Have you thought that you could just use non-publicly routable address space and don't have to worry about the firewall filter?
-----Original Message-----
From: swinog-boun...@lists.swinog.ch <swinog-boun...@lists.swinog.ch> On Behalf Of Viktor Steinmann
Sent: Thursday, January 31, 2019 12:29 PM
To: swinog@lists.swinog.ch
Subject: [EXTERNAL] Re: [swinog] JunOS Filter Question

Dear SwiNOGers

Thank you for all the off-list answers. Problem is solved. PEBKAC.

Kind regards,
Viktor

On 30.01.2019 14:43, Viktor Steinmann wrote:
> Dear SwiNOGers
>
> I'm new to JunOS. I like this OS so far, but I'm having a hard time,
> securing this stuff...
>
> Something's wrong in my JunOS filters... Basically I want to block
> everyone from accessing the interface on the router itself, but I want
> to allow traffic to pass the interface. Somehow that doesn't work. See
> below the (relevant) configuration parts:
>
> interfaces {
>     xe-0/1/2 {
>         description blabla;
>         vlan-tagging;
>     }
>     unit 100 {
>         description Blabla;
>         vlan-id 100;
>         family inet {
>             filter {
>                 input INTERFACE-INCOMING;
>             }
>             address 192.168.1.1/24
>         }
>     }
> }
>
>
> policy-options {
>     prefix-list MYINTERFACE {
>         192.168.1.1/32;
>     }
> }
>
> firewall {
>     family inet {
>         filter INTERFACE-INCOMING {
>             term WAN-ADDRESS {
>                 from {
>                     destination-prefix-list {
>                         MYINTERFACE;
>                     }
>                 }
>                 then {
>                     discard;
>                 }
>             }
>             term ALLOW-ALL {
>                 then accept;
>             }
>         }
>     }
> }
>
>
> Anybody with a hint, why this filter doesn't actually block traffic to
> 192.168.1.1? I can still ping it.
>
> Kind regards,
>
> Viktor

_______________________________________________
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
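
Added example, not part of the thread and not written by any of the posters: a small Python model of ordered, first-match term evaluation as Junos firewall filters perform it, loaded with the prefix-list and the two terms of INTERFACE-INCOMING as quoted above. The dictionary layout and the function names `evaluate` and `shadowed_terms` are assumptions made for illustration, and only destination-prefix-list matching is modelled.

```python
import ipaddress

# Constructed model of the quoted configuration: prefix-list MYINTERFACE and
# the terms of filter INTERFACE-INCOMING, in the order they were posted.
PREFIX_LISTS = {"MYINTERFACE": ["192.168.1.1/32"]}
FILTER = [
    {"name": "WAN-ADDRESS", "dst_prefix_list": "MYINTERFACE", "action": "discard"},
    {"name": "ALLOW-ALL", "dst_prefix_list": None, "action": "accept"},
]


def evaluate(dst, terms=FILTER, prefix_lists=PREFIX_LISTS):
    """Return (term name, action) of the first term that matches dst."""
    addr = ipaddress.ip_address(dst)
    for term in terms:
        plist = term["dst_prefix_list"]
        # A term without a "from" clause matches every packet.
        if plist is None or any(
            addr in ipaddress.ip_network(p) for p in prefix_lists[plist]
        ):
            return term["name"], term["action"]
    # A Junos filter ends with an implicit discard when no term matches.
    return "(implicit)", "discard"


def shadowed_terms(terms=FILTER):
    """Names of terms placed after an unconditional term; they never match."""
    for i, term in enumerate(terms):
        if term["dst_prefix_list"] is None:
            return [t["name"] for t in terms[i + 1:]]
    return []


if __name__ == "__main__":
    # Router's own address, a host on the same /24, and a transit destination.
    for dst in ("192.168.1.1", "192.168.1.20", "10.0.0.5"):
        print(dst, *evaluate(dst))
    print("shadowed:", shadowed_terms())
```
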