So many ways to block traffic with Juniper SRX. So you can either do a firewall filter (think ACL), allow or deny a service on host-inbound, and also control it via the junos-host zone. Time to see how they all play together.
Based on this topology I have the CORE and the SRX05 doing BGP with each other. I have both ge-0/0/0 and ge-0/0/1 in security zone UNTRUST. Actually before I mention that, let's not forget that if an interface is not in a security zone, it is in the NULL zone and that means it accepts nothing. It does nothing. It just sits there and tells things to go away.
I started out with allowing only specific traffic in on my zone and then said I am testing to screw it.
jmctsm@srx05# show security zones security-zone UNTRUST
host-inbound-traffic {
system-services {
ping;
all;
}
protocols {
bgp;
all;
}
}
interfaces {
ge-0/0/0.0;
ge-0/0/1.0;
}
host-inbound-traffic {
system-services {
ping;
all;
}
protocols {
bgp;
all;
}
}
interfaces {
ge-0/0/0.0;
ge-0/0/1.0;
}
That allowed BGP to come up on both sides (skipping BGP configuration). So that worked. But what happens if I put a filter in place. Hmmmm
jmctsm@srx05# show firewall
filter INCOMING_UNTRUST {
term DENY_BGP {
from {
protocol tcp;
port bgp;
}
then {
reject;
}
}
term ALLOW_ALL {
then accept;
}
}
jmctsm@srx05# show interfaces ge-0/0/0
unit 0 {
family inet {
filter {
input INCOMING_UNTRUST;
}
address 172.16.5.5/24;
}
}
[edit]
jmctsm@srx05# run show bgp summary
Threading mode: BGP I/O
Default eBGP mode: advertise - accept, receive - accept
Groups: 1 Peers: 2 Down peers: 1
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet.0
0 0 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
172.16.5.1 65000 0 0 0 3 26:56 Connect
172.16.55.1 65000 62 61 0 2 26:53 Establ
inet.0: 0/0/0/0
So a firewall filter blocked my BGP. So that tells me it is
firewall filter -> host-inbound
So now let's play with the junos-host zone. I created a policy of
from-zone UNTRUST to-zone junos-host {
policy DENY_BGP {
match {
source-address any;
destination-address any;
application junos-bgp;
}
then {
deny;
}
}
policy ALLOW_ALL {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
default-policy {
deny-all;
}
That did nothing. BGP still formed for my 55.1 neighbor. So what happens if I remove the host-inbound services? Nothing changed yet again. The BGP session still came back up. So starting over from scratch I then removed the interface from the UNTRUST zone and now BGP drops. Time to figure this out more.
So even with no host-inbound and no junos-host security policy, BGP still forms to the neighbor on the UNTRUST interface. Just freaking weird.
And I think that I found my issue. BGP is allowed to connect no matter if I have host-inbound-traffic on or not or allowed in a policy for junos-host.
So let's try something easier. Ping. Without a host-inbound policy I cannot ping. Easy enough. But let's allow that there and deny it on the junos-host policy and see what happens.
[edit security policies from-zone UNTRUST to-zone junos-host]
jmctsm@srx05# show
policy DENY_BGP {
match {
source-address BGP_PEER_05;
destination-address any;
application junos-bgp;
}
then {
deny;
}
}
policy DENY_PING_FROM_5_1 {
match {
source-address BGP_PEER_05;
destination-address any;
application junos-ping;
}
then {
deny;
}
}
policy ALLOW_ALL {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
That blocks traffic from 172.16.5.1 as expected. So again this is good to find out that apparently some traffic is allowed through always and some can be denied. Interesting.
Also even if the policy is there for zone junos-host but no host-inbound-traffic, the traffic can be denied.
So what we have is a firewall filter will block before any policies then if no junos-host zone is used and only host-inbound-traffic, all things allowed by host-inbound-traffic can come into the firewall. To be specific you can use either a firewall filter (which has to be applied at all possible interfaces) or use the junos-host zone.
Fun time with SRX.
UPDATE:
I figured out finally why BGP would still come up from a neighbor even if BGP is not allowed via junos-host zone or host-inbound-traffic. BGP is a TCP server client protocol that either side can initiate from. Looking at the logs, when the CORE device tries to initiate to the SRX, the SRX denies the traffic. BUT if the SRX initiates the traffic to the CORE it works. The policy is not blocking that by any outside method and since the SRX is stateful it allows all communications back in from the "server".
I figured out finally why BGP would still come up from a neighbor even if BGP is not allowed via junos-host zone or host-inbound-traffic. BGP is a TCP server client protocol that either side can initiate from. Looking at the logs, when the CORE device tries to initiate to the SRX, the SRX denies the traffic. BUT if the SRX initiates the traffic to the CORE it works. The policy is not blocking that by any outside method and since the SRX is stateful it allows all communications back in from the "server".
To SRX from CORE = BAD
From SRX to CORE = Established
No comments:
Post a Comment