kishkool75
asked on
Juniper blacklist not working
Hi,
I'm trying for testing to blacklist ip 64.20.227.133 wich is public ip of the well known : http://mxtoolbox.com
I create an adress "blacklist" : 64.20.227.133/32 then i create a rule :
From Global to Global (to be sure) deny "blacklsite" on any services to any adress.
Problem, when i do a port scan to my public ip it's still seeing what is open...
So i suppose that nothing is dropped..
Can you help me please.
Thanks.
I'm trying for testing to blacklist ip 64.20.227.133 wich is public ip of the well known : http://mxtoolbox.com
I create an adress "blacklist" : 64.20.227.133/32 then i create a rule :
From Global to Global (to be sure) deny "blacklsite" on any services to any adress.
Problem, when i do a port scan to my public ip it's still seeing what is open...
So i suppose that nothing is dropped..
Can you help me please.
Thanks.
ASKER
This is a SSG140 netscreen OS.
Well here a small schema :
MXTOOLBOX (64.20.227.133) ---->PORT SCAN (25)----> JUNIPER SSG140 ---->Mail server
Result is that mxtoolbox see that port 25 is open and i get a log who says :
[Root]system-alert-00016: Port scan! From 64.20.227.133:65194 to XXXXXXX, proto TCP (zone Untrust, int ethernet0/0). Occurred 1 times.
Even with the rule of my previous post, it still see what port is open on the firewall.
Well here a small schema :
MXTOOLBOX (64.20.227.133) ---->PORT SCAN (25)----> JUNIPER SSG140 ---->Mail server
Result is that mxtoolbox see that port 25 is open and i get a log who says :
[Root]system-alert-00016: Port scan! From 64.20.227.133:65194 to XXXXXXX, proto TCP (zone Untrust, int ethernet0/0). Occurred 1 times.
Even with the rule of my previous post, it still see what port is open on the firewall.
Ok
1-you can perform global rules on netscreen devices....
2nd MXTOOLBOX is NOT a bad site
it actually checks legitimate sites to help in blacklisting--and other things
3rd - if that port is open - as it legitimately should ... then it will be seen available by any scan
4th that IP is not generating traffic into your org - it is just checking to 'see' if the port is available
5th your rule states what exactly - do not permit zzz?ALL traffic from src xxx to dest yyy - correct
- is that rule even being hit
1-you can perform global rules on netscreen devices....
2nd MXTOOLBOX is NOT a bad site
it actually checks legitimate sites to help in blacklisting--and other things
3rd - if that port is open - as it legitimately should ... then it will be seen available by any scan
4th that IP is not generating traffic into your org - it is just checking to 'see' if the port is available
5th your rule states what exactly - do not permit zzz?ALL traffic from src xxx to dest yyy - correct
- is that rule even being hit
ASKER
Hi,
Yes i know it's a good site but it was just about testing purpose.
Maybe i'm wrong but if i says :
anything from this is ip must be drop by the FW then it should not be able to get any port scan result...
Same thing with smtp diag on mxtoolbox.
it's still working, it can test my smtp server and do some check but with a rule who say block anything from mxtoolbox IP then i would just receive an error from mxtoolbox.com interface... no?
How can i see if that rule is being hit?
To see current rule look attach picture. (zone : Untrust to Global)
Another thing, if i have a rule who stat : ALL IS PERMIT FROM ANY IP then if i do a rule who says PACKET DENY FROM XXX IP which IP is taking the order?
Thanks
blacklist.JPG
Yes i know it's a good site but it was just about testing purpose.
Maybe i'm wrong but if i says :
anything from this is ip must be drop by the FW then it should not be able to get any port scan result...
Same thing with smtp diag on mxtoolbox.
it's still working, it can test my smtp server and do some check but with a rule who say block anything from mxtoolbox IP then i would just receive an error from mxtoolbox.com interface... no?
How can i see if that rule is being hit?
To see current rule look attach picture. (zone : Untrust to Global)
Another thing, if i have a rule who stat : ALL IS PERMIT FROM ANY IP then if i do a rule who says PACKET DENY FROM XXX IP which IP is taking the order?
Thanks
blacklist.JPG
FW rules get processed in order
so the first it hits in this case
a port scan and fw rule are not necessarily related
fw rule says do not allow traffic from ?anywhere to reach my desktop
a port scan asks if x port is open on the firewall for traffic
so a port scan might get the answer without the traffic being allowed to traverse the firewall - head out the indicated interface and reach a final destination
you can monitor rules usage via - monitoring live or after the fact reports
of even looking at the rule to see if it has an indication it was hit
some of this might be more readily visible from a cmd line then a GUI
search how to monitor a firewall wall rule usage in net screen - there's alot out there
so the first it hits in this case
a port scan and fw rule are not necessarily related
fw rule says do not allow traffic from ?anywhere to reach my desktop
a port scan asks if x port is open on the firewall for traffic
so a port scan might get the answer without the traffic being allowed to traverse the firewall - head out the indicated interface and reach a final destination
you can monitor rules usage via - monitoring live or after the fact reports
of even looking at the rule to see if it has an indication it was hit
some of this might be more readily visible from a cmd line then a GUI
search how to monitor a firewall wall rule usage in net screen - there's alot out there
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Netscreen
SRX
is traffic originating from that IP into your device?
in order for you to be monitoring it....