Posts Tagged ‘bogan’

Here are two handy firewall filters to apply to the Internet-facing interface of a JUNOS device: an input filter that drops packets carrying a bogon source address (an address that should never appear as a source on the public Internet, so anything arriving with one is spoofed or misrouted), and an output filter that stops traffic for RFC 1918 destinations from leaking out.

BOGON List
- Apply as input on the Internet-facing interface
- Also add your own public address space to the source-address list: a packet arriving from the Internet that claims a source inside your network is spoofed
- Terms are evaluated top to bottom and a packet that matches no term hits the implicit final discard, so the trailing allow-everything-else term is required
- The list below covers the RFC 6890 special-purpose ranges (private, loopback, link-local, documentation, benchmarking, multicast and reserved). It does not include 0.0.0.0/8 or the RFC 6598 shared address space 100.64.0.0/10, and a static list cannot track unallocated space; for full bogon coverage use a maintained feed such as Team Cymru's and keep it current

[plain]
set firewall family inet filter BOGON-DENY term discard-bogon-net from source-address 10.0.0.0/8
set firewall family inet filter BOGON-DENY term discard-bogon-net from source-address 127.0.0.0/8
set firewall family inet filter BOGON-DENY term discard-bogon-net from source-address 169.254.0.0/16
set firewall family inet filter BOGON-DENY term discard-bogon-net from source-address 172.16.0.0/12
set firewall family inet filter BOGON-DENY term discard-bogon-net from source-address 192.0.0.0/24
set firewall family inet filter BOGON-DENY term discard-bogon-net from source-address 192.0.2.0/24
set firewall family inet filter BOGON-DENY term discard-bogon-net from source-address 192.168.0.0/16
set firewall family inet filter BOGON-DENY term discard-bogon-net from source-address 198.18.0.0/15
set firewall family inet filter BOGON-DENY term discard-bogon-net from source-address 198.51.100.0/24
set firewall family inet filter BOGON-DENY term discard-bogon-net from source-address 203.0.113.0/24
set firewall family inet filter BOGON-DENY term discard-bogon-net from source-address 224.0.0.0/3
set firewall family inet filter BOGON-DENY term discard-bogon-net then count BOGONS
set firewall family inet filter BOGON-DENY term discard-bogon-net then discard
set firewall family inet filter BOGON-DENY term allow-everything-else then accept
[/plain]

Private Address Reject
- Apply as output on the Internet-facing interface
- reject returns an ICMP destination unreachable to the internal sender, which makes a leak visible; use discard instead if you would rather drop silently
- Both filters count what they block: show firewall filter BOGON-DENY and show firewall filter PRIVATE-REJECT display the BOGONS and RFC-1918 counters

[plain]
set firewall family inet filter PRIVATE-REJECT term reject-rfc-1918 from destination-address 10.0.0.0/8
set firewall family inet filter PRIVATE-REJECT term reject-rfc-1918 from destination-address 172.16.0.0/12
set firewall family inet filter PRIVATE-REJECT term reject-rfc-1918 from destination-address 192.168.0.0/16
set firewall family inet filter PRIVATE-REJECT term reject-rfc-1918 then count RFC-1918
set firewall family inet filter PRIVATE-REJECT term reject-rfc-1918 then reject
set firewall family inet filter PRIVATE-REJECT term allow-everything-else then accept
[/plain]
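The following is an added example, not from the original post: a small Python model of how JUNOS evaluates the two stateless filters above (first matching term wins, implicit discard at the end), a generator that emits the equivalent set commands, and a coverage check that shows which special-purpose ranges the BOGON-DENY list leaves open. The interface name ge-0/0/0 unit 0 and the sample addresses are assumptions chosen for illustration.

```python
"""Added example: model of the post's two JUNOS stateless filters.

JUNOS evaluates a filter's terms top to bottom; the first term whose `from`
conditions all match decides the action, and a packet matching no term is
discarded by the implicit final term.  That is why both filters end with an
explicit accept term.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Term:
    name: str
    source: List[IPv4Network] = field(default_factory=list)       # from source-address
    destination: List[IPv4Network] = field(default_factory=list)  # from destination-address
    action: str = "accept"                                        # then accept | discard | reject
    counter: Optional[str] = None                                 # then count <name>

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        # Addresses under one match condition are OR'ed; distinct conditions
        # (source vs destination) are AND'ed, as JUNOS does.
        if self.source and not any(src in net for net in self.source):
            return False
        if self.destination and not any(dst in net for net in self.destination):
            return False
        return True


@dataclass
class Filter:
    name: str
    terms: List[Term]

    def evaluate(self, src: str, dst: str) -> Tuple[str, str]:
        """Return (action, term name) for a packet with the given addresses."""
        s, d = ip_address(src), ip_address(dst)
        for term in self.terms:
            if term.matches(s, d):
                return term.action, term.name
        return "discard", "<implicit final term>"

    def set_commands(self) -> List[str]:
        """Emit the JUNOS set commands that build this filter."""
        prefix = f"set firewall family inet filter {self.name} term"
        lines: List[str] = []
        for t in self.terms:
            lines += [f"{prefix} {t.name} from source-address {n}" for n in t.source]
            lines += [f"{prefix} {t.name} from destination-address {n}" for n in t.destination]
            if t.counter:
                lines.append(f"{prefix} {t.name} then count {t.counter}")
            lines.append(f"{prefix} {t.name} then {t.action}")
        return lines

    def uncovered(self, candidates: List[str]) -> List[str]:
        """Candidate prefixes not wholly inside a source prefix of any non-accept term."""
        blocked = [n for t in self.terms if t.action != "accept" for n in t.source]
        return [c for c in candidates
                if not any(ip_network(c).subnet_of(b) for b in blocked)]


def nets(*cidrs: str) -> List[IPv4Network]:
    return [ip_network(c) for c in cidrs]


# The post's BOGON-DENY input filter, transcribed as-is.
BOGON_DENY = Filter("BOGON-DENY", [
    Term("discard-bogon-net",
         source=nets("10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
                     "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15",
                     "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/3"),
         action="discard", counter="BOGONS"),
    Term("allow-everything-else"),
])

# The post's PRIVATE-REJECT output filter, transcribed as-is.
PRIVATE_REJECT = Filter("PRIVATE-REJECT", [
    Term("reject-rfc-1918",
         destination=nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
         action="reject", counter="RFC-1918"),
    Term("allow-everything-else"),
])

# Special-purpose blocks (RFC 6890 / IANA registry) to check the list against.
# 100.64.0.0/10 is RFC 6598 shared address space, newer than many bogon lists.
EXTRA_SPECIAL_PURPOSE = ["0.0.0.0/8", "100.64.0.0/10", "255.255.255.255/32"]


def apply_commands(interface: str = "ge-0/0/0 unit 0") -> List[str]:
    """Bind both filters to an Internet-facing interface (interface name assumed)."""
    return [
        f"set interfaces {interface} family inet filter input {BOGON_DENY.name}",
        f"set interfaces {interface} family inet filter output {PRIVATE_REJECT.name}",
    ]


if __name__ == "__main__":
    # Constructed sample packets; 198.51.100.7 stands in for an Internet host.
    print(BOGON_DENY.evaluate("10.1.2.3", "198.51.100.7"))         # spoofed RFC 1918 source
    print(BOGON_DENY.evaluate("100.64.1.1", "198.51.100.7"))       # accepted: gap in the list
    print(PRIVATE_REJECT.evaluate("198.51.100.7", "192.168.1.1"))  # leak to RFC 1918 rejected
    print("not covered:", BOGON_DENY.uncovered(EXTRA_SPECIAL_PURPOSE))
    print("\n".join(BOGON_DENY.set_commands() + PRIVATE_REJECT.set_commands() + apply_commands()))
```

Running the script prints that a 100.64.0.0/10 source sails through the original list while 255.255.255.255 is caught by 224.0.0.0/3, and regenerates the exact 14 and 6 set commands shown above, so the model can be used to extend the list and re-emit the configuration.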