Difference between revisions of "Firewalling With Multiple Loopbacks"

From Baranoski.ca

Revision as of 10:31, 26 May 2025

Normal practice with Juniper gear is to apply your system-level firewall to interface lo0.0 (loopback 0, unit 0). Be very careful when creating additional loopbacks and using them with routing instances, as you may not get the firewalling you expected!

Here are the scenarios and results:

  • Interface lo0.0 is in your global table and has Filter0 applied. The VRF has no loopback interface configured.
    • The VRF uses Filter0
  • Interface lo0.0 is in your global table and has Filter0 applied. Interface lo0.1 is in a VRF and has Filter1 applied.
    • The VRF will use Filter1
  • Interface lo0.0 is in your global table and has Filter0 applied. Interface lo0.1 is in a VRF and has no filter applied.
    • The VRF will not use a filter!


To prevent mishaps, create the following apply group:

groups {
    APPLY_FIREWALL_TO_ALL_LOOPBACKS {
        /* If you create a loopback unit for a VRF and don't apply a filter, it won't use the default system firewall. This will apply the default system firewall.
           If you need to remove the firewall from one unit, use this command: apply-groups-except APPLY_FIREWALL_TO_ALL_LOOPBACKS */
        interfaces {
            lo0 {
                unit <*> {
                    family inet {
                        filter {
                            input YOURFIREWALLNAMEHERE;
                        }
                    }
                }
            }
        }
    }
}

And apply it to interface lo0:

set interfaces lo0 apply-groups APPLY_FIREWALL_TO_ALL_LOOPBACKS
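To catch the third scenario above (a loopback unit in a VRF with no input filter) before it bites, here is an added audit script that is not part of the original page. It reads `show configuration | display set` style output and computes the effective input filter of every lo0 unit, honouring `apply-groups` on lo0 and `apply-groups-except` on a unit; the sample config, filter names and routing-instance names are constructed for the example.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample of `show configuration | display set` output (not from a real device).
# unit 0: explicit filter; unit 1: inherits from the group; unit 2: opted out; unit 3: own filter.
SAMPLE_CONFIG = """
set groups APPLY_FIREWALL_TO_ALL_LOOPBACKS interfaces lo0 unit <*> family inet filter input SYSTEM-FW
set interfaces lo0 apply-groups APPLY_FIREWALL_TO_ALL_LOOPBACKS
set interfaces lo0 unit 0 family inet filter input SYSTEM-FW
set interfaces lo0 unit 0 family inet address 192.0.2.1/32
set interfaces lo0 unit 1 family inet address 192.0.2.2/32
set interfaces lo0 unit 2 apply-groups-except APPLY_FIREWALL_TO_ALL_LOOPBACKS
set interfaces lo0 unit 2 family inet address 192.0.2.3/32
set interfaces lo0 unit 3 family inet filter input VRF-FW
set routing-instances CUST-A interface lo0.1
set routing-instances CUST-B interface lo0.2
"""

GROUP_RE = re.compile(r"^set groups (\S+) interfaces lo0 unit (\S+) family inet filter input (\S+)$")
APPLY_RE = re.compile(r"^set interfaces lo0 apply-groups (\S+)$")
UNIT_RE = re.compile(r"^set interfaces lo0 unit (\S+)(?: (.*))?$")


def effective_input_filters(config):
    """Return {unit: input-filter-name or None} for every lo0 unit in the config."""
    group_filters, applied, explicit, excepts, units = {}, [], {}, {}, set()
    for line in config.splitlines():
        line = line.strip()
        if m := GROUP_RE.match(line):
            group_filters[m[1]] = (m[2].strip("<>"), m[3])   # "<*>" becomes the glob "*"
        elif m := APPLY_RE.match(line):
            applied.append(m[1])                              # groups applied at the lo0 level
        elif m := UNIT_RE.match(line):
            unit, rest = m[1], m[2] or ""
            units.add(unit)
            if rest.startswith("family inet filter input "):
                explicit[unit] = rest.split()[-1]             # explicit config beats any group
            elif rest.startswith("apply-groups-except "):
                excepts.setdefault(unit, set()).add(rest.split()[-1])
    result = {}
    for unit in sorted(units, key=int):
        filt = explicit.get(unit)
        for group in applied:                                 # first matching, non-excepted group wins
            if filt is None and group in group_filters and group not in excepts.get(unit, set()):
                pattern, name = group_filters[group]
                if fnmatchcase(unit, pattern):
                    filt = name
        result[unit] = filt
    return result


def unfiltered_units(config):
    """lo0 units that end up with no input filter at all (the third scenario above)."""
    return [unit for unit, filt in effective_input_filters(config).items() if filt is None]
```

Removing the `apply-groups` line from the sample shows what the page warns about: unit 1 joins unit 2 in the unfiltered list.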