Difference between revisions of "Firewalling With Multiple Loopbacks"

From Baranoski.ca

Revision as of 17:33, 23 May 2025

Normal practice with Juniper gear is to apply your system-level firewall to interface lo0.0 (loopback 0, unit 0). Be very careful when creating additional loopbacks and using them with routing instances, as you may not get the firewalling you expected!

Here are the scenarios and results:

  • Interface lo0.0 is in your global table and has Filter0 applied. Interface lo0.1 is in a VRF and has Filter1 applied.
    • The VRF will use Filter1
  • Interface lo0.0 is in your global table and has Filter0 applied. Interface lo0.1 is in a VRF and has no filter applied.
    • The VRF will not use a filter!
  • Interface lo0.0 is in your global table and has Filter0 applied. The VRF has no loopback interface configured.
    • The VRF uses Filter0


To prevent mishaps, create the following apply-group, which pushes the system firewall filter onto every lo0 unit that does not already have an explicit filter (explicit per-unit configuration still takes precedence over group configuration):

groups {
    APPLY_FIREWALL_TO_ALL_LOOPBACKS {
        /* If you create a loopback unit for a VRF and don't apply a filter, it won't use the default system firewall. This will apply the default system firewall. */
        interfaces {
            lo0 {
                unit <*> {
                    family inet {
                        filter {
                            input YOURFIREWALLNAMEHERE;
                        }
                    }
                }
            }
        }
    }
}

Then apply it to interface lo0:

set interfaces lo0 apply-groups APPLY_FIREWALL_TO_ALL_LOOPBACKS
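The following audit script is an added example, not code from the page or from Juniper. It models the three scenarios listed above and the apply-group fix: given a Junos configuration in "set" format, it works out the effective inet input filter on every lo0 unit (explicit filter first, then a `unit <*>` filter inherited from a group applied to lo0) and reports which routing instances would end up with no filter at all. The sample configuration, the VRF names, and the address values are constructed for the example; the page's own filter and group names are reused.

```python
import re
from typing import Dict, List, Optional

# Constructed sample configuration (Junos "set" format) reproducing the page's
# three scenarios: lo0.1 in VRF-A has its own filter, lo0.2 in VRF-B has none,
# and VRF-C has no loopback unit at all. No apply-group is applied yet.
SAMPLE_CONFIG = """
set interfaces lo0 unit 0 family inet filter input Filter0
set interfaces lo0 unit 0 family inet address 192.0.2.1/32
set interfaces lo0 unit 1 family inet filter input Filter1
set interfaces lo0 unit 1 family inet address 192.0.2.2/32
set interfaces lo0 unit 2 family inet address 192.0.2.3/32
set routing-instances VRF-A instance-type vrf
set routing-instances VRF-A interface lo0.1
set routing-instances VRF-B instance-type vrf
set routing-instances VRF-B interface lo0.2
set routing-instances VRF-C instance-type vrf
"""

# Constructed: the page's apply-group (with Filter0 as the system filter) plus
# the line that applies it to lo0. Append to SAMPLE_CONFIG to see the fix.
GROUP_LINES = """
set groups APPLY_FIREWALL_TO_ALL_LOOPBACKS interfaces lo0 unit <*> family inet filter input Filter0
set interfaces lo0 apply-groups APPLY_FIREWALL_TO_ALL_LOOPBACKS
"""

UNIT_RE = re.compile(r"^set interfaces lo0 unit (\d+)\b")
UNIT_FILTER_RE = re.compile(r"^set interfaces lo0 unit (\d+) family inet filter input (\S+)")
GROUP_FILTER_RE = re.compile(r"^set groups (\S+) interfaces lo0 unit <\*> family inet filter input (\S+)")
APPLY_GROUP_RE = re.compile(r"^set interfaces lo0 apply-groups (\S+)")
VRF_RE = re.compile(r"^set routing-instances (\S+) ")
VRF_IF_RE = re.compile(r"^set routing-instances (\S+) interface lo0\.(\d+)")


def effective_lo0_filters(config: str) -> Dict[int, Optional[str]]:
    """Return {unit: effective inet input filter or None} for every lo0 unit.

    An explicit per-unit filter wins; otherwise a 'unit <*>' filter from the
    first applied group that defines one is inherited; otherwise the unit is
    unfiltered (the page's second scenario).
    """
    units: Dict[int, Optional[str]] = {}
    group_filters: Dict[str, str] = {}
    applied_groups: List[str] = []
    for line in config.strip().splitlines():
        line = line.strip()
        if m := UNIT_RE.match(line):
            units.setdefault(int(m.group(1)), None)
        if m := UNIT_FILTER_RE.match(line):
            units[int(m.group(1))] = m.group(2)
        if m := GROUP_FILTER_RE.match(line):
            group_filters[m.group(1)] = m.group(2)
        if m := APPLY_GROUP_RE.match(line):
            applied_groups.append(m.group(1))
    inherited = next((group_filters[g] for g in applied_groups if g in group_filters), None)
    return {u: (f if f is not None else inherited) for u, f in units.items()}


def vrf_filters(config: str) -> Dict[str, Optional[str]]:
    """Return {routing-instance: filter its loopback traffic will hit}.

    Follows the behaviour observed on the page: a VRF with its own lo0 unit uses
    that unit's effective filter (possibly none), and a VRF with no loopback
    unit falls back to lo0.0's filter.
    """
    lo0 = effective_lo0_filters(config)
    vrfs: Dict[str, Optional[str]] = {}
    for line in config.strip().splitlines():
        line = line.strip()
        if m := VRF_RE.match(line):
            vrfs.setdefault(m.group(1), lo0.get(0))
        if m := VRF_IF_RE.match(line):
            vrfs[m.group(1)] = lo0.get(int(m.group(2)))
    return vrfs


def unfiltered_vrfs(config: str) -> List[str]:
    """Names of routing instances whose loopback would accept traffic unfiltered."""
    return sorted(v for v, f in vrf_filters(config).items() if f is None)


if __name__ == "__main__":
    print("before apply-group:", vrf_filters(SAMPLE_CONFIG))
    print("unfiltered:", unfiltered_vrfs(SAMPLE_CONFIG))
    fixed = SAMPLE_CONFIG + GROUP_LINES
    print("after apply-group: ", vrf_filters(fixed))
    print("unfiltered:", unfiltered_vrfs(fixed))
```

Run against your own `show configuration | display set` output, the script flags any VRF whose loopback unit exists without a filter, which is exactly the case the page warns about; once the apply-group is in place every unit inherits the system filter and the unfiltered list is empty.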