Discussion:
[j-nsp] Quick SRX host-inbound Question
Levi Pederson
2015-11-17 17:18:19 UTC
All,

I have a quick question on host-inbound-traffic system-services on an SRX
platform running 12.1.

I thought you could create your own "service" and apply ports to that
specifically.

I'm running into an issue where I don't want to allow-all on the
host-inbound but I do need a fair amount of unlisted ports to still
maintain access.

Does anyone remember if this is possible? Still sorting through
documentation to validate my memory.

Thank you,

*Levi Pederson*
Mankato Networks LLC
cell | 612.481.0769
work | 612.787.7392
***@mankatonetworks.net
_______________________________________________
juniper-nsp mailing list juniper-***@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Wayne Lee via juniper-nsp
2015-11-17 17:52:11 UTC
Post by Levi Pederson
Does anyone remember if this is possible. Still sorting through
documentation to validate my memory.
Thank you,
Yes, you can configure a custom application and application-set with your
port ranges and apply that to a policy.


Regards


Wayne
Hugo Slabbert
2015-11-17 18:13:56 UTC
Post by Wayne Lee via juniper-nsp
Post by Levi Pederson
I thought you could create your own "service" and apply ports to that
specifically
I'm running into an issue where I don't want to allow-all on the
host-inbound but I do need a fair amount of unlisted ports to still
maintain access.
Does anyone remember if this is possible. Still sorting through
documentation to validate my memory.
Thank you,
Yes you can configure a custom application and application-set with your
port ranges and apply that to a policy.
That's for security policy, not host-inbound-traffic. For
host-inbound-traffic, you are limited to the pre-configured system-services
and protocols made available by JunOS:

http://www.juniper.net/documentation/en_US/junos12.1/topics/reference/specifications/zone-host-inbound-traffic-system-service-supported.html

If you want to allow something to the RE that's not listed in there, you'd
have to allow all and then filter it down with a stateless filter on the
loopback in the relevant routing-instance to control traffic to the RE, as
per
http://www.juniper.net/documentation/en_US/junos14.2/topics/concept/firewall-filter-stateless-basic-uses-for.html#jd0e63

But: host-inbound-traffic is for traffic destined for the RE, meaning
services or protocols running on the RE. What unlisted ports are you
talking about that are for services/protocols running on the RE but which
are not available under host-inbound-traffic under either system-services
or protocols?

If you're talking about traffic transiting the SRX, then yes: custom
application and/or application-set definitions + security policies would be
your weapon of choice. Note that you can be exposing absolutely *zero*
services or protocols under host-inbound-traffic while still allowing
through anything else you want in terms of transit traffic via security
policies.
--
Hugo

***@slabnet.com: email, xmpp/jabber
PGP fingerprint (B178313E):
CF18 15FA 9FE4 0CD1 2319 1D77 9AB1 0FFD B178 313E

(also on Signal)
Michael Gehrmann
2015-11-17 22:03:46 UTC
Permalink
You might have better luck with the junos-host zone.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB24227&actp=search
--
Michael Gehrmann
Senior Network Engineer - Atlassian
m: +61 407 570 658
Hugo Slabbert
2015-11-17 22:17:35 UTC
Post by Michael Gehrmann
You might have better luck with the junos-host zone.
...I knew there was something I forgot...thanks!
--
Hugo
Post by Michael Gehrmann
http://kb.juniper.net/InfoCenter/index?page=content&id=KB24227&actp=search
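As an added editor's example (not configuration posted by anyone in this thread), the Junos set-format fragment below puts the three mechanisms discussed side by side: a host-inbound-traffic list that names only the services the RE actually runs, a junos-host zone policy (the KB24227 feature Michael points to) that narrows RE-bound SSH to a management range, and a custom application plus application-set that, as Hugo says, belong in an ordinary transit policy. The zone names, address range, port range and policy names are placeholders.

```junos
# Added example, not from the thread. Zone, address, port and policy names are placeholders.
# Constructed management range used as the only permitted SSH source.
set security address-book global address mgmt-hosts 192.0.2.0/24

# host-inbound-traffic: list the system-services the RE really runs; no allow-all.
set security zones security-zone untrust host-inbound-traffic system-services ssh

# junos-host zone: policy from the ingress zone to the device itself.
# Here it restricts the listed SSH service to the management range.
set security policies from-zone untrust to-zone junos-host policy ssh-from-mgmt-only match source-address mgmt-hosts
set security policies from-zone untrust to-zone junos-host policy ssh-from-mgmt-only match destination-address any
set security policies from-zone untrust to-zone junos-host policy ssh-from-mgmt-only match application junos-ssh
set security policies from-zone untrust to-zone junos-host policy ssh-from-mgmt-only then permit

# Custom application and application-set: these govern transit traffic via
# security policy, not what the RE accepts under host-inbound-traffic.
set applications application tcp-9000-9010 protocol tcp
set applications application tcp-9000-9010 destination-port 9000-9010
set applications application-set app-custom-range application tcp-9000-9010
set security policies from-zone untrust to-zone trust policy custom-ports-in match source-address any
set security policies from-zone untrust to-zone trust policy custom-ports-in match destination-address any
set security policies from-zone untrust to-zone trust policy custom-ports-in match application app-custom-range
set security policies from-zone untrust to-zone trust policy custom-ports-in then permit
```

After committing, `show security zones` and `show security policies from-zone untrust to-zone junos-host` confirm which services the RE exposes and who may reach them.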