disable ICMP on M10i platform

m4rtinm4rtin Member Posts: 170
I tried to disable ICMP on a Juniper M10i platform for testing purposes. At first I applied the group firewall:router-protect to the lo0 interface. Inside the firewall:router-protect group I defined the router-protect filter, which discards the ICMP protocol. However, for some reason, I'm still able to ping:
root@M10i_lab> show configuration interfaces lo0 | display inheritance    
##
## '0' was inherited from group 'firewall:router-protect'
##
unit 0 {
    ##
    ## 'inet' was inherited from group 'firewall:router-protect'
    ##
    family inet {
        ##
        ## 'filter' was inherited from group 'firewall:router-protect'
        ##
        filter {
            ##
            ## 'router-protect' was inherited from group 'firewall:router-protect'
            ## 'accept' was inherited from group 'firewall:router-protect'
            ##
            input-list [ router-protect accept ];
        }
    }
}

root@M10i_lab> ...ps firewall:router-protect | display inheritance          
error: groups is not part of inherited configuration

root@M10i_lab> show configuration groups firewall:router-protect            
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input-list [ router-protect accept ];
                }
            }
        }
    }
}
firewall {
    filter router-protect {
        term icmp {
            from {
                protocol icmp;
            }
            then {
                count manage-discard-icmp;
                discard;
            }
        }
    }
}                                       

root@M10i_lab> ping 10.10.10.2 source 10.10.10.1 count 1                    
PING 10.10.10.2 (10.10.10.2): 56 data bytes
64 bytes from 10.10.10.2: icmp_seq=0 ttl=255 time=1.202 ms

--- 10.10.10.2 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.202/1.202/1.202/0.000 ms

root@M10i_lab> 
Then I made another firewall setup, which applies only one filter to the lo0 interface:
root@M10i_lab> show configuration interfaces lo0 | display inheritance      
##
## '0' was inherited from group 'firewall:router-protect'
##
unit 0 {
    ##
    ## 'inet' was inherited from group 'firewall:router-protect'
    ##
    family inet {
        ##
        ## 'filter' was inherited from group 'firewall:router-protect'
        ##
        filter {
            ##
            ## 'router-protect' was inherited from group 'firewall:router-protect'
            ##
            input-list router-protect;
        }
    }
}

root@M10i_lab> show configuration groups firewall:router-protect          
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input-list router-protect;
                }
            }
        }
    }
}
firewall {
    filter router-protect {
        term icmp {
            from {
                protocol icmp;
            }
            then {
                count manage-discard-icmp;
                discard;
            }
        }
        term allow {
            then accept;                
        }
    }
}

root@M10i_lab> ping 10.10.10.2 source 10.10.10.1 count 1                  
PING 10.10.10.2 (10.10.10.2): 56 data bytes
64 bytes from 10.10.10.2: icmp_seq=0 ttl=255 time=1.179 ms

--- 10.10.10.2 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.179/1.179/1.179/0.000 ms

root@M10i_lab> 
...but ICMP still works. Any ideas why protocol ICMP is still allowed while it is discarded according to the configuration?
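As an added illustration (not part of the post above, and not Junos code), here is a small Python model of how a Junos firewall filter evaluates its terms: top-down, first matching term with a terminating action decides, implicit discard at the end. It parses the second router-protect filter from the post and shows that, by the filter's own logic, ICMP is discarded and everything else is accepted. The parser is a simplification: it assumes no '#' comments and only single-value match conditions such as 'protocol icmp'.

```python
import re
# Simplified model of Junos filter evaluation: terms are tried top-down, the first
# match with a terminating action decides, otherwise the implicit discard applies.
SAMPLE = """firewall { filter router-protect {
  term icmp { from { protocol icmp; } then { count manage-discard-icmp; discard; } }
  term allow { then accept; } } }"""  # the second filter from the post, reflowed
TERMINATING = {"accept", "discard", "reject"}

def parse_junos(text):
    """Tokenise curly-brace Junos config (no '#' comments) into nested blocks."""
    root = {"stmts": [], "blocks": {}}
    stack, cur, words = [], root, []
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok == "{":
            child = {"stmts": [], "blocks": {}}
            cur["blocks"][" ".join(words)] = child
            stack.append(cur)
            cur, words = child, []
        elif tok == "}":
            cur = stack.pop()
        elif tok == ";":
            cur["stmts"].append(tuple(words))
            words = []
        else:
            words.append(tok)
    return root

def term_action(term):
    """Terminating action from a 'then { ... }' block or an inline 'then accept;'."""
    stmts = list(term["blocks"].get("then", {"stmts": []})["stmts"])
    stmts += [s[1:] for s in term["stmts"] if s[:1] == ("then",)]
    return next((s[0] for s in stmts if s and s[0] in TERMINATING), None)

def term_matches(term, packet):
    """All 'from' conditions must hold; a term without 'from' matches everything."""
    frm = term["blocks"].get("from")
    return frm is None or all(
        len(s) == 2 and packet.get(s[0]) == s[1] for s in frm["stmts"])

def evaluate(filt, packet):
    """Return (term name, action) for a packet, (None, 'discard') if nothing decides."""
    for name, term in filt["blocks"].items():
        if name.startswith("term ") and term_matches(term, packet):
            action = term_action(term)
            if action:
                return name.split(None, 1)[1], action
    return None, "discard"  # implicit discard at end of filter

def router_protect():
    filt = parse_junos(SAMPLE)["blocks"]["firewall"]["blocks"]["filter router-protect"]
    return evaluate(filt, {"protocol": "icmp"}), evaluate(filt, {"protocol": "tcp"})
```

Because the model says ICMP should be discarded by this filter, a ping that still succeeds points at how or where the filter is applied (or what traffic actually traverses lo0) rather than at the term logic itself.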
