Typical access-list on edge router

This is typical ACL which you can configure on the Public interface of your router in the Inbound direction.

Share this!

Internet routing table and damping on JunOS

To get an idea about the current number of Internet routes, for both IPv4 and IPv6:

moghaddas@USA> show route summary | match "inet|bgp"  
inet.0: 560133 destinations, 1663174 routes (558798 active, 0 holddown, 1525 hidden)
                 BGP: 1663124 routes, 558752 active
inet6.0: 24047 destinations, 47458 routes (23459 active, 0 holddown, 851 hidden)
                 BGP:  47444 routes,  23447 active

Now, imagine what would be the outcome of route flaps for a Service Provider environment with many eBGP neighbors. Instability and customer dissatisfaction!

The first solution to avoid such situations is BGP Route Dampening/Damping. Continue reading “Internet routing table and damping on JunOS”

Share this!

Renaming security policies on JunOS

Be careful while renaming a security policy on JunOS, since it will close the current session.

Unfortunately, what JunOS does, is removing the old-named policy and adds a new one.

I tried also with adding a new policy, inserting it before the old one, commit, then removing the old one and commit. But again interruption, which logically makes sense.

Test environment: JunOS 12.1X44-D35.5 on a SRX240h

I tried on vsrx firefly-perimeter with JunOS 12.1X47-D20.7 and faced no drop!

Share this!

HowTo : Hardening GRUB

What is GRUB? Let’s ask Wikipedia:

GNU GRUB (short for GNU GRand Unified Bootloader) is a boot loader package from the GNU Project.

GRUB is the easiest way to hack into Linux systems!

  • First option to break into a Linux system is to edit the line ro quite splash as rw init=/bin/bash during system startup (usually triggered by pressing “e” on the list).
  • Second option would be using the Recovery Mode.

So the solution is to disable the Password Recovery option and set a password for GRUB.

Disabling Recovery in GRUB

Setting a Password for GRUB

Creating a rescue copy of the file:

Creating a GRUB Password:

Copy the output starting with grub.pbkdf2. and save it in a file:

Add the following to the end of 00_header file:

cat << EOF set superusers=password pbkdf2 PASSWORD grub.pbkdf2.sha512.10000.D01A1ABD624BA3DBDFACF2AE311617236143EE7E930E862706D3A4089AD1BDA1C0E1274EA0F53DC466100653C2BB164937D6D9932D90BC18F2F03C1E765389A8.F0C2399E571D1BFA6DD9107F031DEBF9BB1C0C15531CBCEA95C31D9CDA2FEBBCBF4BEE14AFA17CED8B2BA7800DC451BA7A0B222265B2CB69D590A2B11C0CE12B EOF
root@debian:~# update-grub
Share this!

How-To: Destination NAT in JunOS

You are asked to publish a local website on an external network such as Internet, and you have to do it in a secure manner using the SRX firewall at your office.

The procedure is pretty straight forward.

  1. Local host’s zone (Local IP) : show route and show interface
  2. Find out to which External (Global) IP address you should apply the D-NAT
  3. External access zone (Global IP) : show route and show interface
  4. OPTIONAL: Create “security address-book global” entries for source/destination addresses
  5. If you are Port-Forwarding: Create an “application
  6. Define a “security policy from EXTERNAL zone to LOCAL zone, matching the source (external hosts), destination (local hosts) and application (local hosts’ protocol/port) parameters and then set the action as permit
  7. Create a “NAT Destination Pool” for the Local IP and if Port Forwarding add the service’s port
  8. Define a “security nat destination rule-set rule” matching the source (external hosts), destination (local hosts) and destination-port (local hosts’ port) parameters and then set the “destination-nat pool” to the pool created in last step

Below you will find a sample snippet of the configuration:

Share this!