SRX basic rules question. Please clarify



  • Hi,

    Basic question
    I want to test port availability by telnet from host 10.10.1.1 to host 10.10.2.1 by port 80

    Port 80 is open on 10.10.2.1

    What I’m doing
    10.10.1.1>telnet 10.10.2.1 80

    Diagram:
    <10.10.1.1>–trusted LAN—<srx_firewall>—untrusted LAN—<10.10.2.1>

    Will the config below allow the telnet connection and the port to open, or does this have to be a bidirectional configuration?
    Meaning, do I also have to allow 10.10.2.1 through the firewall to reach 10.10.1.1?

    The initiator of the connection is 10.10.1.1.

    set security zones security-zone trust address-book address host_10.10.1.1 10.10.1.1/32
    set security zones security-zone untrust address-book address net_10.10.2.1 10.10.2.1/32
    set applications application tcp_80 protocol tcp destination-port 80

    set security policies from-zone trust to-zone untrust policy v1 match source-address host_10.10.1.1
    set security policies from-zone trust to-zone untrust policy v1 match destination-address net_10.10.2.1
    set security policies from-zone trust to-zone untrust policy v1 match application tcp_80
    set security policies from-zone trust to-zone untrust policy v1 then permit

    Thank you



  • The firewall is stateful.

    There is no need for a reverse policy. It's the magic of the modern world.

    I mean, why would you require a return rule? Does the client machine listen on port 80?



  • I have never configured a line of Junos code.

    Now that I have mentioned that, I wanted to add to this thread the comment that the SRX, as far as I am aware, is a stateful firewall just like a Netscreen, CheckPoint or Cisco (all of which I have configured). For each of these other stateful firewalls there is no need to explicitly allow return traffic in the form of an additional firewall rule in the opposite direction. That is the difference between a modern firewall and a traditional router which only supports stateless ACLs.

    So while I can’t help you with your configuration, I would say it is unlikely you need to add a rule to allow the return traffic.
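    The stateful-versus-stateless distinction described in this reply, as an added example that is not part of the original thread and not Junos or any vendor's code. It is a toy model written for this page: a one-way policy equivalent to the poster's `v1` (trust to untrust, 10.10.1.1 to 10.10.2.1, tcp/80) is applied by a stateless ACL and by a session-tracking firewall to the packets of `telnet 10.10.2.1 80`, and then to an unsolicited connection opened from the untrusted side. The hosts, zone membership, port numbers and the `POLICY_REVERSE` rule are all constructed for the example.

```python
"""Toy model of why a one-way policy is enough on a stateful firewall,
and what adding an "opposite" policy would actually do.  Hypothetical
code written for this page, not Junos or any real firewall implementation."""
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport syn")

# Constructed zone membership for the topology in the thread.
ZONE_OF = {"10.10.1.1": "trust", "10.10.2.1": "untrust"}

# Equivalent of the poster's policy v1: trust -> untrust, tcp/80, permit.
POLICY_V1 = {"from": "trust", "to": "untrust",
             "src": "10.10.1.1", "dst": "10.10.2.1", "dport": 80}

# A hypothetical "opposite" policy, also matching tcp/80, untrust -> trust.
POLICY_REVERSE = {"from": "untrust", "to": "trust",
                  "src": "10.10.2.1", "dst": "10.10.1.1", "dport": 80}


def policy_lookup(policies, pkt):
    """Return 'permit' if some policy matches the packet, else the implicit deny."""
    for p in policies:
        if (p["from"], p["to"]) == (ZONE_OF[pkt.src], ZONE_OF[pkt.dst]) \
                and (p["src"], p["dst"], p["dport"]) == (pkt.src, pkt.dst, pkt.dport):
            return "permit"
    return "deny"


class StatelessACL:
    """Router-style ACL: every packet is judged on its own against the rules."""
    def __init__(self, policies):
        self.policies = policies

    def handle(self, pkt):
        return policy_lookup(self.policies, pkt)


class StatefulFirewall:
    """Policy is consulted only for the first packet of a flow; the session
    entry it creates then admits packets in both directions of that flow."""
    def __init__(self, policies):
        self.policies = policies
        self.sessions = set()

    def handle(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.sessions:
            return "permit"          # session hit, no policy lookup needed
        if not pkt.syn:
            return "deny"            # mid-stream packet with no session
        verdict = policy_lookup(self.policies, pkt)
        if verdict == "permit":
            self.sessions.add(key)   # install both wings of the flow
            self.sessions.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return verdict


def run_scenario(fw):
    """Replay the thread's `telnet 10.10.2.1 80` handshake, then an unsolicited
    connection from the untrusted host to port 80 on the trusted host.
    Source port 40001 and 50000 are constructed ephemeral ports."""
    syn = Packet("10.10.1.1", 40001, "10.10.2.1", 80, True)
    syn_ack = Packet("10.10.2.1", 80, "10.10.1.1", 40001, False)
    ack = Packet("10.10.1.1", 40001, "10.10.2.1", 80, False)
    inbound = Packet("10.10.2.1", 50000, "10.10.1.1", 80, True)
    return {"syn": fw.handle(syn), "syn_ack": fw.handle(syn_ack),
            "ack": fw.handle(ack), "unsolicited_inbound": fw.handle(inbound)}


if __name__ == "__main__":
    print("stateless, v1 only:     ", run_scenario(StatelessACL([POLICY_V1])))
    print("stateful, v1 only:      ", run_scenario(StatefulFirewall([POLICY_V1])))
    print("stateless, v1 + reverse:", run_scenario(StatelessACL([POLICY_V1, POLICY_REVERSE])))
    print("stateful, v1 + reverse: ", run_scenario(StatefulFirewall([POLICY_V1, POLICY_REVERSE])))
```

    Two things the model makes visible. With the stateless ACL the SYN/ACK from 10.10.2.1 is dropped, so the telnet never completes; with the stateful firewall the session created by the first SYN admits it, and the unsolicited inbound connection is still denied. Adding the tcp/80 "opposite" policy does not help the stateless case at all (the reply packets have an ephemeral destination port, not 80), but on either device it opens a new hole: anyone on the untrusted side can now initiate connections to 10.10.1.1:80. On a real SRX the equivalent check is to start the telnet and run `show security flow session`, which lists the session with both its inbound and outbound wings without any untrust-to-trust policy.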



  • Yes, I am sure.

    Is this the entire config of your firewall?
    Show us the rest.



  • Are you sure? Because my firewall admin configured it as it is above.



  • Hello,

    Yes, you need to add the opposite policy also, so that the SRX is able to bring the traffic back to the source host.

    Good day.

