Have you thought that you could just use non-publicly routable address space and not
have to worry about the firewall filter?
-----Original Message-----
From: swinog-bounces(a)lists.swinog.ch <swinog-bounces(a)lists.swinog.ch> On Behalf Of
Viktor Steinmann
Sent: Thursday, January 31, 2019 12:29 PM
To: swinog(a)lists.swinog.ch
Subject: [EXTERNAL] Re: [swinog] JunOS Filter Question
Dear SwiNOGers
Thank you for all the off-list answers.
Problem is solved. PEBKAC.
Kind regards,
Viktor
On 30.01.2019 14:43, Viktor Steinmann wrote:
Dear SwiNOGers
I'm new to JunOS. I like this OS so far, but I'm having a hard time
securing this stuff...
Something's wrong in my JunOS filters... Basically I want to block
everyone from accessing the interface on the router itself, but I want
to allow traffic to pass the interface. Somehow that doesn't work. See
below the (relevant) configuration parts:
interfaces {
    xe-0/1/2 {
        description blabla;
        vlan-tagging;
    }
    unit 100 {
        description Blabla;
        vlan-id 100;
        family inet {
            filter {
                input INTERFACE-INCOMING;
            }
            address 192.168.1.1/24
        }
    }
}
policy-options {
    prefix-list MYINTERFACE {
        192.168.1.1/32;
    }
}
firewall {
    family inet {
        filter INTERFACE-INCOMING {
            term WAN-ADDRESS {
                from {
                    destination-prefix-list {
                        MYINTERFACE;
                    }
                }
                then {
                    discard;
                }
            }
            term ALLOW-ALL {
                then accept;
            }
        }
    }
}
Anybody with a hint why this filter doesn't actually block traffic to
192.168.1.1? I can still ping it.
Kind regards,
Viktor
_______________________________________________
swinog mailing list
swinog(a)lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
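
The term evaluation the posted filter relies on, as an added example that is not part of the original thread: a Python model (not Junos code) that parses the filter text from the post and applies first-match evaluation with the implicit final discard. The helper names (`parse_block`, `load_terms`, `evaluate`) are assumptions made for illustration, and the model covers only the statements used in the post.

```python
import ipaddress
import re

# Filter and prefix list as posted in the thread (whitespace condensed).
FILTER_TEXT = """filter INTERFACE-INCOMING {
    term WAN-ADDRESS { from { destination-prefix-list { MYINTERFACE; } }
                       then { discard; } }
    term ALLOW-ALL { then accept; }
}"""
PREFIX_LISTS = {"MYINTERFACE": ["192.168.1.1/32"]}

def parse_block(tokens):
    """Parse statements up to the closing brace into [(words, children)]."""
    nodes, words = [], []
    while tokens:
        tok = tokens.pop(0)
        if tok == "}":
            break
        if tok in ("{", ";"):
            nodes.append((words, parse_block(tokens) if tok == "{" else []))
            words = []
        else:
            words.append(tok)
    return nodes

def load_terms(text):
    """Return [(term_name, destination_networks, action)] in config order."""
    (_, term_nodes), = parse_block(re.findall(r"[{};]|[^\s{};]+", text))
    terms = []
    for (_, name), children in term_nodes:
        nets, action = [], None
        for words, sub in children:
            if words == ["from"]:
                for cond, lists in sub:
                    if cond == ["destination-prefix-list"]:
                        nets += [ipaddress.ip_network(n)
                                 for (pl,), _ in lists for n in PREFIX_LISTS[pl]]
            elif words[0] == "then":  # "then accept;" or "then { discard; }"
                action = words[1] if len(words) > 1 else sub[0][0][0]
        terms.append((name, nets, action))
    return terms

def evaluate(terms, dst_ip):
    """First matching term decides; a term without 'from' matches all packets."""
    addr = ipaddress.ip_address(dst_ip)
    for name, nets, action in terms:
        if not nets or any(addr in net for net in nets):
            return name, action
    return None, "discard"  # Junos filters end with an implicit discard
```

In this model the posted terms discard a packet addressed to 192.168.1.1 and accept every other destination; with the two terms swapped, ALLOW-ALL would match first and accept it.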