SRX firewall filter

There are several ways of blocking certain type of traffic. One of them is a firewall filter. You may be asking why to use firewall filter instead of a security policy. The reason is firewall filter is at the very early stage of packet processing and it needs less processing power than security policies. You can take a look at srx firewall packet flow diagram if you wish.

Another important facet of these filters is they are stateless. It does have no session intelligence. Below is a sample firewall filter to reject incoming icmp echo packets from 192.168.0.101/32 address on vlan.10 interface:

1) First set firewall filter named block_icmp

[edit]
root@hub# show firewall
filter block_icmp {
    term 1 {
        from {
            source-address {
                192.168.0.101/32;
            }
            icmp-type echo-request;
        }
        then {
            count count_icmp;
            reject;
        }
    }
    term 2 {
        then accept;
    }
}

WARNING: One of the most important point that we must keep in mind is that there is an implicit drop of packets. If you don’t put an “accept” statement, you will block everything.

2) Second step of firewall filter is to apply the filter on an interface which is vlan.10 in our example.

[edit]
root@hub# show interfaces vlan.10
family inet {
    filter {
        input block_icmp;
    }
    address 192.168.0.1/24;
}

Once you commit this changes, your icmp echo packets from 192.168.0.101 will be rejected with icmp type 3 (Destination unrechable) and Code 13 (Communication administratively filtered)

3) Counting packets

You might have noticed the count option in the filter. As the name implies, it is to count the packets processed in this filter. To see the counters;

[edit]
root@hub# run show firewall filter counter count_icmp block_icmp

Filter: block_icmp
Counters:
Name                                                Bytes              Packets
count_icmp                                          14028                  167

About: rtoodtoo

Worked for more than 10 years as a Network/Support Engineer and also interested in Python, Linux, Security and SD-WAN // JNCIE-SEC #223 / RHCE / PCNSE


You have a feedback?

Discover more from RtoDto.net

Subscribe now to keep reading and get access to the full archive.

Continue reading