Tuesday, October 8, 2013

Block/Discard Traffic IP Addresses on Juniper in JunOS Firewall Using Prefixes Filters and SpamHaus

In dealing with a lot of nefarious traffic on the internet lately, I needed a quick and easy solution for dropping this traffic at my edge. Most of the documentation out there is horribly dry with few examples.

The following example worked great on our MX240s and older M7is. It should also work on SRXs, but I have no way to confirm this.

1) Create the Prefix-Lists inside 'policy-options'
edit policy-options prefix-list block-Manual
set a.b.c.d/CIDR
up
annotate prefix-list block-Manual "Manual Block List"

edit policy-options prefix-list block-spamhaus-edrop
set a.b.c.d/CIDR
[...]
set w.x.y.z/CIDR
up
annotate prefix-list block-spamhaus-edrop "http://www.spamhaus.org/drop/edrop.txt"
You'll need to add the nets you want to block to each prefix list (I've created separate lists on purpose) but this should roughly give you:
[edit policy-options]
/* Manual Block List */
prefix-list block-Manual {
    a.b.c.d/CIDR;
}
/* http://www.spamhaus.org/drop/edrop.txt */
prefix-list block-spamhaus-edrop {
    a.b.c.d/CIDR;
    w.x.y.z/CIDR;
}
I'm also using the DROP list from SpamHaus, but at 500+ lines I felt it was of no use in this article. Simply create another prefix list, annotate it accordingly, and fill it with the contents of http://www.spamhaus.org/drop/drop.txt

2) Create a filter in the firewall
set firewall family inet filter blocked-IP term 1 from prefix-list block-Manual
set firewall family inet filter blocked-IP term 1 then discard
set firewall family inet filter blocked-IP term 2 from prefix-list block-spamhaus-edrop
set firewall family inet filter blocked-IP term 2 then discard
set firewall family inet filter blocked-IP term 99 then accept
...and this gives you:
filter blocked-IP {
    term 1 {
        from {
            prefix-list {
                block-Manual;
            }
        }
        then {
            discard;
        }
    }
    term 2 {
        from {
            prefix-list {
                block-spamhaus-edrop;
            }
        }
        then {
            discard;
        }
    }
    term 99 {
        then accept;
    }
}
3) Apply to an interface
family inet {
    filter {
        input blocked-IP;
        output blocked-IP;
    }
}
...and that's all there is to it. Just keep adding new prefix lists (if you want to keep them logically separate) and then add them as terms to the filter, making sure term 99 (accepting traffic) is always last.
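Because the SpamHaus lists run to hundreds of lines and change over time, typing the prefix-list entries by hand doesn't scale. The script below is an added example (not part of the original post and not SpamHaus or Juniper code) that parses the DROP/EDROP text format (one "prefix ; SBL reference" line per entry, header lines starting with ";"), validates each prefix, and emits the configure-mode commands for all three steps above: the prefix lists with their annotations, the blocked-IP filter terms with the accept term 99 last, and the interface application. The sample list contents use RFC 5737 documentation ranges and are constructed, and the interface name ge-0/0/0 is an assumption; replace it with your edge interface.

```python
"""Generate Junos configure-mode commands for a Spamhaus-style block list.

Added example, not from the original post. Sample data below is constructed
(RFC 5737 documentation ranges), not real Spamhaus data. The interface name
is a placeholder assumption.
"""
import ipaddress

# Constructed sample in the layout of drop.txt / edrop.txt: ';' header lines,
# then 'prefix ; SBL-reference' entries. One deliberately malformed line is
# included to show that it is skipped rather than aborting the whole load.
SAMPLE_DROP_TXT = """\
; Spamhaus DROP List (constructed sample for illustration)
; http://www.spamhaus.org/drop/drop.txt
; Last-Modified: (sample)
192.0.2.0/24 ; SBL-EXAMPLE-1
198.51.100.0/24 ; SBL-EXAMPLE-2

203.0.113.0/25 ; SBL-EXAMPLE-3
not-a-prefix ; SBL-EXAMPLE-4
"""


def parse_drop_list(text):
    """Return the valid IPv4 prefixes from DROP-format text, in file order.

    Lines that are blank or begin with ';' are comments. Anything after the
    first ';' on an entry line is the SBL reference and is discarded. Entries
    that are not a valid network (or have host bits set) are skipped so that
    one bad line cannot leave the router without the rest of the list.
    """
    prefixes = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        candidate = line.split(";", 1)[0].strip()
        try:
            net = ipaddress.IPv4Network(candidate, strict=True)
        except ValueError:
            continue
        prefixes.append(str(net))
    return prefixes


def build_config(block_lists, interface="ge-0/0/0", unit=0, filter_name="blocked-IP"):
    """Emit the commands for steps 1-3 of the post as a list of strings.

    block_lists: ordered list of (prefix-list name, prefixes, annotation).
    Filter terms are numbered in that order; the final accept is term 99,
    as in the post, because a Junos filter ends with an implicit discard.
    An empty prefix list (for example a failed download) raises instead of
    silently producing a list that matches nothing.
    """
    cmds = []
    # Step 1: prefix lists under policy-options, annotated like the post does
    # (annotate is run from [edit policy-options], then back to top).
    for name, prefixes, comment in block_lists:
        if not prefixes:
            raise ValueError(f"prefix-list {name} is empty; refusing to generate")
        cmds += [f"set policy-options prefix-list {name} {p}" for p in prefixes]
        cmds += ["edit policy-options", f'annotate prefix-list {name} "{comment}"', "top"]
    # Step 2: one discard term per list, then the catch-all accept term 99.
    base = f"set firewall family inet filter {filter_name}"
    for n, (name, _, _) in enumerate(block_lists, start=1):
        cmds.append(f"{base} term {n} from prefix-list {name}")
        cmds.append(f"{base} term {n} then discard")
    cmds.append(f"{base} term 99 then accept")
    # Step 3: apply the filter to the interface in both directions.
    iface = f"set interfaces {interface} unit {unit} family inet filter"
    cmds += [f"{iface} input {filter_name}", f"{iface} output {filter_name}"]
    return cmds


if __name__ == "__main__":
    lists = [
        ("block-Manual", ["192.0.2.0/24"], "Manual Block List"),
        ("block-spamhaus-drop", parse_drop_list(SAMPLE_DROP_TXT),
         "http://www.spamhaus.org/drop/drop.txt"),
    ]
    print("\n".join(build_config(lists)))
```

Paste the output into configure mode and commit. One point worth knowing when reading the filter: the post's terms use `from prefix-list`, which in a Junos firewall filter matches the listed nets as either source or destination address (the source-only form is `source-prefix-list`), so applying the filter as both `input` and `output` drops traffic to and from those nets in both directions.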