disable ICMP on M10i platform

m4rtin

sI tried to disable ICMP on Juniper M10i platform for testing purposes. At first I applied group firewall:router-protect to lo0 interface. Inside the firewall:router-protect group I defined router-protect filter, which disables ICMP protocol. However, for some reason, I'm still able to ping:

root@M10i_lab> show configuration interfaces lo0 | display inheritance    
##
## '0' was inherited from group 'firewall:router-protect'
##
unit 0 {
    ##
    ## 'inet' was inherited from group 'firewall:router-protect'
    ##
    family inet {
        ##
        ## 'filter' was inherited from group 'firewall:router-protect'
        ##
        filter {
            ##
            ## 'router-protect' was inherited from group 'firewall:router-protect'
            ## 'accept' was inherited from group 'firewall:router-protect'
            ##
            input-list [ router-protect accept ];
        }
    }
}

root@M10i_lab> ...ps firewall:router-protect | display inheritance          
error: groups is not part of inherited configuration

root@M10i_lab> show configuration groups firewall:router-protect            
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input-list [ router-protect accept ];
                }
            }
        }
    }
}
firewall {
    filter router-protect {
        term icmp {
            from {
                protocol icmp;
            }
            then {
                count manage-discard-icmp;
                discard;
            }
        }
    }
}                                       

root@M10i_lab> ping 10.10.10.2 source 10.10.10.1 count 1                    
PING 10.10.10.2 (10.10.10.2): 56 data bytes
64 bytes from 10.10.10.2: icmp_seq=0 ttl=255 time=1.202 ms

--- 10.10.10.2 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.202/1.202/1.202/0.000 ms

root@M10i_lab> 

Then I made another firewall setup, which sets only one filter to lo0 interface:

root@M10i_lab> show configuration interfaces lo0 | display inheritance      
##
## '0' was inherited from group 'firewall:router-protect'
##
unit 0 {
    ##
    ## 'inet' was inherited from group 'firewall:router-protect'
    ##
    family inet {
        ##
        ## 'filter' was inherited from group 'firewall:router-protect'
        ##
        filter {
            ##
            ## 'router-protect' was inherited from group 'firewall:router-protect'
            ##
            input-list router-protect;
        }
    }
}

root@M10i_lab> show configuration groups firewall:router-protect          
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input-list router-protect;
                }
            }
        }
    }
}
firewall {
    filter router-protect {
        term icmp {
            from {
                protocol icmp;
            }
            then {
                count manage-discard-icmp;
                discard;
            }
        }
        term allow {
            then accept;                
        }
    }
}

root@M10i_lab> ping 10.10.10.2 source 10.10.10.1 count 1                  
PING 10.10.10.2 (10.10.10.2): 56 data bytes
64 bytes from 10.10.10.2: icmp_seq=0 ttl=255 time=1.179 ms

--- 10.10.10.2 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.179/1.179/1.179/0.000 ms

root@M10i_lab> 

..but still ICMP works. Any ideas why protocol ICMP is still allowed while it's discarded according to configuration?

networker050184

Have you tried pinging from an external device? Also, is that the actual lo0 address that you are pinging?

Ryan82

If you ping from the device with 10.0.10.2 to 10.0.10.1 the ping shouldn't work. You are only blocking ICMP traffic destined to your lo0 (input list)