unit 0 description LAN-CTE
    set interfaces ge-0/0/2 unit 0 family inet filter input Pmode
    set interfaces ge-0/0/2 unit 0 family inet filter output Pmode
    set interfaces ge-0/0/2 unit 0 family inet policer input rl-35m
    set interfaces ge-0/0/2 unit 0 family inet policer output rl-35m
    set interfaces ge-0/0/2 unit 0 family inet address 192.168.250.10/27
    set interfaces ge-0/0/3 description PaP-RVD-GL
    set interfaces ge-0/0/3 unit 0 description PaP-RVD-GL
    set interfaces ge-0/0/3 unit 0 family ethernet-switching port-mode trunk
    set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members CTE-QINQ0
    set interfaces ge-0/0/3 unit 0 family ethernet-switching native-vlan-id 720
    set interfaces ge-0/0/4 description PaP-CTE-MCTCBA-1Mbps
    set interfaces ge-0/0/4 unit 0 description PaP-CTE-MCTCBA-1Mbps
    set interfaces ge-0/0/4 unit 0 family ethernet-switching port-mode access
    set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members CTE-MCTCBA
    set interfaces ge-0/0/5 unit 0
    set interfaces ge-0/0/6 disable
    set interfaces ge-0/0/6 unit 0
    set interfaces ge-0/0/7 unit 0
    set interfaces lo0 unit 0 family inet filter input acl-l0
    set interfaces lo0 unit 0 family inet address 10.0.199.4/32
    set interfaces vlan unit 502 family inet address 10.0.10.250/29
    set interfaces vlan unit 800 family inet filter input-list Pmode
    set interfaces vlan unit 800 family inet address 10.0.10.3/29
    set snmp community publ1c authorization read-only
    set routing-options static route 192.168.1.15/32 next-hop 10.0.10.1
    set protocols rsvp disable
    set protocols bgp family inet unicast
    set protocols bgp local-as 65001
    set protocols bgp group IRED type external
    set protocols bgp group IRED family inet unicast
    set protocols bgp group BBONE type internal
    set protocols bgp group BBONE family inet unicast
    set protocols bgp group BBONE neighbor 10.0.10.1 description PEER-RI
    set protocols bgp group BBONE neighbor 10.0.10.1 local-address 10.0.10.3
    set protocols bgp group BBONE neighbor 10.0.10.1 export CTE-export-bgp
    set protocols bgp group BBONE neighbor 10.0.10.1 peer-as 65001
    set protocols bgp group BBONE neighbor 10.0.10.2 description PEER-INTNET
    set protocols bgp group BBONE neighbor 10.0.10.2 local-address 10.0.10.3
    set protocols bgp group BBONE neighbor 10.0.10.2 export CTE-export-bgp
    set protocols bgp group BBONE neighbor 10.0.10.2 peer-as 65001
    set protocols bgp group GL type internal
    set protocols bgp group GL family inet unicast
    set protocols stp disable
    set protocols rstp bridge-priority 8k
    set protocols rstp interface ge-0/0/0.0 cost 100
    set protocols rstp interface ge-0/0/1.0 cost 150
    set protocols rstp interface ge-0/0/3.0 edge
    set protocols rstp interface ge-0/0/4.0 edge
    set policy-options prefix-list pl-BGP-OK 10.0.0.0/8
    set policy-options prefix-list pl-BGP-OK 192.168.0.0/16
    set policy-options prefix-list pl-BGP-OK 172.16.20.0/24
    set policy-options prefix-list pl-GESTION-OK 10.0.0.0/8
    set policy-options prefix-list pl-GESTION-OK 192.168.0.0/16
    set policy-options prefix-list pl-GESTION-OK 172.16.20.0/24
    set policy-options prefix-list pl-SNMP-OK 192.168.1.0/26
    set policy-options prefix-list pl-SNMP-OK 172.16.20.0/26
    set policy-options policy-statement CTE-export-bgp term 1 from route-filter 192.168.250.0/27 exact
    set policy-options policy-statement CTE-export-bgp term 1 then accept
    set policy-options policy-statement CTE-export-bgp term 2 from protocol direct
    set policy-options policy-statement CTE-export-bgp term 2 from route-filter 10.0.199.4/32 exact
    set policy-options policy-statement CTE-export-bgp term 2 then accept
    set policy-options policy-statement CTE-export-bgp then reject
    set policy-options policy-statement rm-nada term unico then reject
    set security forwarding-options family mpls mode packet-based
    set firewall family inet filter Pmode term main then packet-mode
    set firewall family inet filter Pmode term main then accept
    set firewall family inet filter 97-VTY term T1 from source-address 192.168.1.0/26
    set firewall family inet filter 97-VTY term T1 from protocol tcp
    set firewall family inet filter 97-VTY term T1 from destination-port telnet
    set firewall family inet filter 97-VTY term T1 from destination-port ssh
    set firewall family inet filter 97-VTY term T1 then accept
    set firewall family inet filter acl-l0 term ssh-telnet-OK from source-prefix-list pl-GESTION-OK
    set firewall family inet filter acl-l0 term ssh-telnet-OK from protocol tcp
    set firewall family inet filter acl-l0 term ssh-telnet-OK from destination-port ssh
    set firewall family inet filter acl-l0 term ssh-telnet-OK from destination-port telnet
    set firewall family inet filter acl-l0 term ssh-telnet-OK then accept
    set firewall family inet filter acl-l0 term ssh-telnet-DENY from protocol tcp
    set firewall family inet filter acl-l0 term ssh-telnet-DENY from destination-port ssh
    set firewall family inet filter acl-l0 term ssh-telnet-DENY from destination-port telnet
    set firewall family inet filter acl-l0 term ssh-telnet-DENY then log
    set firewall family inet filter acl-l0 term ssh-telnet-DENY then reject
    set firewall family inet filter acl-l0 term snmp-OK from source-prefix-list pl-SNMP-OK
    set firewall family inet filter acl-l0 term snmp-OK from protocol udp
    set firewall family inet filter acl-l0 term snmp-OK from port 161
    set firewall family inet filter acl-l0 term snmp-OK from port 162
    set firewall family inet filter acl-l0 term snmp-DENY from protocol udp
    set firewall family inet filter acl-l0 term snmp-DENY from port 161
    set firewall family inet filter acl-l0 term snmp-DENY from port 162
    set firewall family inet filter acl-l0 term snmp-DENY then reject
    set firewall family inet filter acl-l0 term bgp-OK from source-prefix-list pl-BGP-OK
    set firewall family inet filter acl-l0 term bgp-OK from destination-prefix-list pl-BGP-OK
    set firewall family inet filter acl-l0 term bgp-OK from protocol tcp
    set firewall family inet filter acl-l0 term bgp-OK from port 179
    set firewall family inet filter acl-l0 term bgp-OK then accept
    set firewall family inet filter acl-l0 term bgp-DENY from protocol tcp
    set firewall family inet filter acl-l0 term bgp-DENY from port 179
    set firewall family inet filter acl-l0 term bgp-DENY then log
    set firewall family inet filter acl-l0 term bgp-DENY then reject
    set firewall family inet filter acl-l0 term default-term then accept
    set firewall policer rl-35m if-exceeding bandwidth-limit 35m
    set firewall policer rl-35m if-exceeding burst-size-limit 46437500
    set firewall policer rl-35m then discard
    set firewall policer rl-100m if-exceeding bandwidth-limit 100m
    set firewall policer rl-100m if-exceeding burst-size-limit 18750000
    set firewall policer rl-100m then discard
    set vlans CTE-I1-RI vlan-id 800
    set vlans CTE-I1-RI l3-interface vlan.800
    set vlans CTE-MCTCBA vlan-id 725
    set vlans CTE-QINQ0 vlan-id 720
    set vlans GESTION vlan-id 378
    set vlans PRUEBA vlan-id 17
    set vlans PRUEBA2 vlan-id 18
    set vlans WAN-GL-BACK vlan-id 502
    set vlans WAN-GL-BACK l3-interface vlan.502
    set vlans WAN-GL-PRIM vlan-id 501

    *I changed the real IPs and ASN; where it says 192.168.xx.xx it is actually an IP or subnet of a public /16, and where it says 172.16.20.xx, an IP or subnet of a public /24.

     

    I think that maybe these connections were established before the filter was applied, and that's why they remained active. Does that make sense?

     

    I will consider your suggestion of tracing the data flow, thanks!

     

    Regards,

    Marcelo.



  • 5.  RE: View system connection detail.
    Best Answer

    Posted 05-28-2017 05:01

    Yes, likely the connection was established before the filter was applied.

     

    You may also find this free publication helpful.  Chapter 5 reviews all the recommended security settings on a Junos device.

     

    http://forums.juniper.net/t5/Day-One-Books/Day-One-Finishing-Junos-Deployments/ba-p/272763