Handy Internet Interface JUNOS Firewall Filters

Here are two handy firewall filters to apply to any internet facing interface on your JUNOS network device.

BOGON List
- Apply as input on Internet facing interface
- You should also add any Public Address space that you have inside your network

[plain]
set firewall family inet filter BOGON-DENY term discard-bogon-net from source-address 10.0.0.0/8
set firewall family inet filter BOGON-DENY term discard-bogon-net from source-address 127.0.0.0/8
set firewall family inet filter BOGON-DENY term discard-bogon-net from source-address 169.254.0.0/16
set firewall family inet filter BOGON-DENY term discard-bogon-net from source-address 172.16.0.0/12
set firewall family inet filter BOGON-DENY term discard-bogon-net from source-address 192.0.0.0/24
set firewall family inet filter BOGON-DENY term discard-bogon-net from source-address 192.0.2.0/24
set firewall family inet filter BOGON-DENY term discard-bogon-net from source-address 192.168.0.0/16
set firewall family inet filter BOGON-DENY term discard-bogon-net from source-address 198.18.0.0/15
set firewall family inet filter BOGON-DENY term discard-bogon-net from source-address 198.51.100.0/24
set firewall family inet filter BOGON-DENY term discard-bogon-net from source-address 203.0.113.0/24
set firewall family inet filter BOGON-DENY term discard-bogon-net from source-address 224.0.0.0/3
set firewall family inet filter BOGON-DENY term discard-bogon-net then count BOGONS
set firewall family inet filter BOGON-DENY term discard-bogon-net then discard
set firewall family inet filter BOGON-DENY term allow-everything-else then accept
[/plain]

Private Address Reject
- Apply as output on Internet facing interface

[plain]
set firewall family inet filter PRIVATE-REJECT term reject-rfc-1918 from destination-address 10.0.0.0/8
set firewall family inet filter PRIVATE-REJECT term reject-rfc-1918 from destination-address 172.16.0.0/12
set firewall family inet filter PRIVATE-REJECT term reject-rfc-1918 from destination-address 192.168.0.0/16
set firewall family inet filter PRIVATE-REJECT term reject-rfc-1918 then count RFC-1918
set firewall family inet filter PRIVATE-REJECT term reject-rfc-1918 then reject
set firewall family inet filter PRIVATE-REJECT term allow-everything-else then accept
[/plain]

Related Posts

CLI Templates for Python + Rust

Do you also write a lot of services that need a few CLI option (e.g. –config) and or little CLI tools from time to time? Want a…

Stop IPv4 Point-To-Point Addressing your Networks

IPv4 addressing on links is no longer required to route IPv4. What you say?? Yes, you can stop IPv4 addressing your point to point links with Legacy…

NAT64: Using `jool` on Ubuntu 20.04

I found that jool has very good tutorials, but all the commands to get going are hidden in these large tutorials. Here are the steps I took…

Raspberry Pi Powered Fireplace

Mr Aijay Adams and I am back making my Fireplace Internet / Smart device controllable. Now, via a very sexy Web UI, when I’m heading back to…

nftables

Are you using the latest Linux kernel firewall?. Here are some notes I’ve saved that I use and forget all the time. I plan to add to…

RPM vs OPKG Cheat Sheet

Recently in the Terragraph project I work on we changed from RPM to OPKG to removes some dependencies (e.g. perl) and make our overall image size smaller….

This Post Has 8 Comments

  1. Greetings I discovered your webpage by mistake when i was searching Msn for this subject, I must say your site is quite helpful I also love the layout, it is great!

Leave a Reply

Your email address will not be published.