Have you thought that you could just use non-publicly routable address space
and don't have to worry about the firewall filter?
-----Original Message-----
From: swinog-boun...@lists.swinog.ch <swinog-boun...@lists.swinog.ch> On Behalf
Of Viktor Steinmann
Sent: Thursday, January 31, 2019 12:29 PM
To: swinog@lists.swinog.ch
Subject: [EXTERNAL] Re: [swinog] JunOS Filter Question
Dear SwiNOGers
Thank you for all the off-list answers.
Problem is solved. PEBKAC.
Kind regards,
Viktor
On 30.01.2019 14:43, Viktor Steinmann wrote:
> Dear SwiNOGers
>
> I'm new to JunOS. I like this OS so far, but I'm having a hard time,
> securing this stuff...
>
> Something's wrong in my JunOS filters... Basically I want to block
> everyone from accessing the interface on the router itself, but I want
> to allow traffic to pass the interface. Somehow that doesn't work. See
> below the (relevant) configuration parts:
>
> interfaces {
> xe-0/1/2 {
> description blabla;
> vlan-tagging;
> }
> unit 100 {
> description Blabla;
> vlan-id 100;
> family inet {
> filter {
> input INTERFACE-INCOMING;
> }
> address 192.168.1.1/24
> }
> }
> }
>
>
> policy-options {
> prefix-list MYINTERFACE {
> 192.168.1.1/32;
> }
> }
>
> firewall {
> family inet {
> filter INTERFACE-INCOMING {
> term WAN-ADDRESS {
> from {
> destination-prefix-list {
> MYINTERFACE;
> }
> }
> then {
> discard;
> }
> }
> term ALLOW-ALL {
> then accept;
> }
> }
> }
> }
>
>
> Anybody with a hint, why this filter doesn't actually block traffic to
> 192.168.1.1? I can still ping it.
>
> Kind regards,
>
> Viktor
>
>
>
> _______________________________________________
> swinog mailing list
> swinog@lists.swinog.ch
> https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.swinog.ch_cg
> i-2Dbin_mailman_listinfo_swinog&d=DwIGaQ&c=gxW9PgscCAGwFImBgfkGkoANogu
> 61GVPNv0sglxAtik&r=iP8sTuVRgAcKV3rX1un4bVjVf0zAfdC0fBAbdM6SSuw&m=MgI1s
> mDIyOcO3c5VmHqWhbuQqXW0ad_ishglRA2BN5I&s=5GfoVqD-u9mGMj-U7NBH5djD_T9us
> tSe2k4e9iZ_oUo&e=
_______________________________________________
swinog mailing list
swinog@lists.swinog.ch
https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.swinog.ch_cgi-2Dbin_mailman_listinfo_swinog&d=DwIGaQ&c=gxW9PgscCAGwFImBgfkGkoANogu61GVPNv0sglxAtik&r=iP8sTuVRgAcKV3rX1un4bVjVf0zAfdC0fBAbdM6SSuw&m=MgI1smDIyOcO3c5VmHqWhbuQqXW0ad_ishglRA2BN5I&s=5GfoVqD-u9mGMj-U7NBH5djD_T9ustSe2k4e9iZ_oUo&e=
This email is from Equinix (EMEA) B.V. or one of its associated companies in
the territory from where this email has been sent. This email, and any files
transmitted with it, contains information which is confidential, is solely for
the use of the intended recipient and may be legally privileged. If you have
received this email in error, please notify the sender and delete this email
immediately. Equinix (EMEA) B.V.. Registered Office: Amstelplein 1, 1096 HA
Amsterdam, The Netherlands. Registered in The Netherlands No. 57577889.
_______________________________________________
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
