Question regarding firewall filters
mrblackmamba343
Inactive Imported Users Posts: 136
in Juniper
On a Cisco router, this is how the rule is written:
access-list 101 permit tcp any host 10.10.10.1 eq 80
access-list 101 permit tcp any host 10.10.10.2 eq 443
access-list 101 permit tcp any host 10.10.10.3 eq 3389
On a Juniper box:
set firewall filter INBOUND term services from source-address 0.0.0.0/0
set firewall filter INBOUND term services from destination-address 10.10.10.1/32
set firewall filter INBOUND term services from destination-address 10.10.10.2/32
set firewall filter INBOUND term services from destination-address 10.10.10.3/32
set firewall filter INBOUND term services from protocol tcp
set firewall filter INBOUND term services from destination-port 80
set firewall filter INBOUND term services from destination-port 443
set firewall filter INBOUND term services from destination-port 3389
set firewall filter INBOUND term services then accept
But I'm confused: how do I know the protocols apply to the IP addresses I want? Can I match a certain protocol to an IP address? I'm new to JUNOS, so please excuse my ignorance. Does the first destination port apply to the first destination address?
Comments
-
teren Member Posts: 30
You'll want to set those up as separate terms:
set firewall filter INBOUND term host1 from source-address 0/0
set firewall filter INBOUND term host1 from destination-address 10.10.10.
set firewall filter INBOUND term host1 from destination-port 80
set firewall filter INBOUND term host1 from protocol tcp
set firewall filter INBOUND term host1 then accept
set firewall filter INBOUND term host2 from source-address 0/0
set firewall filter INBOUND term host2 from destination-address 10.10.10.2
set firewall filter INBOUND term host2 from destination-port 443
set firewall filter INBOUND term host2 from protocol tcp
set firewall filter INBOUND term host2 then accept
set firewall filter INBOUND term host3 from source-address 0/0
set firewall filter INBOUND term host3 from destination-address 10.10.10.3
set firewall filter INBOUND term host3 from destination-port 3389
set firewall filter INBOUND term host3 from protocol tcp
set firewall filter INBOUND term host3 then accept
That should do the trick. You might want to check to make sure the syntax is exact, but hopefully you get the idea; if not, let me know.
Teren
-
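To make the difference between the two filter layouts concrete, here is a small Python model of how a Junos term combines its match conditions. It is an added example, not code from this thread or from Juniper. It assumes the standard Junos behaviour that several values of one condition (three destination-address entries, three destination-port entries) are alternatives, while distinct conditions (address, protocol, port) must all hold; that the first matching term decides the packet; and that a packet matching no term is discarded. The term names, packet layout and sample packets are constructed for the illustration. Running it shows that the single-term filter from the question also accepts TCP/3389 to 10.10.10.1 and TCP/80 to 10.10.10.3, which neither the per-host terms nor the Cisco ACL permit.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Term:
    """One term of a Junos firewall filter (simplified model, constructed here)."""
    name: str
    dst_prefixes: list          # values of 'from destination-address'
    dst_ports: set              # values of 'from destination-port'
    protocols: set              # values of 'from protocol'
    action: str = "accept"      # 'then accept' or 'then discard'

    def matches(self, pkt):
        # Every 'from' condition must hold (AND across conditions), but any one
        # of the listed values satisfies a condition (OR within a condition).
        dst = ipaddress.ip_address(pkt["dst"])
        addr_ok = any(dst in ipaddress.ip_network(p) for p in self.dst_prefixes)
        proto_ok = pkt["proto"] in self.protocols
        port_ok = pkt["dport"] in self.dst_ports
        return addr_ok and proto_ok and port_ok


def evaluate(terms, pkt):
    """Return (term name, action) of the first matching term; implicit discard otherwise."""
    for term in terms:
        if term.matches(pkt):
            return term.name, term.action
    return None, "discard"


# Filter as written in the question: one term carrying all hosts and all ports.
SINGLE_TERM = [
    Term("services",
         ["10.10.10.1/32", "10.10.10.2/32", "10.10.10.3/32"],
         {80, 443, 3389}, {"tcp"}),
]

# Filter as suggested in the answer: one term per host, binding each port to its host.
PER_HOST = [
    Term("host1", ["10.10.10.1/32"], {80}, {"tcp"}),
    Term("host2", ["10.10.10.2/32"], {443}, {"tcp"}),
    Term("host3", ["10.10.10.3/32"], {3389}, {"tcp"}),
]

# Constructed sample packets: destination address, protocol, destination port.
PACKETS = [
    {"dst": "10.10.10.1", "proto": "tcp", "dport": 80},    # intended
    {"dst": "10.10.10.2", "proto": "tcp", "dport": 443},   # intended
    {"dst": "10.10.10.3", "proto": "tcp", "dport": 3389},  # intended
    {"dst": "10.10.10.1", "proto": "tcp", "dport": 3389},  # RDP to the web host: not intended
    {"dst": "10.10.10.3", "proto": "tcp", "dport": 80},    # HTTP to the RDP host: not intended
    {"dst": "10.10.10.1", "proto": "udp", "dport": 80},    # wrong protocol
    {"dst": "10.10.10.4", "proto": "tcp", "dport": 80},    # host not listed at all
]


def accepted_by(terms, packets):
    """Set of (dst, proto, dport) tuples the given filter accepts."""
    return {(p["dst"], p["proto"], p["dport"]) for p in packets
            if evaluate(terms, p)[1] == "accept"}


def over_permissive(loose, strict, packets):
    """Packets the looser filter lets through that the stricter one discards."""
    return sorted(accepted_by(loose, packets) - accepted_by(strict, packets))


if __name__ == "__main__":
    for pkt in PACKETS:
        print(pkt, "single-term:", evaluate(SINGLE_TERM, pkt),
              "per-host:", evaluate(PER_HOST, pkt))
    print("accepted only by the single-term filter:",
          over_permissive(SINGLE_TERM, PER_HOST, PACKETS))
```

The same check is a cheap way to review any filter before committing it: list the flows the term is meant to allow, list the flows it must not allow, and confirm the model discards the second set. Expect the single-term version to report two extra accepted flows.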
mrblackmamba343 Inactive Imported Users Posts: 136
Any idea why BGP routes are not being advertised to its peers based on this config?
[edit policy-options policy-statement direct]
root# show
term connected {
    from {
        protocol direct;
        route-filter 192.168.2.0/24 exact;
    }
}

[edit policy-options policy-statement direct]
root# top edit protocols bgp

[edit protocols bgp]
root# show
group ibgp {
    export direct;
    peer-as 1;
    neighbor 192.168.1.1;
}
Solved my own issue: I was missing a then statement...
-
Ahriakin Member Posts: 1,799
Also, you might want to consider using prefix-lists in your FW filters (even for one address to start with); it gives you more flexibility later as you add more similar servers.
We responded to the Year 2000 issue with "Y2K" solutions... isn't this the kind of thinking that got us into trouble in the first place?