Difference between revisions of "Firewalling With Multiple Loopbacks"
Jump to navigation
Jump to search
| (6 intermediate revisions by the same user not shown) | |||
| Line 15: | Line 15: | ||
groups { | groups { | ||
APPLY_FIREWALL_TO_ALL_LOOPBACKS { | APPLY_FIREWALL_TO_ALL_LOOPBACKS { | ||
| − | /* | + | /* This will apply the default system firewall to any loopbacks added to a VRF that don't have a filter applied. |
| + | If you need to remove the firewall from one unit, use this command: apply-groups-except APPLY_FIREWALL_TO_ALL_LOOPBACKS*/ | ||
interfaces { | interfaces { | ||
lo0 { | lo0 { | ||
| Line 22: | Line 23: | ||
filter { | filter { | ||
input YOURFIREWALLNAMEHERE; | input YOURFIREWALLNAMEHERE; | ||
| − | + | }}}}}}}</PRE> | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | } | ||
| − | </PRE> | ||
And apply it to your interface lo0 | And apply it to your interface lo0 | ||
| Line 35: | Line 29: | ||
set interfaces lo0 apply-groups APPLY_FIREWALL_TO_ALL_LOOPBACKS | set interfaces lo0 apply-groups APPLY_FIREWALL_TO_ALL_LOOPBACKS | ||
</PRE> | </PRE> | ||
| + | |||
| + | |||
| + | If you have IPv6 on your gear, you can include it in the apply group: | ||
| + | <PRE> | ||
| + | groups { | ||
| + | APPLY_FIREWALL_TO_ALL_LOOPBACKS { | ||
| + | /* This will apply the default system firewall to any loopbacks added to a VRF that don't have a filter applied. | ||
| + | If you need to remove the firewall from one unit, use this command: apply-groups-except APPLY_FIREWALL_TO_ALL_LOOPBACKS*/ | ||
| + | interfaces { | ||
| + | lo0 { | ||
| + | unit <*> { | ||
| + | family inet { | ||
| + | filter { | ||
| + | input YOURFIREWALLNAMEHERE; | ||
| + | } | ||
| + | } | ||
| + | family inet6 { | ||
| + | filter { | ||
| + | input YOURFIREWALLNAMEHERE-V6; | ||
| + | }}}}}}}</PRE> | ||
Latest revision as of 10:45, 26 May 2025
Normal practice with Juniper gear is to apply your system-level firewall to interface lo0.0 (loopback 0, unit 0). Be very careful when creating additional loopbacks and using them with routing instances, as you may not get the firewalling you expected!
Here are the scenarios and results:
- Interface lo0.0 is in your global table and has Filter0 applied. The VRF has no loopback interface configured.
- The VRF uses Filter0
- Interface lo0.0 is in your global table and has Filter0 applied. Interface lo0.1 is in a VRF and has Filter1 applied.
- The VRF will use Filter1
- Interface lo0.0 is in your global table and has Filter0 applied. Interface lo0.1 is in a VRF and has no filter applied.
- The VRF will not use a filter!
To prevent mishaps, create the following apply group:
groups {
APPLY_FIREWALL_TO_ALL_LOOPBACKS {
/* This will apply the default system firewall to any loopbacks added to a VRF that don't have a filter applied.
If you need to remove the firewall from one unit, use this command: apply-groups-except APPLY_FIREWALL_TO_ALL_LOOPBACKS*/
interfaces {
lo0 {
unit <*> {
family inet {
filter {
input YOURFIREWALLNAMEHERE;
}}}}}}}
And apply it to your interface lo0
set interfaces lo0 apply-groups APPLY_FIREWALL_TO_ALL_LOOPBACKS
If you have IPv6 on your gear, you can include it in the apply group:
groups {
APPLY_FIREWALL_TO_ALL_LOOPBACKS {
/* This will apply the default system firewall to any loopbacks added to a VRF that don't have a filter applied.
If you need to remove the firewall from one unit, use this command: apply-groups-except APPLY_FIREWALL_TO_ALL_LOOPBACKS*/
interfaces {
lo0 {
unit <*> {
family inet {
filter {
input YOURFIREWALLNAMEHERE;
}
}
family inet6 {
filter {
input YOURFIREWALLNAMEHERE-V6;
}}}}}}}