Difference between revisions of "Firewalling With Multiple Loopbacks"
Revision as of 17:32, 23 May 2025
Normal practice with Juniper gear is to apply your system-level firewall to interface lo0.0 (loopback 0, unit 0). Be very careful when creating additional loopbacks and using them with routing instances, as you may not get the firewalling you expected!
Here are the scenarios and results:
- Interface lo0.0 is used in your global table and has Filter0 applied. Interface lo0.1 is in a VRF and has Filter1 applied.
  - The VRF will use Filter1
- Interface lo0.0 is used in your global table and has Filter0 applied. Interface lo0.1 is in a VRF and has no filter applied.
  - The VRF will not use a filter!
- Interface lo0.0 is used in your global table and has Filter0 applied. The VRF has no loopback interface configured.
  - The VRF uses Filter0
To prevent mishaps, create the following apply group:
    groups {
        APPLY_FIREWALL_TO_ALL_LOOPBACKS {
            /* If you create a loopback unit for a VRF and don't apply a filter,
               it won't use the default system firewall. This will apply the
               default system firewall. */
            interfaces {
                lo0 {
                    unit <*> {
                        family inet {
                            filter {
                                input YOURFIREWALLNAMEHERE;
                            }
                        }
                    }
                }
            }
        }
    }

And apply it to your interface lo0:
set interfaces lo0 apply-groups APPLY_FIREWALL_TO_ALL_LOOPBACKS
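As an added example (not from the wiki page), the following Python audit walks a Junos configuration in "set" format and reports every lo0 unit whose family inet has no input filter, honouring a group applied to lo0 that uses `unit <*>`. The configuration text, unit numbers, VRF names and filter names are constructed for the demonstration; the group name matches the one above.

```python
import re
from typing import Dict, List, Set

# Constructed sample (not from the wiki): lo0.0 in the global table with
# Filter0, lo0.1 in VRF-A with no filter, lo0.2 in VRF-B with Filter1.
SAMPLE_CONFIG = """
set interfaces lo0 unit 0 family inet address 192.0.2.1/32
set interfaces lo0 unit 0 family inet filter input Filter0
set interfaces lo0 unit 1 family inet address 192.0.2.2/32
set interfaces lo0 unit 2 family inet address 192.0.2.3/32
set interfaces lo0 unit 2 family inet filter input Filter1
set routing-instances VRF-A instance-type vrf
set routing-instances VRF-A interface lo0.1
set routing-instances VRF-B instance-type vrf
set routing-instances VRF-B interface lo0.2
"""

UNIT_RE = re.compile(r"^set interfaces lo0 unit (\d+) family inet\b")
FILTER_RE = re.compile(r"^set interfaces lo0 unit (\d+) family inet filter input (\S+)$")
# Group definition using the wildcard unit, as in the apply group shown above.
GROUP_RE = re.compile(r"^set groups (\S+) interfaces lo0 unit <\*> family inet filter input (\S+)$")
APPLY_RE = re.compile(r"^set interfaces lo0 apply-groups (.+)$")


def audit_loopback_filters(config: str) -> Dict[str, str]:
    """Map "lo0.N" -> effective input filter name ("" when the unit is unfiltered).
    Only family inet is checked, matching the scope of the apply group above."""
    units: Set[str] = set()
    explicit: Dict[str, str] = {}      # filters configured directly on a unit
    group_filters: Dict[str, str] = {} # group name -> wildcard-unit filter
    applied: List[str] = []            # groups applied to lo0, in order
    for line in config.strip().splitlines():
        line = line.strip()
        if m := UNIT_RE.match(line):
            units.add(m.group(1))
        if m := FILTER_RE.match(line):
            explicit[m.group(1)] = m.group(2)
        if m := GROUP_RE.match(line):
            group_filters[m.group(1)] = m.group(2)
        if m := APPLY_RE.match(line):
            applied.extend(m.group(1).strip("[] ").split())
    # Junos precedence: a filter set on the unit itself wins over group config,
    # and among several applied groups the first listed one wins.
    inherited = next((group_filters[g] for g in applied if g in group_filters), "")
    return {f"lo0.{u}": explicit.get(u, inherited) for u in sorted(units, key=int)}


def unfiltered_units(config: str) -> List[str]:
    """Loopback units that would run with no input filter at all."""
    return [u for u, f in audit_loopback_filters(config).items() if not f]
```

Running `unfiltered_units(SAMPLE_CONFIG)` flags lo0.1, the second scenario from the list above; appending the apply group and its `apply-groups` line clears the finding.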