While exploring the configuration options on the Juniper SRX firewall, I stumbled upon the so-called firewall filters. These filters are not to be mistaken for the firewall policy rules. They are something different, but can be used for achieving similar goals.
In my case, I wanted to see if it was possible to quickly block a list of IP addresses (or subnets) without the hassle of creating addressbook entries (Address Sets). My list of IP addresses consists of known hosts that participate in the criminal ZeuS network. These IP addresses are either Command&Control servers or servers used to transfer (captured) data to. In any case, servers you don't want to communicate with.
The solution on the SRX is to create a firewall filter containing the list with hosts / networks. The filter, in my case, is applied to the outgoing interface (fe-0/0/0).
First, create the filter:
firewall {
family inet {
filter blocked.IP {
term 1 {
from {
prefix-list {
block.zeusCC;
unblock.zeusCC except;
}
}
then {
syslog;
discard;
}
}
term 2 {
then accept;
}
}
}
}
I called my filter blocked.IP. This filter 'reads' the filtered IP addresses from prefix-lists, which we'll take a look at later on. I used two prefix-lists for the following reason. The first list (block.zeusCC) contains the addresses to be blocked. the unblock.zeusCC list contains a subset of addresses that are to be allowed. This makes is possible to block entire subnets, but allow parts within that subnet to be accessed.
E.g. block 184.82.106.0/24, but allow (exception) 184.82.106.100/32
The discard statement discards the packet. As you can see, there's also a syslog entry in the filter. The reason for this is that this process takes place on a different level in the SRX. The normal firewall policy logging will show traffic ALLOWED to these blocked ip addresses. Even if it's blocked by the firewall filter. If you need/want logging for this, you need to add the syslog statement. The syslog source is the Control plane. So make sure you collect the syslog messages from the Control pane.
The following piece of config show an example of the Control pane syslogging. My syslog server is the the 192.168.1.1, and the listener port is 12346.
syslog {
archive;
user * {
any emergency;
}
host 192.168.1.1 {
any any;
change-log none;
interactive-commands none;
port 12346;
}
file policy_session {
archive;
}
}
Anyway, back to firewall filter. We created the firewall filter, and now we need to populate the blocked prefix-list.
The following shows the (shortened) list. The unblock (exception) list is still empty in my case. The markup is the same.
policy-options {
prefix-list block.zeusCC {
5.135.62.209/32;
12.20.235.200/32;
24.126.145.5/32;
[...]
223.27.17.94/32;
223.27.17.197/32;
}
prefix-list unblock.zeusCC;
}
Finally, we need to apply the filter to the actual interface. In my case I applied the filter to my WAN interface (fe-0/0/0) for both incoming and outgoing traffic.
interfaces {
fe-0/0/0 {
unit 0 {
family inet {
filter {
input blocked.IP;
output blocked.IP;
}
dhcp;
}
}
}
This should work. There are some tweaks you can add, like restricting only certain protocols. This is done in the firewall filter itself. The following example blocks only http (port 80) traffic.
firewall {
family inet {
filter blocked.IP {
term 1 {
from {
prefix-list {
block.zeusCC;
unblock.zeusCC except;
}
protocol tcp;
destination-port 80;
}
then {
syslog;
discard;
}
}
term 2 {
then accept;
}
}
}
}
Now that the foundation is in place, it's quite easy to add additional prefix-lists for different purposes. The easiest way of adding a lot of IP addresses is to use the CLI Editor in the WebGUI of the firewall, just add the IP addresses in CIDR format (don't forget the trailing semicolon).
The following configuration contains the set commands for my configuration. Note that the actual list with IP addresses has been shortened. The version statement is there solely for showing my current Junos version.
set version 12.1R4.7
set system syslog archive
set system syslog user * any emergency
set system syslog host 192.168.1.1 any any
set system syslog host 192.168.1.1 change-log none
set system syslog host 192.168.1.1 interactive-commands none
set system syslog host 192.168.1.1 port 12346
set system syslog file policy_session archive
set interfaces fe-0/0/0 unit 0 family inet filter input blocked.IP
set interfaces fe-0/0/0 unit 0 family inet filter output blocked.IP
set interfaces fe-0/0/0 unit 0 family inet dhcp
set policy-options prefix-list block.zeusCC 5.135.62.209/32
set policy-options prefix-list block.zeusCC 12.20.235.200/32
set policy-options prefix-list block.zeusCC 24.126.145.5/32
[...]
set policy-options prefix-list block.zeusCC 216.244.83.99/32
set policy-options prefix-list block.zeusCC 216.244.83.194/32
set policy-options prefix-list block.zeusCC 216.246.77.218/32
set policy-options prefix-list unblock.zeusCC
set security log mode stream
set security log source-address 192.168.1.254
set security log stream Server format syslog
set security log stream Server host 192.168.1.1
set security log stream Server host port 12345
set firewall family inet filter blocked.IP term 1 from prefix-list block.zeusCC
set firewall family inet filter blocked.IP term 1 from prefix-list unblock.zeusCC except
set firewall family inet filter blocked.IP term 1 then syslog
set firewall family inet filter blocked.IP term 1 then discard
set firewall family inet filter blocked.IP term 2 then accept
Hope this helped a bit.