VPN
lv21, 2014-07-18 06:46:23

Juniper SRX: I filter traffic with a filter on the interface. By what miracle does traffic from outside the whitelist get through?

Hello,
I can't figure out what I'm doing wrong. Please advise.
JUNOS 12.1X46-D10.2 SRX-210
Created a whitelist including New Zealand networks.
List of networks taken from here https://www.countryipblocks.net/country_selection.php.
Here is a whitelist:
> show configuration policy-options prefix-list NZ
5.10.84.200/29;
14.1.32.0/19;
14.1.64.0/19;
14.128.4.0/22;
etc.
Here is the filter:
> show configuration firewall family inet filter INET-filter
term allow_NNOV_http {
    from {
        source-prefix-list {
            NNOV;
        }
        protocol tcp;
        destination-port http;
    }
    then accept;
}
term reject_unknown_http {
    from {
        source-address {
            0.0.0.0/0;
        }
        destination-port http;
    }
    then {
        discard;
    }
}
term allow_NZ_vpn {
    from {
        source-prefix-list {
            NZ;
        }
        destination-port [ 443 1723 53 ];
    }
    then accept;
}
term reject_UNKNOWN_vpn {
    from {
        source-address {
            0.0.0.0/0;
        }
        destination-port [ 443 1723 53 ];
    }
    then {
        discard;
    }
}
term allow {
    then accept;
}
Here is the filter attached to the external interface:
> show configuration interfaces at-1/0/0 unit 0 family inet
filter {
    input INET-filter;
}
negotiate-address;
dhcp {
    update-server;
}
And it does seem to filter: I asked a friend in Australia to check, and nothing is reachable for him.
But by some miracle, I receive notifications from the syslog server:
Date/Time: Jul 18 15:02:01
KMD_VPN_PV_PHASE1: IKE Phase-1 Failure: No proposal chosen [spi=(null), src_ip=xxx.xxx.xxx.xxx, dst_ip=119.77.157.15]
IP Address: 192.168.232.1
Date/Time: Jul 18 08:12:27
KMD_VPN_PV_PHASE1: IKE Phase-1 Failure: No proposal chosen [spi=(null), src_ip=xxx.xxx.xxx.xxx, dst_ip=106.51.57.5]
Date/Time: Jul 17 14:17:28
IKE Phase-1 : (Responder) Policy lookup failed [local_ip=xxx.xxx.xxx.xxx remote_ip=80.203.66.238
This is what usually happens when someone hits port 443 and lands on the Dynamic VPN page.
I looked these addresses up: Norway, India, Taiwan.
I checked them against my whitelist and they are not there (more precisely, I checked the network ranges they could fall into).
I'm scratching my head over how and why they get through. Could you share some ideas, please?
Thanks in advance.
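An added check, not part of the original post: the KMD messages quoted above are IKE Phase 1 failures, and IKE runs over UDP/500 (UDP/4500 with NAT-T), while the posted filter only discards non-whitelisted sources on destination ports 443, 1723 and 53, so an IKE packet falls through to the final `allow` term. The Python below is a small evaluator for the posted terms (example code, not Junos; the NNOV prefix, the sample addresses and the hardened variant that adds 500/4500 to the VPN terms are assumptions) that replays the Norwegian source from the logs against both the posted filter and the hardened one.

```python
"""Toy evaluator for the Junos firewall filter quoted in the post.

Added example, not Junos code. Simplified semantics: terms run top to bottom,
the first term whose every `from` condition matches decides the action, a term
without `from` matches everything, and a packet that matches no term is
discarded (the Junos implicit default). `destination-port` without `protocol`
matches both TCP and UDP, as the posted terms do.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The NZ prefix-list as shown in the post (the real list is much longer).
NZ = [ipaddress.ip_network(p) for p in
      ("5.10.84.200/29", "14.1.32.0/19", "14.1.64.0/19", "14.128.4.0/22")]
# NNOV is referenced by the filter but never shown; a placeholder from the
# RFC 5737 documentation range is assumed here.
NNOV = [ipaddress.ip_network("192.0.2.0/24")]

IKE_PORTS = {500, 4500}      # IKE and IKE NAT-T (UDP), what the KMD logs report
VPN_PORTS = {443, 1723, 53}  # the ports the post's VPN terms actually match


@dataclass
class Term:
    name: str
    action: str                     # "accept" or "discard"
    src: Optional[list] = None      # prefix-list (ip_network list) or any
    protocol: Optional[str] = None  # "tcp", "udp" or any
    dports: Optional[set] = None    # destination ports or any

    def matches(self, src_ip, proto, dport):
        if self.src is not None and not any(src_ip in n for n in self.src):
            return False
        if self.protocol is not None and proto != self.protocol:
            return False
        if self.dports is not None and dport not in self.dports:
            return False
        return True


def evaluate(terms, src, proto, dport):
    """Return (term name, action) for one packet, Junos first-match style."""
    src_ip = ipaddress.ip_address(src)
    for t in terms:
        if t.matches(src_ip, proto, dport):
            return t.name, t.action
    return "implicit", "discard"


def build_filter(vpn_ports):
    """The post's INET-filter, parameterised by the ports its VPN terms cover."""
    return [
        Term("allow_NNOV_http", "accept", src=NNOV, protocol="tcp", dports={80}),
        Term("reject_unknown_http", "discard", dports={80}),
        Term("allow_NZ_vpn", "accept", src=NZ, dports=set(vpn_ports)),
        Term("reject_UNKNOWN_vpn", "discard", dports=set(vpn_ports)),
        Term("allow", "accept"),    # catch-all: everything else is let in
    ]


INET_FILTER = build_filter(VPN_PORTS)                  # as posted
HARDENED_FILTER = build_filter(VPN_PORTS | IKE_PORTS)  # IKE added to the VPN terms

# Constructed sample traffic: the Norwegian address from the post's log lines
# and an address inside the posted NZ prefix 14.1.32.0/19.
SAMPLE = [
    ("80.203.66.238", "tcp", 443),   # Dynamic VPN portal, not whitelisted
    ("80.203.66.238", "udp", 500),   # IKE Phase 1, not whitelisted
    ("80.203.66.238", "udp", 4500),  # IKE NAT-T, not whitelisted
    ("14.1.32.10", "udp", 500),      # IKE Phase 1 from a whitelisted prefix
]


def run(terms, packets=SAMPLE):
    """Evaluate every sample packet against one filter."""
    return {pkt: evaluate(terms, *pkt) for pkt in packets}


if __name__ == "__main__":
    for label, terms in (("posted", INET_FILTER), ("hardened", HARDENED_FILTER)):
        print(f"--- {label} filter")
        for pkt, (term, action) in run(terms).items():
            print(f"{pkt[0]:>15} {pkt[1]}/{pkt[2]:<5} -> {action:7} ({term})")
```

With the posted filter the non-whitelisted source is discarded on TCP/443 but accepted on UDP/500 and UDP/4500 by the catch-all term, which matches what the syslog messages show; with 500 and 4500 added to the two VPN terms, only sources inside the NZ prefix-list reach IKE. The evaluator ignores protocol on `destination-port` just as the posted terms do, so it also shows that TCP/53 and UDP/53 are treated alike.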
