SRX Services Gateway

lo0 filter vs junos-host zone: SSH still permitted

10-19-2014 07:33 AM

Edit: apologies, cleaned up the terrible formatting in this post.
I'm stumped and could use some help. I would like my lo0 management filter to be honored before junos-host self-traffic policy lookups. Furthermore, I can't understand what junos-host self-traffic policy is even permitting this flow.

I'm finding that SSH is still permitted to an Internet-facing interface despite the following:

-Tried and true lo0 filter and prefix-list that I've triple checked (and use on many other SRXs)

-No security policies referencing junos-host on this SRX cluster at all

-Default device security policy is unchanged. From "show security policies" output first line: Default policy: deny-all


Some additional details

-Default explicit deny global policy (although I realize this is for transit traffic)

-Running 12.1X46-D15.3

-Security zone is permitting SSH for the interface and for the zone itself


Security flow traceoptions reveal that the flow is:

-Arriving on the outside zone containing the outside interface

-Destined to junos-host zone

-Action is "permitted by policy self-traffic-policy(1)"

_____________________________________
verbalicious

CCNP:R&S, JNCIS: SEC and RHCE

Re: lo0 filter vs junos-host zone: SSH still permitted

10-20-2014 04:23 PM

Hi there,

You'll need to turn off the host-inbound-traffic ssh configured on the security zone or the interface within the security zone to stop this traffic - the SSH session is terminating on the outside interface as far as the flowd module is concerned, and the loopback firewall filter won't stop this traffic.

The self-traffic-policy is just permitting things that you are allowing with host-inbound-traffic.

Hope this helps

Ben Dale
JNCIP-ENT, JNCIP-SP, JNCIP-DC, JNCIE-SEC #63
Juniper Ambassador
Follow me @labelswitcher

Re: lo0 filter vs junos-host zone: SSH still permitted

10-24-2014 12:01 PM

Thanks for your input. Some follow-up based on that:

-I removed interface-specific host-inbound protocol permit for ssh (delete security security-zone zonename interface host-inbound-traffic protocol ssh), only leaving "set security security-zone zonename host-inbound-traffic protocols ssh". Got the same result (still open to the Internet).

-If I remove it from both the zone and the zone's interface host-inbound-traffic, it stops permitting SSH altogether and doesn't honor the lo0 filter. I was able to keep myself from getting locked out using commit confirmed here.

I'll admit I'm confused here because I have a dozen other SRXs configured the way I described in my initial post and they are honoring the lo0 filter on the outside interfaces. I validate this from a VPS I own whose IP is not in the filter. Anything else I should check here?

_____________________________________
verbalicious

CCNP:R&S, JNCIS: SEC and RHCE

Re: lo0 filter vs junos-host zone: SSH still permitted

10-26-2014 03:00 PM

If you have host-inbound-traffic ssh configured at the zone level, it will be enabled for all interfaces in that zone.

If you configure any interface-specific host-inbound-traffic configuration (even for other protocols), then only the interface-based configuration will take effect (e.g. it will completely override the zone-based configuration for that interface, even if you have completely different protocols enabled).

Ben Dale
JNCIP-ENT, JNCIP-SP, JNCIP-DC, JNCIE-SEC #63
Juniper Ambassador
Follow me @labelswitcher
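The precedence rule described in this reply, shown as an added configuration example that is not from either poster: a hypothetical zone named `outside` with placeholder interfaces `ge-0/0/0.0` (Internet-facing) and `ge-0/0/1.0` (internal). The zone permits ping and ssh, but the Internet-facing interface carries its own host-inbound-traffic list, which replaces the zone list for that interface and so closes SSH on it without touching the other interface.

```junos
security {
    zones {
        security-zone outside {
            /* Zone-level services. Inherited only by interfaces in this zone
               that have NO host-inbound-traffic stanza of their own. */
            host-inbound-traffic {
                system-services {
                    ping;
                    ssh;
                }
            }
            interfaces {
                /* Placeholder Internet-facing interface. Because this interface
                   has its own host-inbound-traffic stanza, the zone list above
                   is ignored for it entirely: only ping is accepted here and the
                   zone-level ssh does NOT apply. Adding ssh here (as the original
                   post had done) is what re-opens it on this interface. */
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                    }
                }
                /* Placeholder internal interface with no stanza of its own:
                   inherits ping and ssh from the zone. */
                ge-0/0/1.0;
            }
        }
    }
}
```

Checking the result with `show security zones outside` lists the effective services per interface, which is the quickest way to see whether an interface is inheriting the zone list or overriding it.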