This is probably a silly question but do you have any idea why ftp, http, and https show up as open ports in a port scan on an MX80 even when the services are unconfigured?
Not shown: 997 filtered ports
PORT    STATE SERVICE
21/tcp  open  ftp
80/tcp  open  http
443/tcp open  https

[drew@nessie drew]# wget http://10.1.25.156
--2018-07-12 09:49:28--  http://10.1.25.156/
Connecting to 10.1.25.156:80... connected.
HTTP request sent, awaiting response...

drew@chuck> show configuration system services
ssh {
    root-login deny;
}

Thanks,
-Drew

-----Original Message-----
From: Saku Ytti [mailto:s...@ytti.fi]
Sent: Thursday, July 12, 2018 6:54 AM
To: Drew Weaver <drew.wea...@thenap.com>
Cc: cb...@gizmopartners.com; Juniper List <juniper-nsp@puck.nether.net>
Subject: Re: [j-nsp] ACL for lo0 template/example comprehensive list of 'things to think about'?

I have not. But to answer your question broadly

a) allow in very specific terms what you want to accept
 - always match on source IP (except UDP traceroute and ICMP, which you'll need to accept from world)
 - always match on destination IP, if you run any L3 MPLS VPN
 - always match on destination port, either service port, BGP, SSH etc or JunOS ephemeral (49160-65535) (TCP requires 2 terms, one per direction)
 - always match on TTL/hop-count 255 when permitted (VRRP, ND)
 - decide your policy on IP options, and ensure lo0 implements that (transit IP-options are today subject to lo0. they were not in earlier JunOS, not even on Trio)
 - be sure that source IPs you allow cannot be spoofed. If I want to DDoS your network, first source address spoofs I'll try are ftp.juniper.net, ftp.cisco.com etc. Ensure you don't admit anything like that to control-plane
b) discard rest
c) implement ddos-protection
 - configure _every_ protocol, set 10-100pps aggregate for protocols you don't know you need
 - disable sub detection, enable ifl detection
 - set ifl limit to 10th or 5th of aggregate at most (so you need >5 or >10 violating ifl to congest aggregate)
 - have three categories 'don't care', 'care, but not customer impacting', 'customer impacting'.
I'd recommend no more than 100pps, 4000pps and 8000pps aggregates per category. There is built-in magic policer from NPU=>LC_CPU, you can't review its drops nor can you reconfigure it, but you MUST NOT congest it, as it will drop packets blindly contract-unaware.

On Wed, 11 Jul 2018 at 22:09, Drew Weaver <drew.wea...@thenap.com> wrote:
>
> Have you tried submitting your recommendations to the authors?
>
> -----Original Message-----
> From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Saku Ytti
> Sent: Wednesday, July 11, 2018 3:07 PM
> To: cb...@gizmopartners.com
> Cc: Juniper List <juniper-nsp@puck.nether.net>
> Subject: Re: [j-nsp] ACL for lo0 template/example comprehensive list of 'things to think about'?
>
> I'd say the filters are all kind of broken.
>
> Just a few issues
>
> a) You can't just limit UDP to 2Mbps on every edge port
> b) LO filter matches on 'port'
> c) LO filter has wide permit instead of accept 1,2,3,4 drop rest
> d) hardcore doesn't permit traceroute
>
> Just very short review, to me just these errors are monumental misunderstanding of security and goals of filters. To me starting from nothing is superior than starting from those.
>
> On Wed, 11 Jul 2018 at 21:23, Chris Boyd <cb...@gizmopartners.com> wrote:
> >
> >
> >
> > > On Jul 11, 2018, at 1:17 PM, Drew Weaver <drew.wea...@thenap.com> wrote:
> > >
> > > Is there a list of best practices or 'things to think about' when constructing a firewall filter for a loopback on an MX series router running version 15 of Junos?
> > >
> > > I'm slowly piecing it together by just 'seeing what is broken next' and I have found some issue-specific examples on Juniper.net thus far that tend to help with some of the issues but if anyone has ever seen a decent comprehensive guide that would be tremendously useful.
> > >
> > > If anyone has seen anything like this let me know, if not no worries will just keep fixing the things one by one =)
> >
> > Team Cymru has a “JunOS Secure Template” that I found a good place to start. It quotes version 4 though. I think that means it’s well tested?
> >
> > http://www.cymru.com/gillsr/documents/junos-template.pdf
> >
> > —Chris
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp@puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
> >
>
> --
> ++ytti
--
++ytti
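As an added example (not from anyone in this thread and not a Juniper-published template), here is one way to turn the checklist above into Junos set-style configuration: a lo0 filter that accepts only explicitly matched traffic, one TCP term per direction, TTL 255 for link-local protocols, policed ICMP and UDP traceroute from the world, an explicit IP-options decision, and a counted discard-rest term; then a ddos-protection stanza with the three aggregate categories (100/4000/8000pps), subscriber detection off, ifl detection on, and the ifl limit at one tenth of the aggregate. The prefix-list contents (RFC 5737 documentation space), the policer rate and the choice of bgp/ssh/ftp as representatives of the three categories are constructed placeholders; the `##` lines are reader annotations.

```junos
## Added example, not from the thread. Prefix-list contents are constructed (RFC 5737 space).
set policy-options prefix-list ROUTER-LOOPBACKS 192.0.2.1/32
set policy-options prefix-list BGP-PEERS 198.51.100.0/24
set policy-options prefix-list MGMT-HOSTS 203.0.113.0/28

## Policer for the two things that must be accepted from the world (ICMP, UDP traceroute).
set firewall policer WORLD-POLICER if-exceeding bandwidth-limit 1m
set firewall policer WORLD-POLICER if-exceeding burst-size-limit 15k
set firewall policer WORLD-POLICER then discard

## TCP needs one term per direction: sessions opened to us (destination port 179)
## and replies to sessions we opened, which return to the JunOS ephemeral range.
set firewall family inet filter PROTECT-RE term bgp-in from source-prefix-list BGP-PEERS
set firewall family inet filter PROTECT-RE term bgp-in from destination-prefix-list ROUTER-LOOPBACKS
set firewall family inet filter PROTECT-RE term bgp-in from protocol tcp
set firewall family inet filter PROTECT-RE term bgp-in from destination-port bgp
set firewall family inet filter PROTECT-RE term bgp-in then accept
set firewall family inet filter PROTECT-RE term bgp-reply from source-prefix-list BGP-PEERS
set firewall family inet filter PROTECT-RE term bgp-reply from destination-prefix-list ROUTER-LOOPBACKS
set firewall family inet filter PROTECT-RE term bgp-reply from protocol tcp
set firewall family inet filter PROTECT-RE term bgp-reply from source-port bgp
set firewall family inet filter PROTECT-RE term bgp-reply from destination-port 49160-65535
set firewall family inet filter PROTECT-RE term bgp-reply then accept
## SSH only from management hosts, only to our own loopback.
set firewall family inet filter PROTECT-RE term ssh from source-prefix-list MGMT-HOSTS
set firewall family inet filter PROTECT-RE term ssh from destination-prefix-list ROUTER-LOOPBACKS
set firewall family inet filter PROTECT-RE term ssh from protocol tcp
set firewall family inet filter PROTECT-RE term ssh from destination-port ssh
set firewall family inet filter PROTECT-RE term ssh then accept
## Link-local protocols: TTL 255 proves the packet was not routed to get here.
set firewall family inet filter PROTECT-RE term vrrp from destination-address 224.0.0.18/32
set firewall family inet filter PROTECT-RE term vrrp from protocol vrrp
set firewall family inet filter PROTECT-RE term vrrp from ttl 255
set firewall family inet filter PROTECT-RE term vrrp then accept
## ICMP and UDP traceroute from anywhere, but policed.
set firewall family inet filter PROTECT-RE term icmp from protocol icmp
set firewall family inet filter PROTECT-RE term icmp from icmp-type [ echo-request echo-reply unreachable time-exceeded ]
set firewall family inet filter PROTECT-RE term icmp then policer WORLD-POLICER
set firewall family inet filter PROTECT-RE term icmp then accept
set firewall family inet filter PROTECT-RE term traceroute from protocol udp
set firewall family inet filter PROTECT-RE term traceroute from destination-port 33434-33523
set firewall family inet filter PROTECT-RE term traceroute then policer WORLD-POLICER
set firewall family inet filter PROTECT-RE term traceroute then accept
## Explicit IP-options policy (here: drop). Transit options packets land here too.
set firewall family inet filter PROTECT-RE term ip-options from ip-options any
set firewall family inet filter PROTECT-RE term ip-options then count ip-options
set firewall family inet filter PROTECT-RE term ip-options then discard
## b) discard the rest, counted so the drops stay visible.
set firewall family inet filter PROTECT-RE term discard-rest then count discard-rest
set firewall family inet filter PROTECT-RE term discard-rest then discard
set interfaces lo0 unit 0 family inet filter input PROTECT-RE

## c) ddos-protection: aggregate per category, subscriber detection off, ifl detection on,
## ifl limit at one tenth of the aggregate. Repeat the pattern for every protocol group.
set system ddos-protection global flow-detection
## customer impacting
set system ddos-protection protocols bgp aggregate bandwidth 8000
set system ddos-protection protocols bgp aggregate burst 8000
set system ddos-protection protocols bgp aggregate flow-level-detection subscriber off
set system ddos-protection protocols bgp aggregate flow-level-detection logical-interface on
set system ddos-protection protocols bgp aggregate flow-level-bandwidth logical-interface 800
## care, but not customer impacting
set system ddos-protection protocols ssh aggregate bandwidth 4000
set system ddos-protection protocols ssh aggregate burst 4000
set system ddos-protection protocols ssh aggregate flow-level-detection subscriber off
set system ddos-protection protocols ssh aggregate flow-level-detection logical-interface on
set system ddos-protection protocols ssh aggregate flow-level-bandwidth logical-interface 400
## don't care: a protocol you have not enabled
set system ddos-protection protocols ftp aggregate bandwidth 100
set system ddos-protection protocols ftp aggregate burst 100
set system ddos-protection protocols ftp aggregate flow-level-detection subscriber off
set system ddos-protection protocols ftp aggregate flow-level-detection logical-interface on
set system ddos-protection protocols ftp aggregate flow-level-bandwidth logical-interface 10
```

Two things to check before committing: the source-prefix matches are only as strong as the anti-spoofing on your edge ports (if a customer-facing interface will forward packets sourced from BGP-PEERS, this filter accepts them), and the filter is family inet only, so IPv6 control-plane traffic (including ND, which wants hop-limit 255) needs a parallel family inet6 filter. With the filter applied, anything listening on the RE that you did not explicitly accept, such as the 21/80/443 seen in the scan at the top of the thread, falls into discard-rest, and `show firewall filter PROTECT-RE` shows the counters so you can see what you are dropping.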