Dear SwiNOGers
I'm new to JunOS. I like this OS so far, but I'm having a hard time securing this stuff...
Something's wrong in my JunOS filters... Basically I want to block everyone from accessing the interface on the router itself, but I want to allow traffic to pass the interface. Somehow that doesn't work. See below the (relevant) configuration parts:
interfaces {
    xe-0/1/2 {
        description blabla;
        vlan-tagging;
        unit 100 {
            description Blabla;
            vlan-id 100;
            family inet {
                filter {
                    input INTERFACE-INCOMING;
                }
                address 192.168.1.1/24;
            }
        }
    }
}

policy-options {
    prefix-list MYINTERFACE {
        192.168.1.1/32;
    }
}

firewall {
    family inet {
        filter INTERFACE-INCOMING {
            term WAN-ADDRESS {
                from {
                    destination-prefix-list {
                        MYINTERFACE;
                    }
                }
                then {
                    discard;
                }
            }
            term ALLOW-ALL {
                then accept;
            }
        }
    }
}
Anybody with a hint, why this filter doesn't actually block traffic to 192.168.1.1? I can still ping it.
Kind regards,
Viktor
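The following is an added illustration, not part of the thread and not Junos code: a small Python model of how a stateless Junos filter like INTERFACE-INCOMING is evaluated (first matching term wins, a packet matching no term is discarded, match conditions inside one term are ANDed). It runs the filter exactly as posted against constructed packets and also shows the gap an interface-bound filter leaves: packets to 192.168.1.1 that enter through any other unit are never evaluated by it, which is why a filter on lo0 is the usual place to protect the routing engine. The second unit ge-0/0/1.0, the management prefix 10.99.0.0/24, the PROTECT_RE filter and all packet addresses are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Term:
    """One 'term' of a stateless Junos filter, reduced to the matches used here."""
    name: str
    action: str                                        # "accept" or "discard"
    src_prefixes: list = field(default_factory=list)   # source-prefix-list
    dst_prefixes: list = field(default_factory=list)   # destination-prefix-list

    def matches(self, src, dst):
        # Inside a 'from' block, different match conditions are ANDed and the
        # entries of one prefix list are ORed; a term without 'from' matches all.
        src_ok = not self.src_prefixes or any(src in n for n in self.src_prefixes)
        dst_ok = not self.dst_prefixes or any(dst in n for n in self.dst_prefixes)
        return src_ok and dst_ok


def evaluate(terms, src, dst):
    """First matching term decides; a packet that matches no term is discarded."""
    for term in terms:
        if term.matches(src, dst):
            return term.action
    return "discard"


def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


# The filter as posted in the thread: discard anything addressed to the
# interface address, then accept everything else.
MYINTERFACE = nets("192.168.1.1/32")
INTERFACE_INCOMING = [
    Term("WAN-ADDRESS", "discard", dst_prefixes=MYINTERFACE),
    Term("ALLOW-ALL", "accept"),
]

# Hypothetical lo0 filter (assumption, not from the thread): only a management
# prefix may reach the routing engine, whatever interface the packet came in on.
PROTECT_RE = [
    Term("MGMT", "accept", src_prefixes=nets("10.99.0.0/24")),
    Term("DENY-REST", "discard"),
]

ROUTER_ADDRESSES = {ipaddress.ip_address("192.168.1.1")}


def dispose(packet, interface_filters, lo0_filter=None):
    """Return 'discard', 'to-RE' (reaches the router itself) or 'transit'.

    interface_filters maps an ingress unit name to its input filter.  A packet
    arriving on a unit without a filter is evaluated against nothing until the
    optional lo0 filter, which is exactly the coverage gap to notice.
    """
    src = ipaddress.ip_address(packet["src"])
    dst = ipaddress.ip_address(packet["dst"])
    ingress = interface_filters.get(packet["ingress"])
    if ingress is not None and evaluate(ingress, src, dst) == "discard":
        return "discard"
    if dst not in ROUTER_ADDRESSES:
        return "transit"
    if lo0_filter is not None and evaluate(lo0_filter, src, dst) == "discard":
        return "discard"
    return "to-RE"


# Constructed sample packets; ge-0/0/1.0 is an assumed second, unfiltered unit.
PACKETS = {
    "lan-host-to-router":   {"src": "192.168.1.50", "dst": "192.168.1.1", "ingress": "xe-0/1/2.100"},
    "lan-host-transit":     {"src": "192.168.1.50", "dst": "10.0.0.5",    "ingress": "xe-0/1/2.100"},
    "other-side-to-router": {"src": "172.16.5.5",   "dst": "192.168.1.1", "ingress": "ge-0/0/1.0"},
    "mgmt-to-router":       {"src": "10.99.0.7",    "dst": "192.168.1.1", "ingress": "ge-0/0/1.0"},
}


def run(lo0_filter=None):
    """Dispose every sample packet with INTERFACE-INCOMING bound to xe-0/1/2.100."""
    filters = {"xe-0/1/2.100": INTERFACE_INCOMING}
    return {name: dispose(p, filters, lo0_filter) for name, p in PACKETS.items()}


if __name__ == "__main__":
    print("interface filter only:", run())
    print("with lo0 filter      :", run(PROTECT_RE))
```

Run as shown, the posted filter discards the ping to 192.168.1.1 that enters xe-0/1/2.100 and lets the transit packet through, so the term logic itself does what the post asks for. The packet from 172.16.5.5 that enters the unfiltered unit still reaches the router until the lo0 filter is in place; when reproducing a "the filter does not block" report, check which interface the test packets actually arrive on before touching the terms.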
Dear SwiNOGers
Thank you for all the off-list answers.
Problem is solved. PEBKAC.
Kind regards,
Viktor
On 30.01.2019 14:43, Viktor Steinmann wrote:
swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Have you thought that you could just use non-publicly routable address space and don't have to worry about the firewall filter?
-----Original Message-----
From: swinog-bounces@lists.swinog.ch On Behalf Of Viktor Steinmann
Sent: Thursday, January 31, 2019 12:29 PM
To: swinog@lists.swinog.ch
Subject: [EXTERNAL] Re: [swinog] JunOS Filter Question