Note: The following syntax/configuration has been tested with a PPPoE setup.
Configure Addresses
First of all, the addresses that are allowed management access to the device are configured. This also includes any DNS servers that your SRX will need to use, which prevents their return responses from being denied.
set policy-options prefix-list permitted-ips [IP ADDRESS]/[SUBNET MASK]
Configure System Services
Next, each of the system services that will be allowed inbound on the necessary interfaces is defined.
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust host-inbound-traffic system-services dhcp
set security zones security-zone trust host-inbound-traffic system-services https
set security zones security-zone trust host-inbound-traffic system-services http
set security zones security-zone untrust host-inbound-traffic system-services traceroute
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services dns
set security zones security-zone untrust host-inbound-traffic system-services https
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services http
Configure Filter
Next we define which IPs are allowed access to which services.
set firewall filter admin-services-in term established from tcp-established
set firewall filter admin-services-in term established then accept
set firewall filter admin-services-in term allow_in from protocol udp
set firewall filter admin-services-in term allow_in from protocol tcp
set firewall filter admin-services-in term allow_in from protocol esp
set firewall filter admin-services-in term allow_in from port 500
set firewall filter admin-services-in term allow_in from port 4500
set firewall filter admin-services-in term allow_in from port 443
set firewall filter admin-services-in term allow_in from port dhcp
set firewall filter admin-services-in term allow_in then accept
set firewall filter admin-services-in term allow_in_ipv4_ping from protocol icmp
set firewall filter admin-services-in term allow_in_ipv4_ping from icmp-type echo-reply
set firewall filter admin-services-in term allow_in_ipv6_ping from protocol icmpv6
set firewall filter admin-services-in term allow_in_ipv6_ping from icmp-type echo-reply
set firewall filter admin-services-in term allow_ntp from destination-port 123
set firewall filter admin-services-in term deny_in from source-address 0.0.0.0/0
set firewall filter admin-services-in term deny_in from source-prefix-list permitted-ips except
set firewall filter admin-services-in term deny_in then count deny_count
set firewall filter admin-services-in term deny_in then syslog
set firewall filter admin-services-in term deny_in then discard
set firewall filter admin-services-in term accept_everything_else then accept
set firewall filter admin-services-out term allow-all then accept
Assign Filter
Finally, the filters are assigned to the loopback interface.
Note: Each filter is assigned to the loopback interface, as this ensures that only management traffic (traffic destined to the box itself) is filtered.
set interfaces lo0 unit 0 family inet filter input admin-services-in
set interfaces lo0 unit 0 family inet filter output admin-services-out
Troubleshooting
Configure the log file
set system syslog file firewall firewall info
View Log
root@srx240l> show log firewall
Sep 1 22:30:14 srx240 clear-log[15397]: logfile cleared
Sep 2 01:51:44 srx240l srx240l PFE_FW_SYSLOG_IP: FW: pp0.0 D tcp 176.20.7.244 94.15.8.26 57837 34105 (1 packets)
Sep 2 01:51:53 srx240l last message repeated 2 times
Sep 2 12:35:06 srx240l srx240l PFE_FW_SYSLOG_IP: FW: pp0.0 D tcp 8.2.13.83 4.15.26.70 18978 22 (2 packets)
Sep 2 12:35:08 srx240l srx240l PFE_FW_SYSLOG_IP: FW: pp0.0 D tcp 82.132.19.83 94.15.26.70 18978 22 (2 packets)
Sep 2 12:35:11 srx240l srx240l PFE_FW_SYSLOG_IP: FW: pp0.0 D tcp 2.2.39.83 94.15.26.70 18978 22 (2 packets)
Sep 2 12:35:14 srx240l srx240l PFE_FW_SYSLOG_IP: FW: pp0.0 D tcp 2.12.19.83 94.1.2.70 18978 22 (1 packets)
Sep 2 12:35:16 srx240l srx240l PFE_FW_SYSLOG_IP: FW: pp0.0 D tcp 2.132.19.83 94.1.2.70 18978 22 (1 packets)
Sep 2 12:35:19 srx240l srx240l PFE_FW_SYSLOG_IP: FW: pp0.0 D tcp 2.132.13.206 94.1.26.70 21438 22 (3 packets)
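To make the deny_in syslog entries easier to review, here is a short added Python script (not part of the original post and not Junos tooling) that parses PFE_FW_SYSLOG_IP lines in the format shown above, folds "last message repeated N times" lines into the preceding record, and totals discarded packets per source and destination port. The sample log is constructed from the format above with made-up addresses.

```python
import re
from collections import Counter

# Constructed sample of "show log firewall" output from the deny_in term's
# syslog action. Addresses are made up; the record layout matches the post.
SAMPLE_LOG = """\
Sep 2 01:51:44 srx240l srx240l PFE_FW_SYSLOG_IP: FW: pp0.0 D tcp 176.20.7.244 94.15.8.26 57837 34105 (1 packets)
Sep 2 01:51:53 srx240l last message repeated 2 times
Sep 2 12:35:06 srx240l srx240l PFE_FW_SYSLOG_IP: FW: pp0.0 D tcp 8.2.13.83 4.15.26.70 18978 22 (2 packets)
Sep 2 12:35:11 srx240l srx240l PFE_FW_SYSLOG_IP: FW: pp0.0 D tcp 2.2.39.83 94.15.26.70 18978 22 (2 packets)
Sep 2 12:35:19 srx240l srx240l PFE_FW_SYSLOG_IP: FW: pp0.0 D tcp 2.132.13.206 94.1.26.70 21438 22 (3 packets)
"""

# One record: FW: <ifl> <A|D> <proto> <src> <dst> <sport> <dport> (<n> packets)
FW_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+\S+\s+PFE_FW_SYSLOG_IP: FW: "
    r"(?P<ifl>\S+) (?P<action>[AD]) (?P<proto>\S+) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<sport>\d+) (?P<dport>\d+) \((?P<pkts>\d+) packets\)$"
)
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times$")


def parse_firewall_log(text):
    """Return one dict per PFE_FW_SYSLOG_IP record.

    A "last message repeated N times" line is folded into the previous record
    as rec["repeats"] += N, so packet totals are not undercounted.
    """
    records = []
    for line in text.splitlines():
        m = FW_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            for key in ("sport", "dport", "pkts"):
                rec[key] = int(rec[key])
            rec["repeats"] = 0
            records.append(rec)
            continue
        r = REPEAT_RE.search(line)
        if r and records:
            records[-1]["repeats"] += int(r.group("n"))
    return records


def denied_by_source_and_port(records):
    """Total packets discarded (action D) per (source address, destination port)."""
    totals = Counter()
    for rec in records:
        if rec["action"] == "D":
            totals[(rec["src"], rec["dport"])] += rec["pkts"] * (1 + rec["repeats"])
    return totals


def denied_per_dport(records):
    """Total discarded packets per destination port, e.g. to spot SSH (22) probing."""
    totals = Counter()
    for (src, dport), n in denied_by_source_and_port(records).items():
        totals[dport] += n
    return totals
```

Run it against the output of `show log firewall` saved to a file to see which sources are repeatedly hitting management ports that the deny_in term discards.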