Packet filtering settings that use the packet's source port number as a match condition

Versions on which operation was confirmed: vSRX Version15.1X49-D105.1, vSRX Version19.2R1.8, vSRX Version20.4R2

Packet filtering can be configured on vSRX. This page describes filter settings that use the source port number as a match condition.

Setting for rejecting communications with a specific source port number

This setting discards packets with a specific source port number at the firewall interface and forwards packets with any other source port number.

Presumed case for sample setting

  • Reject communications whose source port number is 22 (SSH reply packets)

  • Accept and forward all communications whose source port number is not 22

  • Apply the filter to traffic entering interface ge-0/0/2

[Figure: vsrx_srcport_fig1]

Setting flow in a presumed case

1. Name the packet filter SSH.
2. Define TERM1 as the policy that discards packets whose source port number is 22.
3. Define TERM2 as the policy that accepts packets whose source port number is not 22.
4. Apply the filter in the input direction on interface ge-0/0/2.

Commands to enter in the CLI

user01@vSRX-02# set firewall filter SSH term TERM1 from protocol tcp
user01@vSRX-02# set firewall filter SSH term TERM1 from source-port 22
user01@vSRX-02# set firewall filter SSH term TERM1 then discard
user01@vSRX-02# set firewall filter SSH term TERM2 then accept
user01@vSRX-02# set interfaces ge-0/0/2 unit 0 family inet filter input SSH

The resulting configuration is as follows.

interfaces {
    ge-0/0/2 {
        unit 0 {
            family inet {
                filter {
                    input SSH;
                }
                address 192.168.3.102/24;
            }
        }
    }
}
firewall {
    filter SSH {
        term TERM1 {
            from {
                protocol tcp;
                source-port 22;
            }
            then {
                discard;
            }
        }
        term TERM2 {
            then accept;
        }
    }
}

Operation check result

The log below confirms that the packet filter works: ping from the virtual server (192.168.2.12) in the verification configuration diagram to the virtual server (192.168.3.13) succeeds, while SSH fails. The ssh session never completes and has to be interrupted with ^C, because the server's reply packets, which carry source port 22, are discarded as they enter ge-0/0/2.

[user01@centsv-02 ~]$ ssh user01@192.168.3.13
^C
[user01@centsv-02 ~]$
[user01@centsv-02 ~]$ ping 192.168.3.203 -c 5
PING 192.168.3.203 (192.168.3.203) 56(84) bytes of data.
64 bytes from 192.168.3.203: icmp_seq=1 ttl=63 time=2.48 ms
64 bytes from 192.168.3.203: icmp_seq=2 ttl=63 time=0.968 ms
64 bytes from 192.168.3.203: icmp_seq=3 ttl=63 time=0.868 ms
64 bytes from 192.168.3.203: icmp_seq=4 ttl=63 time=0.926 ms
64 bytes from 192.168.3.203: icmp_seq=5 ttl=63 time=0.910 ms
--- 192.168.3.203 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4003ms
rtt min/avg/max/mdev = 0.868/1.231/2.483/0.626 ms
[user01@centsv-02 ~]$

Setting for accepting only communications with a specific source port number

This setting accepts only packets with a specific source port number at the firewall interface and discards all other packets.

Presumed case for sample setting

  • Forward communications whose source port number is 22 (SSH reply packets)

  • Reject all communications whose source port number is not 22

  • Apply the filter to traffic entering interface ge-0/0/2

[Figure: vsrx_srcport_fig2]

Setting flow in a presumed case

1. Name the packet filter SSH.
2. Define TERM1 as the policy that accepts packets whose source port number is 22.
3. Define TERM2 as the policy that discards packets whose source port number is not 22.
4. Apply the filter in the input direction on interface ge-0/0/2.

Commands to enter in the CLI

user01@vSRX-02# set firewall filter SSH term TERM1 from protocol tcp
user01@vSRX-02# set firewall filter SSH term TERM1 from source-port 22
user01@vSRX-02# set firewall filter SSH term TERM1 then accept
user01@vSRX-02# set firewall filter SSH term TERM2 then discard
user01@vSRX-02# set interfaces ge-0/0/2 unit 0 family inet filter input SSH

The resulting configuration is as follows.

interfaces {
    ge-0/0/2 {
        unit 0 {
            family inet {
                filter {
                    input SSH;
                }
                address 192.168.3.102/24;
            }
        }
    }
}
firewall {
    filter SSH {
        term TERM1 {
            from {
                protocol tcp;
                source-port 22;
            }
            then accept;
        }
        term TERM2 {
            then {
                discard;
            }
        }
    }
}

Operation check result

The log below confirms that the packet filter works: SSH from the virtual server (192.168.2.12) in the verification configuration diagram to the virtual server (192.168.3.13) succeeds, while ping from the virtual server (192.168.2.12) to the virtual router (192.168.3.203) fails. The ICMP echo replies carry no TCP source port, so they do not match TERM1 and are discarded by TERM2.

[user01@centsv-02 ~]$ ping 192.168.3.203 -c 5
PING 192.168.3.203 (192.168.3.203) 56(84) bytes of data.

--- 192.168.3.203 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 3999ms

[user01@centsv-02 ~]$ ssh user01@192.168.3.13
user01@192.168.3.13's password:
Last login: Mon Sep 25 07:40:57 2017 from 192.168.2.202
Thanks for using Official Template (CentOS).

====================================================
* Time Zone *
   Default TimeZone is UTC.

* Stack (Application Set) *
   Default install apps is following.
     - chrony
     - acpid
     - cloud-init

   You can update those apps to latest version with
     #yum update

* To Change this message *
   please edit "/etc/motd".
====================================================
[user01@centsv-03 ~]$

Rejection setting using a source port number range

This setting discards only packets whose source port number falls within a specified range at the firewall interface and forwards all other packets.

Presumed case for sample setting

  • Reject only communications whose source port number is 22 or 23

  • Forward all communications whose source port number is neither 22 nor 23

  • Apply the filter to traffic entering interface ge-0/0/1

[Figure: vsrx_srcport_fig3]

Setting flow in a presumed case

1. Name the packet filter Return_SSH_TELNET_DENY.
2. Define term 1 as the policy that discards packets whose source port number is 22 or 23.
3. Define term 2 as the policy that accepts packets whose source port number is neither 22 nor 23.
4. Apply the filter in the input direction on interface ge-0/0/1.

Commands to enter in the CLI

user01@vSRX-02# set firewall filter Return_SSH_TELNET_DENY term 1 from protocol tcp
user01@vSRX-02# set firewall filter Return_SSH_TELNET_DENY term 1 from source-port 22-23
user01@vSRX-02# set firewall filter Return_SSH_TELNET_DENY term 1 then discard
user01@vSRX-02# set firewall filter Return_SSH_TELNET_DENY term 2 then accept
user01@vSRX-02# set interfaces ge-0/0/1 unit 0 family inet filter input Return_SSH_TELNET_DENY

The resulting configuration is as follows.

interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                filter {
                    input Return_SSH_TELNET_DENY;
                }
                address 192.168.2.102/24;
            }
        }
    }
}
firewall {
    filter Return_SSH_TELNET_DENY {
        term 1 {
            from {
                protocol tcp;
                source-port 22-23;
            }
            then {
                discard;
            }
        }
        term 2 {
            then accept;
        }
    }
}

Operation check result

The log below confirms that the packet filter works: communication from the virtual router (192.168.1.201) in the verification configuration diagram to port 80 of the virtual router (192.168.2.202) succeeds, while communication from the virtual router (192.168.1.201) to ports 22 and 23 of the virtual router (192.168.2.202) fails.

user01@vRouter-01:~$ wget http://192.168.2.202
--2017-09-28 03:43:29--  http://192.168.2.202/
Connecting to 192.168.2.202:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1057 (1.0K) [text/html]
Saving to: ‘index.html’

index.html            0%[                      ]       0  --.-KB/s
index.html          100%[=====================>]   1.03K  --.-KB/s   in 0s

2017-09-28 03:43:29 (113 MB/s) - ‘index.html’ saved [1057/1057]


user01@vRouter-01:~$ ssh user01@192.168.2.202
^C
user01@vRouter-01:~$
user01@vRouter-01:~$ telnet 192.168.2.202

Trying 192.168.2.202...
^C
user01@vRouter-01:~$

Acceptance setting using a source port number range

This setting accepts only packets whose source port number falls within the specified range at the firewall interface and discards all other packets.

Presumed case for sample setting

  • Forward only communications whose source port number is 22 or 23

  • Reject all communications whose source port number is neither 22 nor 23

  • Apply the filter to traffic entering interface ge-0/0/1

[Figure: vsrx_srcport_fig4]

Setting flow in a presumed case

1. Name the packet filter Return_SSH_TELNET_PERMIT.
2. Define term 1 as the policy that accepts packets whose source port number is 22 or 23.
3. Define term 2 as the policy that discards packets whose source port number is neither 22 nor 23.
4. Apply the filter in the input direction on interface ge-0/0/1.

Commands to enter in the CLI

user01@vSRX-02# set firewall filter Return_SSH_TELNET_PERMIT term 1 from protocol tcp
user01@vSRX-02# set firewall filter Return_SSH_TELNET_PERMIT term 1 from source-port 22-23
user01@vSRX-02# set firewall filter Return_SSH_TELNET_PERMIT term 1 then accept
user01@vSRX-02# set firewall filter Return_SSH_TELNET_PERMIT term 2 then discard
user01@vSRX-02# set interfaces ge-0/0/1 unit 0 family inet filter input Return_SSH_TELNET_PERMIT

The resulting configuration is as follows.

interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                filter {
                    input Return_SSH_TELNET_PERMIT;
                }
                address 192.168.2.102/24;
            }
        }
    }
}
firewall {
    filter Return_SSH_TELNET_PERMIT {
        term 1 {
            from {
                protocol tcp;
                source-port 22-23;
            }
            then accept;
        }
        term 2 {
            then {
                discard;
            }
        }
    }
}

Operation check result

The log below confirms that the packet filter works: communication from the virtual router (192.168.1.201) in the verification configuration diagram to ports 22 and 23 of the virtual router (192.168.2.202) succeeds, while ping and wget (port number 80) fail.

Results of SSH and TELNET access from the virtual router (192.168.1.201) to the virtual router (192.168.2.202)

user01@vRouter-01:~$ ssh user01@192.168.2.202
Welcome to Brocade Vyatta Network OS

user01@192.168.2.202's password:
Welcome to Brocade Vyatta Network OS
Version:      5.2R4
Description:  Brocade Vyatta Network OS 5600 5.2R4 Standard
Last login: Thu Sep 28 03:32:37 2017 from 192.168.1.201
user01@vRouter-02:~$
user01@vRouter-02:~$ exit
logout
Connection to 192.168.2.202 closed.
user01@vRouter-01:~$
user01@vRouter-01:~$ telnet 192.168.2.202
Trying 192.168.3.203...
Connected to 192.168.2.202.
Escape character is '^]'.

Welcome to Brocade Vyatta Network OS

vRouter-02 login: user01
Password:
Welcome to Brocade Vyatta Network OS
Version:      5.2R4
Description:  Brocade Vyatta Network OS 5600 5.2R4 Standard
user01@vRouter-02:~$

Results of ping and wget (port number 80) communication from the virtual router (192.168.1.201) to the virtual server (192.168.2.12)

user01@vRouter-01:~$ ping 192.168.2.12 count 5
PING 192.168.2.12 (192.168.2.12) 56(84) bytes of data.

--- 192.168.2.12 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4004ms

user01@vRouter-01:~$
user01@vRouter-01:~$ wget http://192.168.2.202
--2017-09-28 03:51:44--  http://192.168.2.202/
Connecting to 192.168.2.202:80...
^C
user01@vRouter-01:~$
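To make the term-by-term evaluation behind the four filters on this page concrete, here is an added example (not part of this page or of Junos itself): a small Python simulator that applies the filters configured above to constructed sample packets. It assumes Junos first-match semantics, that is, the first term whose from conditions all hold decides the action and a packet matching no term is dropped by the implicit discard at the end of the filter; the packet dictionaries and helper names are the example's own.

```python
# Added example, not from the page: simulates Junos first-match evaluation of a
# stateless firewall filter for the four filters configured above. Assumption:
# a packet matching no term is dropped by the filter's implicit final discard.

def _port_range(spec):
    lo, _, hi = spec.partition("-")      # '22' -> (22, 22); '22-23' -> (22, 23)
    return int(lo), int(hi or lo)

def term(name, then, **match):
    # match keys mirror the 'from' clause: protocol=..., source_port=...
    return {"name": name, "from": match, "then": then}

def term_matches(t, pkt):
    frm = t["from"]                      # every 'from' condition must hold
    if "protocol" in frm and pkt["protocol"] != frm["protocol"]:
        return False
    if "source_port" in frm:
        lo, hi = _port_range(frm["source_port"])
        # ICMP carries no ports, so a source-port condition never matches it
        if pkt.get("sport") is None or not lo <= pkt["sport"] <= hi:
            return False
    return True

def evaluate(terms, pkt):
    """Return (action, term name) for the first matching term."""
    for t in terms:
        if term_matches(t, pkt):
            return t["then"], t["name"]
    return "discard", "<implicit>"       # no term matched: implicit discard

# The four filters from this page, transcribed into the simulator's form
SSH_DENY = [term("TERM1", "discard", protocol="tcp", source_port="22"),
            term("TERM2", "accept")]
SSH_PERMIT = [term("TERM1", "accept", protocol="tcp", source_port="22"),
              term("TERM2", "discard")]
RANGE_DENY = [term("1", "discard", protocol="tcp", source_port="22-23"),
              term("2", "accept")]
RANGE_PERMIT = [term("1", "accept", protocol="tcp", source_port="22-23"),
                term("2", "discard")]

# Constructed sample packets as they would enter the filtered interface
PACKETS = {"ssh reply": {"protocol": "tcp", "sport": 22},
           "telnet reply": {"protocol": "tcp", "sport": 23},
           "http reply": {"protocol": "tcp", "sport": 80},
           "icmp echo": {"protocol": "icmp", "sport": None},
           "udp from 22": {"protocol": "udp", "sport": 22}}  # 'protocol tcp' keeps this out of term 1

if __name__ == "__main__":
    for f in (SSH_DENY, SSH_PERMIT, RANGE_DENY, RANGE_PERMIT):
        print([f"{n}: {evaluate(f, p)[0]}" for n, p in PACKETS.items()])
```

Running the script shows, for each filter, that only TCP packets from the listed source ports hit term 1 and that everything else, ICMP included, falls to the catch-all term, which is why the catch-all term must be present and its action chosen deliberately.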