Hello!
I have a strange behaviour with a firewall filter on EX4300. This firewall filter is configured on the loopback interface. The switch, which also acts as a router (inter-VLAN and OSPF), is the gateway for many VLANs (8 VLANs). The firewall filter allows OSPF, SSH, SNMP and other management protocols. At the end of the filter, I have a term which drops UDP and another one which drops TCP, and then the default explicit discard term.
I don't understand why the filter drops UDP or TCP traffic that is not destined to the switch routing engine but to hosts belonging to different VLANs hosted by the switch. It also drops traffic from an external source (learned by OSPF) to a host on some VLAN.
Here is some output:
From the output below, you can see that the firewall filter drops traffic from source address 10.70.100.117 (external source learned via OSPF) to destination address 10.60.113.179 (VLAN 112 => switch IP: 10.60.112.1/23)
admin@EX4300> show firewall log
Log :
Time      Filter    Action Interface     Protocol  Src Addr        Dest Addr
22:57:27  pfe       D      ge-1/0/31.0   UDP       10.70.100.117   10.60.113.179
22:57:14  pfe       D      ge-1/0/31.0   UDP       10.70.100.117   10.60.113.179
22:57:03  pfe       D      ge-1/0/31.0   UDP       10.70.100.117   10.60.113.179
22:54:10  pfe       D      ge-1/0/31.0   UDP       10.70.100.117   10.60.113.179
22:53:57  pfe       D      ge-1/0/31.0   UDP       10.70.100.117   10.60.113.179
22:53:46  pfe       D      ge-1/0/31.0   UDP       10.70.100.117   10.60.113.179
By clearing the log and firewall stats, I saw the drop was made by the term DISCARD-UDP:
admin@EX4300> show firewall filter ACCESS-CONTROL
Filter: ACCESS-CONTROL
Counters:
Name Bytes Packets
ACCEPT-DNS 0 0
ACCEPT-ICMP 4590 45
ACCEPT-NTP 188 2
ACCEPT-SNMP 7929 45
ACCEPT-SSH 86914 1063
ACCEPT-TRACEROUTE-ICMP 0 0
ACCEPT-TRACEROUTE-UDP 0 0
DISCARD-ALL-TTL_1-UNKNOWN 0 0
DISCARD-ICMP 0 0
DISCARD-IP-OPTIONS 0 0
DISCARD-NETBIOS 0 0
DISCARD-SLP 0 0
DISCARD-SSDP 6815 18
DISCARD-TCP 0 0
DISCARD-UDP 522 6
DISCARD-UNKNOWN 0 0
NO-ICMP-FRAG 0 0
Policers:
Name Bytes Packets
LIMIT-1M-ACCEPT-DHCP-RELAY 0 0
LIMIT-1M-ACCEPT-DNS 0 0
LIMIT-1M-ACCEPT-NTP 0 0
LIMIT-1M-ACCEPT-TRACEROUTE-ICMP 0 0
LIMIT-1M-ACCEPT-TRACEROUTE-UDP 0 0
LIMIT-5M-ACCEPT-ICMP 0 0
LIMIT-5M-ACCEPT-SNMP 0 0
LIMIT-5M-ACCEPT-SSH 0 0
LIMIT-5M-ACCEPT-SSH-SFR-TMP 0 0
If you look at the firewall filter term DISCARD-UDP configuration, it does not include any interface reference:
term DISCARD-UDP {
    from {
        protocol udp;
    }
    then {
        count DISCARD-UDP;
        log;
        discard;
    }
}
From my understanding, firewall filters applied to the loopback interface affect the local packets destined for or transmitted from the Routing Engine. So why is this traffic dropped?
The firewall filter:
firewall {
    family inet {
        filter ACCESS-CONTROL {
            term DISCARD-IP-OPTIONS {
                from {
                    ip-options any;
                }
                then {
                    count DISCARD-IP-OPTIONS;
                    log;
                    discard;
                }
            }
            term NO-ICMP-FRAGMENTS {
                from {
                    is-fragment;
                    protocol icmp;
                }
                then {
                    count NO-ICMP-FRAG;
                    log;
                    discard;
                }
            }
            term ACCEPT-OSPF {
                from {
                    source-prefix-list {
                        ROUTER-IPV4;
                    }
                    destination-prefix-list {
                        OSPF-ADDRESS;
                        ROUTER-IPV4;
                    }
                    protocol ospf;
                }
                then accept;
            }
            term ACCEPT-SSH {
                from {
                    source-prefix-list {
                        SSH-LIST;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    policer LIMIT-5M;
                    count ACCEPT-SSH;
                    accept;
                }
            }
            term ACCEPT-SSH-SFR-TMP {
                from {
                    source-address {
                        10.0.0.0/8;
                    }
                    destination-address {
                        10.0.0.0/8;
                    }
                    protocol tcp;
                }
                then {
                    policer LIMIT-5M;
                    count ACCEPT-SSH;
                    accept;
                }
            }
            term ACCEPT-SNMP {
                from {
                    source-prefix-list {
                        SNMP-CLIENT-LISTS;
                        SNMP-COMMUNITY-CLIENTS;
                    }
                    destination-prefix-list {
                        LOOPBACK;
                    }
                    protocol udp;
                    destination-port snmp;
                }
                then {
                    policer LIMIT-5M;
                    count ACCEPT-SNMP;
                    accept;
                }
            }
            term ACCEPT-NTP {
                from {
                    source-prefix-list {
                        NTP-SERVER;
                        NTP-BOOT-SERVER;
                    }
                    destination-prefix-list {
                        LOOPBACK;
                    }
                    protocol udp;
                    destination-port ntp;
                }
                then {
                    policer LIMIT-1M;
                    count ACCEPT-NTP;
                    accept;
                }
            }
            term ACCEPT-TRACEROUTE-UDP {
                from {
                    protocol udp;
                    ttl 1;
                    destination-port 33435-33450;
                }
                then {
                    policer LIMIT-1M;
                    count ACCEPT-TRACEROUTE-UDP;
                    accept;
                }
            }
            term ACCEPT-TRACEROUTE-ICMP {
                from {
                    protocol icmp;
                    ttl 1;
                    icmp-type [ echo-request timestamp time-exceeded ];
                }
                then {
                    policer LIMIT-1M;
                    count ACCEPT-TRACEROUTE-ICMP;
                    accept;
                }
            }
            term ACCEPT-TACAS {
                from {
                    source-prefix-list {
                        TACAS-SERVERS;
                    }
                    destination-prefix-list {
                        LOOPBACK;
                    }
                    protocol [ tcp udp ];
                    source-port [ tacacs tacacs-ds ];
                    tcp-established;
                }
                then {
                    policer LIMIT-1M;
                    count ACCEPT-TACAS;
                    accept;
                }
            }
            term ACCEPT-DNS {
                from {
                    source-prefix-list {
                        DNS-SERVERS;
                    }
                    destination-prefix-list {
                        LOOPBACK;
                    }
                    protocol [ udp tcp ];
                    source-port 53;
                }
                then {
                    policer LIMIT-1M;
                    count ACCEPT-DNS;
                    accept;
                }
            }
            term ACCEPT-DHCP-RELAY {
                from {
                    source-prefix-list {
                        DHCP-SERVERS;
                    }
                    protocol udp;
                    destination-port 67;
                }
                then {
                    policer LIMIT-1M;
                    accept;
                }
            }
            term ACCEPT-ICMP {
                from {
                    protocol icmp;
                    icmp-type [ echo-reply echo-request time-exceeded unreachable source-quench router-advertisement parameter-problem ];
                }
                then {
                    policer LIMIT-5M;
                    count ACCEPT-ICMP;
                    accept;
                }
            }
            term DISCARD-TTL_1-UNKNOWN {
                from {
                    ttl 1;
                }
                then {
                    count DISCARD-ALL-TTL_1-UNKNOWN;
                    log;
                    discard;
                }
            }
            term DISCARD-TCP {
                from {
                    protocol tcp;
                }
                then {
                    count DISCARD-TCP;
                    log;
                    discard;
                }
            }
            term DISCARD-NETBIOS {
                from {
                    protocol udp;
                    destination-port 137;
                }
                then {
                    count DISCARD-NETBIOS;
                    log;
                    discard;
                }
            }
            term DISCARD-UDP {
                from {
                    protocol udp;
                }
                then {
                    count DISCARD-UDP;
                    log;
                    discard;
                }
            }
            term DISCARD-ICMP {
                from {
                    protocol icmp;
                }
                then {
                    count DISCARD-ICMP;
                    log;
                    discard;
                }
            }
            term DISCARD-UNKNOWN {
                then {
                    count DISCARD-UNKNOWN;
                    log;
                    discard;
                }
            }
        }
    }
    policer LIMIT-1M {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 256k;
        }
        then discard;
    }
    policer LIMIT-5M {
        if-exceeding {
            bandwidth-limit 5m;
            burst-size-limit 512k;
        }
        then discard;
    }
    policer LIMIT-10M {
        if-exceeding {
            bandwidth-limit 10m;
            burst-size-limit 1m;
        }
        then discard;
    }
}
Thanks for your help!
--
Salah
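As an added example (not part of the original post), a small Python helper that parses the "show firewall log" layout quoted above and separates logged discards whose destination is one of the switch's own addresses from those in transit to a host behind it, which is the distinction the question turns on. The local address set is an assumption built from the VLAN 112 gateway named in the post; a real run would populate it from the switch's interface addresses.

```python
import ipaddress
import re

# Constructed sample in the layout of 'show firewall log' quoted in the post.
# The 10.60.113.179 lines reproduce the post's entries; the 10.60.112.1 line is
# constructed so that one RE-bound drop appears next to the transit ones.
SAMPLE_LOG = """\
Log :
Time      Filter    Action Interface     Protocol  Src Addr        Dest Addr
22:57:27  pfe       D      ge-1/0/31.0   UDP       10.70.100.117   10.60.113.179
22:57:14  pfe       D      ge-1/0/31.0   UDP       10.70.100.117   10.60.113.179
22:57:03  pfe       D      ge-1/0/31.0   UDP       10.70.100.117   10.60.112.1
"""

# Addresses the switch itself answers on (assumption: only the VLAN 112 gateway
# from the post; in practice take these from the switch's interface addresses).
LOCAL_ADDRESSES = {"10.60.112.1"}

# time, filter, action (A/D), interface, protocol, source, destination
LOG_LINE = re.compile(
    r"^(\d\d:\d\d:\d\d)\s+(\S+)\s+(\S)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_firewall_log(text):
    """Return one dict per log entry; the 'Log :' and column header lines are skipped."""
    keys = ("time", "filter", "action", "interface", "protocol", "src", "dst")
    entries = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            entries.append(dict(zip(keys, m.groups())))
    return entries


def split_drops(entries, local_addresses):
    """Split discarded entries into those bound for the RE and those in transit."""
    local = {ipaddress.ip_address(a) for a in local_addresses}
    re_bound, transit = [], []
    for e in entries:
        if e["action"] != "D":
            continue
        (re_bound if ipaddress.ip_address(e["dst"]) in local else transit).append(e)
    return re_bound, transit


def transit_drop_summary(text, local_addresses):
    """Count transit drops per (interface, protocol, src, dst) so the affected flows stand out."""
    _, transit = split_drops(parse_firewall_log(text), local_addresses)
    summary = {}
    for e in transit:
        key = (e["interface"], e["protocol"], e["src"], e["dst"])
        summary[key] = summary.get(key, 0) + 1
    return summary
```

Any non-empty summary is traffic the loopback filter logged even though its destination is not an address of the switch, which is exactly the case to raise with the vendor or check against the platform's loopback-filter behaviour.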