In this lesson, I am going to do the basic things that you can do using the firewall filters on Juniper. Let me show you what scenario I have here:
This is my scenario, R1 and R2 are connected to each other and IP addresses are already set. I have also the static route set so 1.1.1.1 can ping 2.2.2.2 and vice versa. Let me show you this:
root@R1# run ping 2.2.2.2 source 1.1.1.1
PING 2.2.2.2 (2.2.2.2): 56 data bytes
64 bytes from 2.2.2.2: icmp_seq=0 ttl=64 time=3.822 ms
64 bytes from 2.2.2.2: icmp_seq=1 ttl=64 time=5.349 ms
64 bytes from 2.2.2.2: icmp_seq=2 ttl=64 time=6.910 ms
64 bytes from 2.2.2.2: icmp_seq=3 ttl=64 time=3.782 ms
^C
— 2.2.2.2 ping statistics —
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.782/4.966/6.910/1.288 ms
[edit]
root@R1#
root@R2> ping 1.1.1.1 source 2.2.2.2
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: icmp_seq=0 ttl=64 time=3.502 ms
64 bytes from 1.1.1.1: icmp_seq=1 ttl=64 time=6.510 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=64 time=5.207 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=64 time=7.064 ms
^C
— 1.1.1.1 ping statistics —
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.502/5.571/7.064/1.371 ms
root@R2>
Excellent, they can ping each other.
I want now to disallow R2 to ping 1.1.1.1 while allowing him to ping any other IP address. Also I want R2 to keep a logging when the filter rule is being matched.
Let me show you how you can do that:
root@R2# edit firewall filter ICMP-BLOCK term TERM1
[edit firewall filter ICMP-BLOCK term TERM1]
root@R2# set from protocol icmp
[edit firewall filter ICMP-BLOCK term TERM1]
root@R2# set from destination-address 1.1.1.1/32
[edit firewall filter ICMP-BLOCK term TERM1]
root@R2# set then discard
[edit firewall filter ICMP-BLOCK term TERM1]
root@R2# set then log
[edit firewall filter ICMP-BLOCK term TERM1]
root@R2# show
from {
destination-address {
1.1.1.1/32;
}
protocol icmp;
}
then {
log;
discard;
}
[edit firewall filter ICMP-BLOCK term TERM1]
root@R2#
I have created a filter rule that in case the destination is 1.1.1.1/32 and the protocol is ICMP, then it will be blocked and will have a log file.
However, keeping the filter rule like this only will discard any other traffic because on Juniper there is a hidden implicit deny rule which deny everything else. So I should create a Term 2 and allow everything else, you got me?
Let me show you how you can do that:
[edit firewall filter ICMP-BLOCK term TERM1]
root@R2# up
[edit firewall filter ICMP-BLOCK]
root@R2# edit term TERM2
[edit firewall filter ICMP-BLOCK term TERM2]
root@R2# set then accept
[edit firewall filter ICMP-BLOCK term TERM2]
root@R2#
Let’s see how the firewall filter looks now completely and if it is good I will save it:
[edit firewall filter ICMP-BLOCK term TERM2]
root@R2# up
[edit firewall filter ICMP-BLOCK]
root@R2# show
term TERM1 {
from {
destination-address {
1.1.1.1/32;
}
protocol icmp;
}
then {
log;
discard;
}
}
term TERM2 {
then accept;
}
[edit firewall filter ICMP-BLOCK]
root@R2# commit
commit complete
[edit firewall filter ICMP-BLOCK]
root@R2#
Excellent, this is what I want to see.
Now the filter rule is created but we have to apply it.
We should apply it on the outbound of the interface of G-0/0/2 interface because the traffic is leaving R2 on its interface Ge-0/0/2 to R1 in order to reach 1.1.1.1
Let’s do it:
root@R2# edit interfaces ge-0/0/2 unit 0 family inet
[edit interfaces ge-0/0/2 unit 0 family inet]
root@R2# set filter output ICMP-BLOCK
[edit interfaces ge-0/0/2 unit 0 family inet]
root@R2# commit
commit complete
[edit interfaces ge-0/0/2 unit 0 family inet]
root@R2#
This way, I have configured the filter rule on the right interface in the way out.
Let’s check now if 2.2.2.2 can still ping 1.1.1.1.
root@R2> ping 1.1.1.1 source 2.2.2.2
PING 1.1.1.1 (1.1.1.1): 56 data bytes
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
^C
— 1.1.1.1 ping statistics —
5 packets transmitted, 0 packets received, 100% packet loss
root@R2>
Great, I can’t ping 1.1.1.1 from 2.2.2.2.
Let’s try to ping 192.168.12.1, do you think I will have a reply? Let’s check:
root@R2> ping 192.168.12.1 source 2.2.2.2
PING 192.168.12.1 (192.168.12.1): 56 data bytes
64 bytes from 192.168.12.1: icmp_seq=0 ttl=64 time=56.893 ms
64 bytes from 192.168.12.1: icmp_seq=1 ttl=64 time=4.239 ms
64 bytes from 192.168.12.1: icmp_seq=2 ttl=64 time=4.909 ms
64 bytes from 192.168.12.1: icmp_seq=3 ttl=64 time=4.178 ms
^C
— 192.168.12.1 ping statistics —
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 4.178/17.555/56.893/22.714 ms
root@R2>
Yes I do have a reply because I am ping to a destination which is not 1.1.1.1 then the filter rule will go to TERM2 which allow everything to pass.
Let’s see if I can find the log for the ping that I have done to 1.1.1.1
root@R2> show firewall log
Log :
Time Filter Action Interface Protocol Src Addr Dest Addr
10:34:17 ICMP-BLOCK D local ICMP 2.2.2.2 1.1.1.1
10:34:16 ICMP-BLOCK D local ICMP 2.2.2.2 1.1.1.1
10:34:15 ICMP-BLOCK D local ICMP 2.2.2.2 1.1.1.1
10:34:14 ICMP-BLOCK D local ICMP 2.2.2.2 1.1.1.1
10:34:13 ICMP-BLOCK D local ICMP 2.2.2.2 1.1.1.1
root@R2>
Here we go, I have the log showing up with all information required, beautiful 😊
This is all what I wanted to show you in this lesson, hope you enjoyed it and see you in the upcoming one.
0 Comments