Packet mode and host-inbound traffic
Did you know that if you enable packet mode on a traffic interface of an SRX, host-inbound
traffic is no longer accepted? The device still forwards transit traffic, but traffic addressed
to the box itself is dropped. For example, apply the filter below to an interface and try to
SSH to 98.1.1.1: the session will not be established.
# show interfaces ge-0/0/2
unit 0 {
    family inet {
        filter {
            input inet-packet-mode;
            output inet-packet-mode;
        }
        address 98.1.1.1/24;
    }
}

# top show firewall
family inet {
    filter inet-packet-mode {
        term 10 {
            then {
                packet-mode;
                accept;
            }
        }
    }
}
If you are wondering why: the documentation says that host-inbound traffic is only allowed
if it is sent to the flow daemon (flowd) for inspection, and the packet-mode filter action
is precisely what makes a packet bypass flowd.
PS: You can selectively exclude the local IP from packet mode (match it in an earlier term
that has no packet-mode action), but here I just want to show the behavior change.
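As an added example (not part of the original post), this is one way to do that selective exclusion with an explicit term for the interface address, plus a counter on each term so the CLI can confirm that host-inbound packets hit the flow-mode term rather than the packet-mode term. The filter name, term 10 and the 98.1.1.1 address come from the post; the term name "to-self" and the counter names are my own choice, and the filter is assumed to stay applied as input and output on ge-0/0/2 exactly as above.

```junos
firewall {
    family inet {
        filter inet-packet-mode {
            /* Packets to or from the box itself (address matches source OR destination,
               so the output filter is covered too) stay in flow mode: no packet-mode action */
            term to-self {
                from {
                    address {
                        98.1.1.1/32;
                    }
                }
                then {
                    count to-self;
                    accept;
                }
            }
            /* Everything else is transit: mark it packet-mode so it bypasses flowd */
            term 10 {
                then {
                    count packet-mode;
                    packet-mode;
                    accept;
                }
            }
        }
    }
}
```

After committing, "show firewall filter inet-packet-mode" lists both counters; an SSH session to 98.1.1.1 should increment only "to-self", while forwarded traffic increments "packet-mode". If "to-self" stays at zero while SSH still fails, the address in the term does not match the interface address and the packets are still being sent down the packet-mode path.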
Great information… thanks! Here’s a good workaround:
policy-options {
    /* Collect every IPv4/IPv6 address configured on the box (including logical systems)
       so traffic to or from the router itself can be kept out of packet mode */
    prefix-list router-ipv4 {
        apply-path "interfaces <*> unit <*> family inet address <*>";
    }
    prefix-list router-ipv4-logical-systems {
        apply-path "logical-systems <*> interfaces <*> unit <*> family inet address <*>";
    }
    prefix-list router-ipv6 {
        apply-path "interfaces <*> unit <*> family inet6 address <*>";
    }
    prefix-list router-ipv6-logical-systems {
        apply-path "logical-systems <*> interfaces <*> unit <*> family inet6 address <*>";
    }
}
firewall {
    family inet {
        filter inet-packet-mode {
            /* Host traffic: accept without packet-mode so it still reaches flowd */
            term 5 {
                from {
                    prefix-list {
                        router-ipv4;
                        router-ipv6;
                        router-ipv4-logical-systems;
                        router-ipv6-logical-systems;
                    }
                }
                then accept;
            }
            /* Transit traffic: switch to packet mode */
            term 10 {
                then {
                    packet-mode;
                    accept;
                }
            }
        }
    }
}