On Wed, Mar 18, 2020 at 11:16:54AM -0500, John Kristoff wrote:
> On Wed, 18 Mar 2020 16:02:09 +0000
> Saku Ytti <s...@ytti.fi> wrote:
> 
> > It is completely broken, you use 'port' so you expose every port in your 
> > system.
> 
> Ha, OK thanks.  I think that would require some not so easy spoofing
> unless I'm missing something.  We can convert any statement that just
> uses port to directional, which I think will require additional rules
> to tighten it up.  Feel free to submit example configs.

To bypass your filter, just SSH using source port 179 (bgp), destination port 
22, and you are in (as long as you are a BGP neighbor for this specific term):

        filter loopback-v4 {
            term bgp {
                from {
                    source-prefix-list {
                        bgp-neighbors-v4;
                    }
                    protocol tcp;
                    port bgp;
                }
                then {
                    count bgp;
                    accept;
                }
            }
        }

Fix:

/* allow inbound BGP connections */
term bgp-inbound {
    from {
        source-prefix-list {
            bgp-neighbors-v4;
        }
        protocol tcp;
        source-port 1024-65535;
        destination-port bgp;
    }
    then {
        count bgp;
        accept;
    }
}
/* allow reply packets to outbound BGP connections */
term bgp-replies {
    from {
        source-prefix-list {
            bgp-neighbors-v4;
        }
        protocol tcp;
        source-port bgp;
        destination-port 1024-65535;
        tcp-established;
    }
    then {
        count bgp-replies;
        accept;
    }
}
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
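Added example (not from the post, and not Juniper code): a small Python model of how the broken term and the two fixed terms above evaluate the packets the thread discusses, assuming Junos semantics where `port` matches either the source or the destination port and `tcp-established` matches packets with ACK or RST set. The prefix list contents and the packets are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-in for the bgp-neighbors-v4 prefix list (assumption).
BGP_NEIGHBORS_V4 = [ip_network("192.0.2.0/24")]
BGP_PORT = 179
TCP_SYN, TCP_ACK, TCP_RST = 0x02, 0x10, 0x04


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str
    sport: int
    dport: int
    flags: int


def from_neighbor(pkt: Packet) -> bool:
    return any(ip_address(pkt.src) in net for net in BGP_NEIGHBORS_V4)


def broken_term_bgp(pkt: Packet) -> bool:
    """Original term: 'port bgp' matches if EITHER port is 179."""
    return (from_neighbor(pkt) and pkt.proto == "tcp"
            and (pkt.sport == BGP_PORT or pkt.dport == BGP_PORT))


def term_bgp_inbound(pkt: Packet) -> bool:
    """Fixed term: neighbor connects from an ephemeral port to our port 179."""
    return (from_neighbor(pkt) and pkt.proto == "tcp"
            and 1024 <= pkt.sport <= 65535 and pkt.dport == BGP_PORT)


def term_bgp_replies(pkt: Packet) -> bool:
    """Fixed term: replies from the neighbor's port 179; tcp-established = ACK or RST."""
    return (from_neighbor(pkt) and pkt.proto == "tcp"
            and pkt.sport == BGP_PORT and 1024 <= pkt.dport <= 65535
            and bool(pkt.flags & (TCP_ACK | TCP_RST)))


def fixed_filter_accepts(pkt: Packet) -> bool:
    return term_bgp_inbound(pkt) or term_bgp_replies(pkt)


# Constructed packets, all sourced from inside the neighbor prefix list.
SSH_FROM_PORT_179 = Packet("192.0.2.10", "tcp", 179, 22, TCP_SYN)          # bypass from the post
BGP_OPEN_FROM_NEIGHBOR = Packet("192.0.2.10", "tcp", 40000, 179, TCP_SYN)  # legitimate inbound BGP
BGP_REPLY_TO_US = Packet("192.0.2.10", "tcp", 179, 50000, TCP_SYN | TCP_ACK)  # reply to our session
NEW_CONN_FROM_179 = Packet("192.0.2.10", "tcp", 179, 8080, TCP_SYN)        # fails tcp-established
```

The last packet shows why `tcp-established` is part of the replies term: a fresh SYN from port 179 to a high port is not a reply to anything and is dropped by the fixed filter.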