Firewalling With Multiple Loopbacks
Jump to navigation
Jump to search
Normal practice with Juniper gear is to apply your system-level firewall to interface lo0.0 (loopback 0, unit 0). Be very careful when creating additional loopbacks and using them with routing instances, as you may not get the firewalling you expected!
Here are the scenarios and results:
- Interface lo0.0 is in your global table and has Filter0 applied. The VRF has no loopback interface configured.
- The VRF uses Filter0
- Interface lo0.0 is in your global table and has Filter0 applied. Interface lo0.1 is in a VRF and has Filter1 applied.
- The VRF will use Filter1
- Interface lo0.0 is in your global table and has Filter0 applied. Interface lo0.1 is in a VRF and has no filter applied.
- The VRF will not use a filter!
To prevent mishaps, create the following apply group:
groups {
APPLY_FIREWALL_TO_ALL_LOOPBACKS {
/* This will apply the default system firewall to any loopbacks added to a VRF that don't have a filter applied.
If you need to remove the firewall from one unit, use this command: apply-groups-except APPLY_FIREWALL_TO_ALL_LOOPBACKS*/
interfaces {
lo0 {
unit <*> {
family inet {
filter {
input YOURFIREWALLNAMEHERE;
}}}}}}}
And apply it to your interface lo0
set interfaces lo0 apply-groups APPLY_FIREWALL_TO_ALL_LOOPBACKS
If you have IPv6 on your gear, you can include it in the apply group:
groups {
APPLY_FIREWALL_TO_ALL_LOOPBACKS {
/* This will apply the default system firewall to any loopbacks added to a VRF that don't have a filter applied.
If you need to remove the firewall from one unit, use this command: apply-groups-except APPLY_FIREWALL_TO_ALL_LOOPBACKS*/
interfaces {
lo0 {
unit <*> {
family inet {
filter {
input YOURFIREWALLNAMEHERE;
}
}
family inet6 {
filter {
input YOURFIREWALLNAMEHERE-V6;
}}}}}}}