Hi,
______________________________________________________________________________________________
You're saying to specify 192.168.1.66/32 as the source- address for an output filter, but that is backwards. An output filter is for traffic going out of an interface, so it should use destination-address. Likewise, the input filter should use source-address.
______________________________________________________________________________________________
The filter should be viewed from the perspective of the interface it is being applied on. An output filter is indeed for traffic going out of an interface, likewise an input filter is for traffic coming into an interface.
source-address and destination-address are matching conditions used in the filter, which basically inspects the packet going through that interface [in or out, depending on the direction in which the filter is applied].
If the matching condition is 'from source-address', the filter will look at the Src IP address field in the IP header.
Similarly, if the matching condition is 'from destination-address', the filter will look at the Dst IP address field in the IP header.
Assuming the NAS has the IP address 192.168.1.65, packets from the NAS to 192.168.1.66 coming into port ge-0/0/5 [input filter] will have IP headers:
Src IP: 192.168.1.65, Dst IP: 192.168.1.66.
NAS-Inbound Filter evaluation:
if src ip == 192.168.1.66/32 -> accept [Result = False] Else -> reject
This is why your initial NAS-Inbound filter was blocking all traffic.
Proposed Option 2 Filter evaluation:
if dst ip == 192.168.1.66/32 -> accept [Result = True] Else -> reject
This should work.
An input or output filter should be able to use any of the matching conditions you listed.
A filter can have a combination of matching conditions as well. Example:
from { source-address x.x.x.x/x; destination-address y.y.y.y/y; ...... }
That allows the term to provide more granular filtering, as the different matching conditions are logically ANDed.
I would suggest trying either Option 1 or Option 2 again.
With regard to Option 1 or Option 2, there are considerations as to whether to apply an input or an output filter, depending on what is being protected/secured. If the NAS is the device being secured, an input filter on ge-0/0/5 will block outgoing traffic from the NAS [this could be traffic originated by the NAS or reply packets].
If an output filter is applied, any traffic intended for the NAS, except from the IPs listed in the filter, will be blocked. If, for instance, a DoS attack is targeting the NAS, an output filter on ge-0/0/5 is more effective.
Hope this helps.
Cheers,
Ashvin
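An added example, not part of Ashvin's post or any Juniper code: a small Python model of the term evaluation described above (every 'from' condition within a term is ANDed, the first matching term wins, and an implicit discard applies when nothing matches), run against the constructed NAS packet. The term names and the NAS address 192.168.1.65 are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Packet:
    src: str   # Src IP field of the IP header
    dst: str   # Dst IP field of the IP header

@dataclass
class Term:
    """One filter term. Every 'from' condition that is present must match (logical AND)."""
    name: str
    action: str                                # "accept" or "discard"
    source_address: Optional[str] = None       # from { source-address ...; }
    destination_address: Optional[str] = None  # from { destination-address ...; }

    def matches(self, pkt: Packet) -> bool:
        conditions = []
        if self.source_address is not None:
            conditions.append(ipaddress.ip_address(pkt.src)
                              in ipaddress.ip_network(self.source_address, strict=False))
        if self.destination_address is not None:
            conditions.append(ipaddress.ip_address(pkt.dst)
                              in ipaddress.ip_network(self.destination_address, strict=False))
        return all(conditions)  # a term with no 'from' conditions matches every packet

def evaluate(terms: List[Term], pkt: Packet) -> str:
    """Terms are tried in order; the first match decides. No match -> implicit discard."""
    for term in terms:
        if term.matches(pkt):
            return term.action
    return "discard"

# Constructed filters mirroring the thread: the original NAS-Inbound filter matched on
# source-address, Option 2 matches on destination-address (both applied on ge-0/0/5).
NAS_INBOUND = [Term("allow-66", "accept", source_address="192.168.1.66/32")]
OPTION_2 = [Term("allow-to-66", "accept", destination_address="192.168.1.66/32")]
# One term combining both conditions, as in 'from { source-address ...; destination-address ...; }'
COMBINED = [Term("nas-to-66", "accept", source_address="192.168.1.65/32",
                 destination_address="192.168.1.66/32")]

# Constructed packet from the NAS (assumed 192.168.1.65) to 192.168.1.66, entering ge-0/0/5.
NAS_TO_66 = Packet(src="192.168.1.65", dst="192.168.1.66")

if __name__ == "__main__":
    for label, terms in (("NAS-Inbound", NAS_INBOUND), ("Option 2", OPTION_2), ("Combined", COMBINED)):
        print(f"{label}: {evaluate(terms, NAS_TO_66)}")
```

Running it shows NAS-Inbound discarding the NAS packet (Src IP is .65, not .66) while Option 2 accepts it, which is exactly the difference the post explains.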