Firewall Filters (ACL in Cisco)
The Junos OS firewall filters are stateless and are primarily used to control traffic passing (transit) through the device. A stateless firewall filter examines each packet individually and has no concept of connections (state). Because a stateless filter keeps no connection state, you must explicitly allow traffic in both directions for each connection you want to permit. By contrast, a stateful firewall only requires you to permit the initial connection; it then automatically permits the bidirectional traffic of that connection.
Building Blocks of Firewall Filters
Routing policies and firewall filters share the same basic structure but serve different purposes and have different match (from) and action (then) conditions.
As with routing policy, the fundamental building block of a firewall filter is a term. A firewall filter requires at least one term. A term contains zero or more match conditions and one or more actions. If all the match conditions are true, the Junos OS takes the action specified within the term. If no match conditions are specified, all traffic matches the term and is subjected to the stated action.
A firewall filter always ends with an implicit default term that discards every packet not explicitly permitted by the defined terms (the implicit deny of a Cisco ACL). The order of the terms is very important and can change the result.
Fragment processing is more complicated with a stateless firewall filter than with a stateful firewall. Only the first fragment of a packet carries the Layer 4 (TCP/UDP) header; subsequent fragments do not. Attempting to check Layer 4 headers in fragments can therefore produce unpredictable results: the Junos OS can still evaluate Layer 4 match conditions, but because the second and subsequent fragments do not contain that header information, the matches are unpredictable. The first-fragment and is-fragment match conditions (listed in the completions further down) let a term match on the fragment state itself instead.
Categories of Match Conditions
Match conditions fall into three categories:
- Numeric range
- Address
- Bit-field match
A text synonym match condition is equivalent to one or more other match conditions. For example, the tcp-established match condition is a text synonym (alias) for the tcp-flags ack or tcp-flags rst match conditions.
Common Actions
Common firewall filter actions include terminating actions, flow control actions and action modifiers. Note that when you apply a firewall filter and traffic is not explicitly allowed by one of the defined terms, the filter discards it by default (it silently drops the packet without sending an ICMP unreachable message).
Terminating Actions:
- accept, discard and reject (as shown in the then ? completions below)
Flow Control:
- next (continue to the next term in the filter)
Action Modifiers:
- count, log and syslog
- forwarding-class and loss-priority
- policer
Defining a Firewall Filter
Implementing a firewall filter has two steps:
- Define the firewall filter under the [edit firewall] hierarchy level. Because the Junos OS supports multiple protocol families, define it under the appropriate family hierarchy level, e.g. [edit firewall family inet] for IPv4.
- Apply the firewall filter to the transit interfaces, or to the lo0 logical interface if the filter is meant for traffic destined to the system itself.
The Junos OS does not create automatic "holes" in the lo0 firewall filter, so in addition to allowing management traffic you must also allow routing protocol and other control traffic to reach the Routing Engine (RE). Otherwise the implicit silent discard, which drops any traffic not explicitly allowed in a term, has undesirable effects (lost routing adjacencies, or locking yourself out of the device).
jadmin@JR-1> configure
Entering configuration mode
Users currently editing the configuration:
  jadmin terminal v0 (pid 1480) on since 2020-10-21 12:35:46 SGT, idle 06:10:55
      [edit]
  jadmin terminal p0 (pid 5402) on since 2020-10-21 12:54:35 SGT, idle 05:27:06
      [edit protocols ospf]
The configuration has been changed but not committed

[edit]
jadmin@JR-1# edit firewall ?
Possible completions:
  <[Enter]>            Execute this command
> family               Protocol family
> filter               Define an IPv4 firewall filter
> hierarchical-policer Hierarchical policer template definition
> interface-set        Interface set definition
> policer              Policer template definition
> three-color-policer  Three-color policer
  |                    Pipe through a command
[edit]
jadmin@JR-1# edit firewall family ?
Possible completions:
> any                  Protocol-independent filter
> ccc                  Protocol family CCC for firewall filter
> inet                 Protocol family IPv4 for firewall filter
> inet6                Protocol family IPv6 for firewall filter
> mpls                 Protocol family MPLS for firewall filter
> vpls                 Protocol family VPLS for firewall filter
[edit]
jadmin@JR-1# edit firewall family inet

[edit firewall family inet]
jadmin@JR-1# set filter ?
Possible completions:
  <filter-name>        Filter name
[edit firewall family inet]
jadmin@JR-1# set filter block-in ?
Possible completions:
+ accounting-profile   Accounting profile name
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  interface-specific   Defined counters are interface specific
> term                 Define a firewall term
[edit firewall family inet]
jadmin@JR-1# set filter block-in term ?
Possible completions:
  <rule-name>          Term name
[edit firewall family inet]
jadmin@JR-1# set filter block-in term block-source ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  filter               Filter to include
> from                 Define match criteria
> then                 Action to take if the 'from' condition is matched
[edit firewall family inet]
jadmin@JR-1# set filter block-in term block-source from ?
Possible completions:
> address              Match IP source or destination address
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> destination-address  Match IP destination address
+ destination-port     Match TCP/UDP destination port
+ destination-port-except  Do not match TCP/UDP destination port
> destination-prefix-list  Match IP destination prefixes in named list
+ dscp                 Match Differentiated Services (DiffServ) code point
+ dscp-except          Do not match Differentiated Services (DiffServ) code point
+ esp-spi              Match IPSec ESP SPI value
+ esp-spi-except       Do not match IPSec ESP SPI value
  first-fragment       Match if packet is the first fragment
+ forwarding-class     Match forwarding class
+ forwarding-class-except  Do not match forwarding class
  fragment-flags       Match fragment flags (in symbolic or hex formats) - (Ingress only)
+ fragment-offset      Match fragment offset
+ fragment-offset-except  Do not match fragment offset
+ icmp-code            Match ICMP message code
+ icmp-code-except     Do not match ICMP message code
+ icmp-type            Match ICMP message type
+ icmp-type-except     Do not match ICMP message type
> interface            Match interface name
+ interface-group      Match interface group
+ interface-group-except  Do not match interface group
> interface-set        Match interface in set
+ ip-options           Match IP options
+ ip-options-except    Do not match IP options
  is-fragment          Match if packet is a fragment
+ packet-length        Match packet length
+ packet-length-except  Do not match packet length
+ port                 Match TCP/UDP source or destination port
+ port-except          Do not match TCP/UDP source or destination port
+ precedence           Match IP precedence value
+ precedence-except    Do not match IP precedence value
> prefix-list          Match IP source or destination prefixes in named list
+ protocol             Match IP protocol type
+ protocol-except      Do not match IP protocol type
  service-filter-hit   Match if service-filter-hit is set
> source-address       Match IP source address
+ source-port          Match TCP/UDP source port
+ source-port-except   Do not match TCP/UDP source port
> source-prefix-list   Match IP source prefixes in named list
  tcp-established      Match packet of an established TCP connection
  tcp-flags            Match TCP flags (in symbolic or hex formats)
  tcp-initial          Match initial packet of a TCP connection
+ ttl                  Match IP ttl type
+ ttl-except           Do not match IP ttl type
[edit firewall family inet]
jadmin@JR-1# set filter block-in term block-source from source-address ?
Possible completions:
  <address>            Prefix to match
[edit firewall family inet]
jadmin@JR-1# set filter block-in term block-source from source-address 10.10.10.0/24
jadmin@JR-1# set filter block-in term block-source then ?
Possible completions:
  accept               Accept the packet
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  count                Count the packet in the named counter
> discard              Discard the packet
  forwarding-class     Classify packet to forwarding class
  ipsec-sa             Use specified IPSec security association
  log                  Log the packet
> logical-system       Packets are directed to specified logical system
  loss-priority        Packet's loss priority
  next                 Continue to next term in a filter
  policer              Name of policer to use to rate-limit traffic
  port-mirror          Port-mirror the packet
  prefix-action        Police or count packets using named prefix action
> reject               Reject the packet
> routing-instance     Packets are directed to specified routing instance
  sample               Sample the packet
  service-accounting   Count the packets for service accounting
  service-filter-hit   Marked when packet processing by the current type of chained filters is done, the packet is directed to the next type of filters
  syslog               System log (syslog) information about the packet
> three-color-policer  Police the packet using a three-color-policer
  topology             Packets are directed to specified topology
[edit firewall family inet]
jadmin@JR-1# set filter block-in term block-source then count ?
Possible completions:
  <count>              Count the packet in the named counter
[edit firewall family inet]
jadmin@JR-1# set filter block-in term block-source then count spoof-ip ?
Possible completions:
  <[Enter]>            Execute this command
  accept               Accept the packet
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> discard              Discard the packet
  forwarding-class     Classify packet to forwarding class
  ipsec-sa             Use specified IPSec security association
  log                  Log the packet
> logical-system       Packets are directed to specified logical system
  loss-priority        Packet's loss priority
  next                 Continue to next term in a filter
  policer              Name of policer to use to rate-limit traffic
  port-mirror          Port-mirror the packet
  prefix-action        Police or count packets using named prefix action
> reject               Reject the packet
> routing-instance     Packets are directed to specified routing instance
  sample               Sample the packet
  service-accounting   Count the packets for service accounting
  service-filter-hit   Marked when packet processing by the current type of chained filters is done, the packet is directed to the next type of filters
  syslog               System log (syslog) information about the packet
> three-color-policer  Police the packet using a three-color-policer
  topology             Packets are directed to specified topology
  |                    Pipe through a command
[edit firewall family inet]
jadmin@JR-1# set filter block-in term block-source then count spoof-ip discard
jadmin@JR-1# set filter block-in term allow-other then accept

[edit firewall family inet]
jadmin@JR-1# show
filter block-in {
    term block-source {
        from {
            source-address {
                10.10.10.0/24;
            }
        }
        then {
            count spoof-ip;
            discard;
        }
    }
    term allow-other {
        then accept;
    }
}
[edit firewall family inet]
jadmin@JR-1# top edit interfaces em0

[edit interfaces em0]
jadmin@JR-1# set unit 0 family inet ?
Possible completions:
  <[Enter]>            Execute this command
> accounting           Configure interface-based accounting options
> address              Interface address/destination prefix
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> filter               Packet filtering
  mac-validate         Validate source MAC address
  mtu                  Protocol family maximum transmission unit
  no-neighbor-learn    Disable neighbor address learning on interface
  no-redirects         Do not redirect traffic
> policer              Interface policing
  primary              Candidate for primary interface in system
> rpf-check            Enable reverse-path-forwarding checks on this interface
> sampling             Interface sampling
> service              Service operations
> unnumbered-address   Unnumbered interface address/destination prefix
  |                    Pipe through a command
[edit interfaces em0]
jadmin@JR-1# set unit 0 family inet filter ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  group                Group to which interface belongs (1..255)
> input                Filter to be applied to received packets
+ input-list           List of filter modules applied to received packets
> output               Filter to be applied to transmitted packets
+ output-list          List of filter modules applied to transmitted packets
[edit interfaces em0]
jadmin@JR-1# set unit 0 family inet filter input ?
Possible completions:
  block-in             [firewall family inet filter]
[edit interfaces em0]
jadmin@JR-1# set unit 0 family inet filter input block-in

[edit interfaces em0]
jadmin@JR-1# set unit 0 family inet filter output ?
Possible completions:
  block-in             [firewall family inet filter]
[edit interfaces em0]
jadmin@JR-1# set unit 0 family inet filter output block-out

[edit interfaces em0]
jadmin@JR-1# show
unit 0 {
    family inet {
        filter {
            input block-in;
            output block-out; ## reference 'block-out' not found
        }
        address 10.1.1.1/24;
    }
}

[edit interfaces em0]
jadmin@JR-1# commit ?
Possible completions:
  <[Enter]>            Execute this command
  and-quit             Quit configuration mode if commit succeeds
  at                   Time at which to activate configuration changes
  check                Check correctness of syntax; do not apply changes
  comment              Message to write to commit log
  confirmed            Automatically rollback if not confirmed
  |                    Pipe through a command
[edit interfaces em0]
jadmin@JR-1# commit confirmed    // TO AVOID BEING LOCKED OUT USE commit confirmed
The following firewall filter example allows HTTP/web traffic to the destination host IP 192.168.1.100/32 and discards all other web traffic. Note that the allow-http term has no explicit then action; a term without a terminating action accepts the packet by default in the Junos OS.
[edit interfaces em0]
jadmin@JR-1# top edit firewall family inet

[edit firewall family inet]
jadmin@JR-1# set filter web-in term allow-http from destination-address ?
Possible completions:
  <address>            Prefix to match
[edit firewall family inet]
jadmin@JR-1# set filter web-in term allow-http from destination-address 192.168.1.100/32
jadmin@JR-1# set filter web-in term allow-http from protocol ?
Possible completions:
  <range>              Range of values
  [                    Open a set of values
  ah                   IP Security authentication header
  dstopts              IPv6 destination options
  egp                  Exterior gateway protocol
  esp                  IPSec Encapsulating Security Payload
  fragment             IPv6 fragment header
  gre                  Generic routing encapsulation
  hop-by-hop           IPv6 hop-by-hop options
  icmp                 Internet Control Message Protocol
  icmp6                Internet Control Message Protocol Version 6
  igmp                 Internet Group Management Protocol
  ipip                 IP in IP
  ipv6                 IPv6 in IP
  no-next-header       IPv6 no next header
  ospf                 Open Shortest Path First
  pim                  Protocol Independent Multicast
  routing              IPv6 routing header
  rsvp                 Resource Reservation Protocol
  sctp                 Stream Control Transmission Protocol
  tcp                  Transmission Control Protocol
  udp                  User Datagram Protocol
  vrrp                 Virtual Router Redundancy Protocol
[edit firewall family inet]
jadmin@JR-1# set filter web-in term allow-http from protocol tcp ?
Possible completions:
  <[Enter]>            Execute this command
> address              Match IP source or destination address
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> destination-address  Match IP destination address
+ destination-port     Match TCP/UDP destination port
+ destination-port-except  Do not match TCP/UDP destination port
> destination-prefix-list  Match IP destination prefixes in named list
+ dscp                 Match Differentiated Services (DiffServ) code point
+ dscp-except          Do not match Differentiated Services (DiffServ) code point
+ esp-spi              Match IPSec ESP SPI value
+ esp-spi-except       Do not match IPSec ESP SPI value
  first-fragment       Match if packet is the first fragment
+ forwarding-class     Match forwarding class
+ forwarding-class-except  Do not match forwarding class
  fragment-flags       Match fragment flags (in symbolic or hex formats) - (Ingress only)
+ fragment-offset      Match fragment offset
+ fragment-offset-except  Do not match fragment offset
+ icmp-code            Match ICMP message code
+ icmp-code-except     Do not match ICMP message code
+ icmp-type            Match ICMP message type
+ icmp-type-except     Do not match ICMP message type
> interface            Match interface name
+ interface-group      Match interface group
+ interface-group-except  Do not match interface group
> interface-set        Match interface in set
+ ip-options           Match IP options
+ ip-options-except    Do not match IP options
  is-fragment          Match if packet is a fragment
+ packet-length        Match packet length
+ packet-length-except  Do not match packet length
+ port                 Match TCP/UDP source or destination port
+ port-except          Do not match TCP/UDP source or destination port
+ precedence           Match IP precedence value
+ precedence-except    Do not match IP precedence value
> prefix-list          Match IP source or destination prefixes in named list
+ protocol             Match IP protocol type
+ protocol-except      Do not match IP protocol type
  service-filter-hit   Match if service-filter-hit is set
> source-address       Match IP source address
+ source-port          Match TCP/UDP source port
+ source-port-except   Do not match TCP/UDP source port
> source-prefix-list   Match IP source prefixes in named list
  tcp-established      Match packet of an established TCP connection
  tcp-flags            Match TCP flags (in symbolic or hex formats)
  tcp-initial          Match initial packet of a TCP connection
+ ttl                  Match IP ttl type
+ ttl-except           Do not match IP ttl type
  |                    Pipe through a command
[edit firewall family inet]
jadmin@JR-1# set filter web-in term allow-http from protocol tcp port ?
Possible completions:
  <range>              Range of values
  [                    Open a set of values
  afs                  AFS
  bgp                  Border Gateway Protocol
  biff                 Biff/Comsat
  bootpc               Bootstrap protocol client
  bootps               Bootstrap protocol server
  cmd                  UNIX rsh
  cvspserver           CVS pserver
  dhcp                 Dynamic Host Configuration Protocol
  domain               Domain Name System (DNS)
  eklogin              Encrypted Kerberos rlogin
  ekshell              Encrypted Kerberos rsh
  exec                 UNIX rexec
  finger               Finger
  ftp                  FTP
  ftp-data             FTP data
  http                 Hypertext Transfer Protocol
  https                Secure HTTP
  ident                Ident
  imap                 Internet Message Access Protocol
  kerberos-sec         Kerberos Security
  klogin               Kerberos rlogin
  kpasswd              Kerberos passwd
  krb-prop             Kerberos database propagation
  krbupdate            Kerberos database update
  kshell               Kerberos rsh
  ldap                 Lightweight Directory Access Protocol
  ldp                  Label Distribution Protocol
  login                UNIX rlogin
  mobileip-agent       Mobile IP agent
  mobilip-mn           Mobile IP MN
  msdp                 Multicast Source Discovery Protocol
  netbios-dgm          NetBIOS DGM
  netbios-ns           NetBIOS name service
  netbios-ssn          NetBIOS session service
  nfsd                 Network File System
  nntp                 Network News Transport Protocol
  ntalk                New Talk
  ntp                  Network Time Protocol
  pop3                 Post Office Protocol 3
  pptp                 Point-to-Point Tunneling Protocol
  printer              Printer
  radacct              RADIUS accounting
  radius               RADIUS authentication
  rip                  Routing Information Protocol
  rkinit               Kerberos remote kinit
  smtp                 Simple Mail Transfer Protocol
  snmp                 Simple Network Management Protocol
  snmptrap             SNMP traps
  snpp                 Simple paging protocol
  socks                Socks
  ssh                  Secure shell
  sunrpc               Sun Microsystems remote procedure call
  syslog               System log
  tacacs               TACACS or TACACS+
  tacacs-ds            TACACS-DS
  talk                 UNIX Talk
  telnet               Telnet
  tftp                 Trivial FTP
  timed                UNIX time daemon
  who                  UNIX rwho
  xdmcp                X Display Manager Control Protocol
  zephyr-clt           Zephyr serv-hm connection
  zephyr-hm            Zephyr hostmanager
  zephyr-srv           Zephyr server
[edit firewall family inet]
jadmin@JR-1# set filter web-in term allow-http from protocol tcp port http
jadmin@JR-1# set filter web-in term block-other-http from protocol tcp port http
jadmin@JR-1# set filter web-in term block-other-http then discard
jadmin@JR-1# show
filter block-in {
    term block-source {
        from {
            source-address {
                10.10.10.0/24;
            }
        }
        then {
            count spoof-ip;
            discard;
        }
    }
    term allow-other {
        then accept;
    }
}
filter web-in {
    term allow-http {
        from {
            destination-address {
                192.168.1.100/32;
            }
            protocol tcp;
            port http;
        }
    }
    term block-other-http {
        from {
            protocol tcp;
            port http;
        }
        then {
            discard;
        }
    }
}
[edit firewall family inet]
The following firewall filter example limits SSH traffic to the Routing Engine (RE) to sources in the trust-ssh-list prefix list. The prefix list is referenced here but not yet defined, as the commit-check warning in the show output indicates; the filter cannot be committed until it exists.
[edit firewall family inet]
jadmin@JR-1# set filter limit-ssh-re term allow-ssh from source-prefix-list ?
Possible completions:
  <name>               Prefix list to match
[edit firewall family inet]
jadmin@JR-1# set filter limit-ssh-re term allow-ssh from source-prefix-list trust-ssh-list
jadmin@JR-1# set filter limit-ssh-re term allow-ssh from protocol tcp
jadmin@JR-1# set filter limit-ssh-re term allow-ssh from destination-port ssh
jadmin@JR-1# set filter limit-ssh-re term block-ssh from protocol tcp
jadmin@JR-1# set filter limit-ssh-re term block-ssh from destination-port ssh
jadmin@JR-1# set filter limit-ssh-re term block-ssh then discard
jadmin@JR-1# set filter limit-ssh-re term else-allow then accept
jadmin@JR-1# show
filter block-in {
    term block-source {
        from {
            source-address {
                10.10.10.0/24;
            }
        }
        then {
            count spoof-ip;
            discard;
        }
    }
    term allow-other {
        then accept;
    }
}
filter web-in {
    term allow-http {
        from {
            destination-address {
                192.168.1.100/32;
            }
            protocol tcp;
            port http;
        }
    }
    term block-other-http {
        from {
            protocol tcp;
            port http;
        }
        then {
            discard;
        }
    }
}
filter limit-ssh-re {
    term allow-ssh {
        from {
            source-prefix-list {
                trust-ssh-list; ## 'trust-ssh-list' is not defined
            }
            protocol tcp;
            destination-port ssh;
        }
    }
    term block-ssh {
        from {
            protocol tcp;
            destination-port ssh;
        }
        then {
            discard;
        }
    }
    term else-allow {    // ALLOW OTHER TRAFFIC: ROUTING PROTOCOL AND MANAGEMENT TRAFFIC TO RE (SNMP, NTP, ETC)
        then accept;
    }
}
[edit firewall family inet]
jadmin@JR-1# top edit interfaces lo0
jadmin@JR-1# set unit 0 family inet filter input ?
Possible completions:
  block-in             [firewall family inet filter]
  limit-ssh-re         [firewall family inet filter]
  web-in               [firewall family inet filter]
[edit interfaces lo0]
jadmin@JR-1# set unit 0 family inet filter input limit-ssh-re
[edit interfaces lo0]
jadmin@JR-1# show
unit 0 {
    family inet {
        filter {
            input limit-ssh-re;
        }
    }
}
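As an added illustration (not code from the page or from Juniper), the following Python model evaluates a stateless filter the way the text describes: terms in order, the first terminating action wins, next falls through, count is a modifier, and an implicit final term discards everything else. It transcribes the page's block-in and limit-ssh-re filters, treats tcp-established as the text synonym for tcp-flags ack or rst, and shows what happens to OSPF and NTP traffic to the RE when the else-allow term is left out. The contents of trust-ssh-list, the sample packets and the port-name table are constructed here, and the rule that a term with no then action accepts is assumed Junos behaviour.

```python
import ipaddress

# Constructed sample prefix list: the page references 'trust-ssh-list' but never defines it.
PREFIX_LISTS = {"trust-ssh-list": ["10.0.0.0/24", "192.168.1.0/24"]}

# A few of the CLI's port names, so terms can use the same text synonyms as the page's config.
PORT_NAMES = {"ssh": 22, "http": 80, "ntp": 123}


def _in_prefixes(addr, prefixes):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)


def term_matches(term, pkt):
    """All 'from' conditions must hold; a term without 'from' matches every packet."""
    checks = {
        "source-address": lambda v: _in_prefixes(pkt["src"], v),
        "destination-address": lambda v: _in_prefixes(pkt["dst"], v),
        "source-prefix-list": lambda v: _in_prefixes(pkt["src"], PREFIX_LISTS[v]),
        "protocol": lambda v: pkt["protocol"] == v,
        "destination-port": lambda v: pkt.get("dst_port") == PORT_NAMES.get(v, v),
        "port": lambda v: PORT_NAMES.get(v, v) in (pkt.get("src_port"), pkt.get("dst_port")),
        # text synonym: tcp-established is tcp-flags ack OR tcp-flags rst
        "tcp-established": lambda v: pkt["protocol"] == "tcp"
        and bool(pkt.get("tcp_flags", set()) & {"ack", "rst"}),
    }
    return all(checks[key](value) for key, value in term.get("from", {}).items())


def evaluate(terms, pkt, counters=None):
    """Evaluate a stateless filter term by term, returning (action, term_name).

    The first matching term with a terminating action decides; 'next' (flow
    control) falls through to the following term; 'count' is an action modifier
    applied before the terminating action. If no term matches, the implicit
    final term silently discards the packet.
    """
    counters = counters if counters is not None else {}
    for term in terms:
        if not term_matches(term, pkt):
            continue
        then = term.get("then", {})
        if "count" in then:
            counters[then["count"]] = counters.get(then["count"], 0) + 1
        action = then.get("action", "accept")  # assumed Junos default: no action means accept
        if action == "next":
            continue
        return action, term["name"]
    return "discard", "<implicit-discard>"


# The page's filters, transcribed into this evaluator's dict form.
BLOCK_IN = [
    {"name": "block-source", "from": {"source-address": ["10.10.10.0/24"]},
     "then": {"count": "spoof-ip", "action": "discard"}},
    {"name": "allow-other", "then": {"action": "accept"}},
]
LIMIT_SSH_RE = [
    {"name": "allow-ssh", "from": {"source-prefix-list": "trust-ssh-list",
                                   "protocol": "tcp", "destination-port": "ssh"}},
    {"name": "block-ssh", "from": {"protocol": "tcp", "destination-port": "ssh"},
     "then": {"action": "discard"}},
    {"name": "else-allow", "then": {"action": "accept"}},
]

# Constructed packets arriving at lo0 (the RE): trusted and untrusted SSH, plus the
# control traffic the page warns about (an OSPF hello and an NTP query).
RE_PACKETS = {
    "ssh-trusted": {"src": "10.0.0.5", "dst": "10.1.1.1", "protocol": "tcp", "dst_port": 22},
    "ssh-untrusted": {"src": "172.16.1.1", "dst": "10.1.1.1", "protocol": "tcp", "dst_port": 22},
    "ospf-hello": {"src": "10.1.1.2", "dst": "224.0.0.5", "protocol": "ospf"},
    "ntp": {"src": "10.1.1.9", "dst": "10.1.1.1", "protocol": "udp", "dst_port": 123},
}


def lo0_results(with_else_allow=True):
    """Run the RE packets through limit-ssh-re, with or without its final accept term."""
    terms = LIMIT_SSH_RE if with_else_allow else LIMIT_SSH_RE[:2]
    return {name: evaluate(terms, pkt) for name, pkt in RE_PACKETS.items()}


if __name__ == "__main__":
    for name, result in lo0_results(True).items():
        print(f"with else-allow    {name:14} -> {result}")
    for name, result in lo0_results(False).items():
        print(f"without else-allow {name:14} -> {result}")
```

Without else-allow the OSPF hello and the NTP query fall through to the implicit discard, which is exactly the lockout the text warns about when a filter is applied to lo0.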
Policing
Firewall filters can also police (rate-limit) traffic passing into or out of an interface. Junos OS policing uses the token-bucket algorithm, which enforces a limit on average bandwidth while allowing bursts up to a specified maximum size. You configure two limits for the traffic: the bandwidth, which is the number of bits per second permitted on average, and the maximum burst size, which is the total number of bytes the system allows in a burst that exceeds the bandwidth limit.
The preferred method for determining the maximum burst size is to multiply the interface speed by the length of burst you want to allow at that bandwidth level:

Burst size = bandwidth (100,000,000 bits per second) x allowable burst time (5/1000 s, i.e. 5 ms) = 500,000 bits
           = 500,000 bits / 8 (to convert into bytes) = 62,500 bytes
You specify the bandwidth as a number of bits per second using the bandwidth-limit statement, and the maximum burst size as a number of bytes using the burst-size-limit statement. You can use the suffixes k (kbps), m (mbps) and g (gbps) to indicate one thousand, one million and one billion bits or bytes, respectively.
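An added example, not code from the page or from Juniper: a single-rate token-bucket model of the policer the text describes, parameterised like the page's police-10m policer (bandwidth-limit 10m, burst-size-limit 62500, excess traffic remapped to best-effort instead of dropped), together with the burst-size sizing rule and the k/m/g suffix parsing. The packet stream (a 50-packet burst, then 1500-byte packets every millisecond) is constructed; how a real PFE accounts bytes and refills tokens is not claimed here.

```python
SUFFIXES = {"k": 1_000, "m": 1_000_000, "g": 1_000_000_000}


def parse_junos_number(text):
    """'10m' -> 10_000_000, '62500' -> 62500: the k/m/g suffixes the statements accept."""
    text = text.strip().lower()
    if text and text[-1] in SUFFIXES:
        return int(text[:-1]) * SUFFIXES[text[-1]]
    return int(text)


def burst_size_bytes(bandwidth_bps, burst_ms):
    """The page's sizing rule: interface speed x allowed burst time, converted to bytes."""
    return bandwidth_bps * burst_ms // 8000


class Policer:
    """Token-bucket policer with Junos-style parameters (simplified model).

    bandwidth-limit refills the bucket (bits per second); burst-size-limit is the
    bucket depth (bytes). A packet is in profile when enough tokens are available,
    otherwise it is out of profile and gets the configured 'then' action.
    Time is tracked in integer microseconds so the arithmetic stays exact.
    """

    def __init__(self, bandwidth_limit, burst_size_limit, exceed_action="discard"):
        self.rate_bps = parse_junos_number(bandwidth_limit)
        self.depth = parse_junos_number(burst_size_limit)
        self.exceed_action = exceed_action
        self.tokens = float(self.depth)  # the bucket starts full
        self.last_us = 0

    def police(self, now_us, size_bytes):
        elapsed = now_us - self.last_us
        self.last_us = now_us
        refill = elapsed * self.rate_bps / 8 / 1_000_000  # bits/s over microseconds -> bytes
        self.tokens = min(self.depth, self.tokens + refill)
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return "accept"
        return self.exceed_action


def run_stream(policer, count, size_bytes, interval_us):
    """Feed count equally spaced packets; return (in_profile, out_of_profile) totals."""
    results = [policer.police(i * interval_us, size_bytes) for i in range(count)]
    accepted = results.count("accept")
    return accepted, count - accepted


def police_10m_demo():
    """The page's police-10m policer against two constructed streams, each on a fresh policer:
    a 50-packet burst of 1500-byte packets at t=0, and 1500-byte packets every 1 ms
    (12 Mbps offered load) for one second."""
    action = "forwarding-class best-effort"
    burst_result = run_stream(Policer("10m", "62500", action), 50, 1500, 0)
    steady_result = run_stream(Policer("10m", "62500", action), 1000, 1500, 1000)
    return burst_result, steady_result


if __name__ == "__main__":
    print("burst size for 100 Mbps, 5 ms:", burst_size_bytes(100_000_000, 5), "bytes")
    print("(in-profile, out-of-profile):", police_10m_demo())
```

In the steady stream only about five packets in six stay in profile once the initial 62,500-byte allowance is spent, which is the 10 Mbps average the policer enforces.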
[edit interfaces lo0]
jadmin@JR-1# top edit firewall

[edit firewall]
jadmin@JR-1# set policer ?
Possible completions:
  <policer-name>       Policer name
[edit firewall]
jadmin@JR-1# set policer police-10m ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  filter-specific      Policer is filter-specific
> if-exceeding         Define rate limits
  logical-bandwidth-policer  Policer uses logical interface bandwidth
  logical-interface-policer  Policer is logical interface policer
> then                 Action to take if the rate limits are exceeded
[edit firewall]
jadmin@JR-1# set policer police-10m if-exceeding ?
Possible completions:
  <[Enter]>            Execute this command
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  bandwidth-limit      Bandwidth limit (32000..50000000000 bits per second)
  bandwidth-percent    Bandwidth limit in percentage (1..100 percent)
  burst-size-limit     Burst size limit (1500..100000000000 bytes)
  |                    Pipe through a command
[edit firewall]
jadmin@JR-1# set policer police-10m if-exceeding bandwidth-limit ?
Possible completions:
  <bandwidth-limit>    Bandwidth limit (32000..50000000000 bits per second)
[edit firewall]
jadmin@JR-1# set policer police-10m if-exceeding bandwidth-limit 10m
jadmin@JR-1# set policer police-10m if-exceeding burst-size-limit ?
Possible completions:
  <burst-size-limit>   Burst size limit (1500..100000000000 bytes)
[edit firewall]
jadmin@JR-1# set policer police-10m if-exceeding burst-size-limit 62500
jadmin@JR-1# set policer police-10m then ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  discard              Discard the packet
  forwarding-class     Classify packet to forwarding class
  loss-priority        Packet's loss priority
[edit firewall]
jadmin@JR-1# set policer police-10m then forwarding-class ?
Possible completions:
  <forwarding-class>   Classify packet to forwarding class
  assured-forwarding
  best-effort
  expedited-forwarding
  network-control
[edit firewall]
jadmin@JR-1# set policer police-10m then forwarding-class best-effort
jadmin@JR-1# set family inet?
Possible completions:
> inet                 Protocol family IPv4 for firewall filter
> inet6                Protocol family IPv6 for firewall filter
[edit firewall]
jadmin@JR-1# set family inet ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> filter               Define an IPv4 firewall filter
> prefix-action        Define a prefix action
> service-filter       One or more IPv4 service filters
[edit firewall]
jadmin@JR-1# set family inet filter ?
Possible completions:
  <filter-name>        Filter name
  block-in             Filter name
  limit-ssh-re         Filter name
  web-in               Filter name
[edit firewall]
jadmin@JR-1# set family inet filter police-filter ?
Possible completions:
+ accounting-profile   Accounting profile name
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  interface-specific   Defined counters are interface specific
> term                 Define a firewall term
[edit firewall]
jadmin@JR-1# set family inet filter police-filter term police-tcp from protocol tcp
jadmin@JR-1# set family inet filter police-filter term police-tcp then ?
Possible completions:
  accept               Accept the packet
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  count                Count the packet in the named counter
> discard              Discard the packet
  forwarding-class     Classify packet to forwarding class
  ipsec-sa             Use specified IPSec security association
  log                  Log the packet
> logical-system       Packets are directed to specified logical system
  loss-priority        Packet's loss priority
  next                 Continue to next term in a filter
  policer              Name of policer to use to rate-limit traffic
  port-mirror          Port-mirror the packet
  prefix-action        Police or count packets using named prefix action
> reject               Reject the packet
> routing-instance     Packets are directed to specified routing instance
  sample               Sample the packet
  service-accounting   Count the packets for service accounting
  service-filter-hit   Marked when packet processing by the current type of chained filters is done, the packet is directed to the next type of filters
  syslog               System log (syslog) information about the packet
> three-color-policer  Police the packet using a three-color-policer
  topology             Packets are directed to specified topology
[edit firewall]
jadmin@JR-1# set family inet filter police-filter term police-tcp then policer ?
Possible completions:
  <policer>            Name of policer to use to rate-limit traffic
  police-10m
[edit firewall]
jadmin@JR-1# set family inet filter police-filter term police-tcp then policer police-10m
jadmin@JR-1# set family inet filter police-filter term police-tcp then ?
Possible completions:
  accept               Accept the packet
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  count                Count the packet in the named counter
> discard              Discard the packet
  forwarding-class     Classify packet to forwarding class
  ipsec-sa             Use specified IPSec security association
  log                  Log the packet
> logical-system       Packets are directed to specified logical system
  loss-priority        Packet's loss priority
  next                 Continue to next term in a filter
  policer              Name of policer to use to rate-limit traffic
  port-mirror          Port-mirror the packet
  prefix-action        Police or count packets using named prefix action
> reject               Reject the packet
> routing-instance     Packets are directed to specified routing instance
  sample               Sample the packet
  service-accounting   Count the packets for service accounting
  service-filter-hit   Marked when packet processing by the current type of chained filters is done, the packet is directed to the next type of filters
  syslog               System log (syslog) information about the packet
> three-color-policer  Police the packet using a three-color-policer
  topology             Packets are directed to specified topology
[edit firewall]
jadmin@JR-1# set family inet filter police-filter term police-tcp then forwarding-class ?
Possible completions:
  <forwarding-class>   Classify packet to forwarding class
  assured-forwarding
  best-effort
  expedited-forwarding
  network-control
[edit firewall]
jadmin@JR-1# set family inet filter police-filter term police-tcp then forwarding-class assured-forwarding
jadmin@JR-1# set family inet filter police-filter term police-tcp then accept

[edit firewall]
jadmin@JR-1# show
family inet {
    filter block-in {
        term block-source {
            from {
                source-address {
                    10.10.10.0/24;
                }
            }
            then {
                count spoof-ip;
                discard;
            }
        }
        term allow-other {
            then accept;
        }
    }
    filter web-in {
        term allow-http {
            from {
                destination-address {
                    192.168.1.100/32;
                }
                protocol tcp;
                port http;
            }
        }
        term block-other-http {
            from {
                protocol tcp;
                port http;
            }
            then {
                discard;
            }
        }
    }
    filter limit-ssh-re {
        term allow-ssh {
            from {
                source-prefix-list {
                    trust-ssh-list; ## 'trust-ssh-list' is not defined
                }
                protocol tcp;
                destination-port ssh;
            }
        }
        term block-ssh {
            from {
                protocol tcp;
                destination-port ssh;
            }
            then {
                discard;
            }
        }
        term else-allow {
            then accept;
        }
    }
    filter police-filter {
        term police-tcp {
            from {
                protocol tcp;
            }
            then {
                policer police-10m;
                forwarding-class assured-forwarding;
                accept;
            }
        }
    }
}
policer police-10m {
    if-exceeding {
        bandwidth-limit 10m;
        burst-size-limit 62500;
    }
    then forwarding-class best-effort;
}
[edit firewall]
Automated Antispoof Filters (Unicast Reverse Path Forwarding - uRPF)
The unicast reverse path forwarding (uRPF) check validates that a packet was received on an interface where the system would expect to receive traffic from that source. By default, the Junos OS expects to receive traffic on a given interface if it has an active route to the packet's source address and if the packet arrived on the interface that is the next hop for the active route to that source address. You typically configure uRPF on an edge device.
Activating uRPF increases Packet Forwarding Engine (PFE) memory usage, since the Junos OS performs unicast RPF checks by downloading additional information to the PFE.
By default, the Junos OS runs the strict mode RPF check. You can also use the loose mode RPF check, which only verifies that a valid route to the source address exists in the routing table. In general, strict mode provides the best results.
By default, the Junos OS only considers active paths to a given destination, which can cause legitimate traffic to be dropped when multiple network paths exist (asymmetric routing). Use the feasible-paths option to consider all feasible paths.
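To make the strict, loose and feasible-paths behaviour concrete, here is an added Python model of the uRPF decision (example code written for these notes, not Junos OS code). The routing table, interface names and addresses in it are constructed for the illustration.

```python
import ipaddress

# Constructed routing table for the illustration (not taken from the lab):
# prefix -> list of (interface, active). active=True is the path installed
# in the forwarding table; active=False is an equal-cost or backup path that
# is feasible but not currently used for forwarding.
ROUTES = {
    "10.1.0.0/16": [("ge-0/0/0", True), ("ge-0/0/1", False)],
    "10.2.0.0/16": [("ge-0/0/1", True)],
}


def lookup(src):
    """Longest-prefix match of the packet's source address against ROUTES."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, hops in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hops)
    return best


def urpf_check(src, in_iface, mode="strict", paths="active-paths"):
    """Return True if the packet passes the uRPF check, False if it is dropped.

    mode:  "strict" (default) requires the packet to arrive on an interface
           that is a next hop back towards its source; "loose" only requires
           that some route to the source exists.
    paths: "active-paths" (default) considers only the active next hop(s);
           "feasible-paths" also accepts interfaces of feasible alternates.
    """
    route = lookup(src)
    if route is None:            # no route to the source at all: spoof-like
        return False
    if mode == "loose":          # any route is enough in loose mode
        return True
    _, hops = route
    allowed = {iface for iface, active in hops
               if active or paths == "feasible-paths"}
    return in_iface in allowed


if __name__ == "__main__":
    # Legitimate host in 10.1.0.0/16 whose packets arrive on ge-0/0/1 because
    # the path is asymmetric (our active route back to it points at ge-0/0/0).
    print(urpf_check("10.1.5.5", "ge-0/0/1"))                          # False: dropped
    print(urpf_check("10.1.5.5", "ge-0/0/1", paths="feasible-paths"))  # True
    print(urpf_check("10.1.5.5", "ge-0/0/1", mode="loose"))            # True
    # A source with no route in the table fails even the loose check.
    print(urpf_check("192.0.2.9", "ge-0/0/0", mode="loose"))           # False
```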
[edit firewall]
jadmin@JR-1# top edit routing-options
[edit routing-options]
jadmin@JR-1# set forwarding-table ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
+ export Export policy
indexed-next-hop Krt new style indexed nexthop
indirect-next-hop Install indirect next hops in Packet Forwarding Engine
no-indirect-next-hop Don't install indirect next hops in Packet Forwarding Engine
unicast-reverse-path Unicast reverse path (RP) verification
[edit routing-options]
jadmin@JR-1# set forwarding-table unicast-reverse-path ?
Possible completions:
active-paths Consider active paths when performing RP verification
feasible-paths Consider all feasible paths for RP verification
[edit routing-options]
jadmin@JR-1# set forwarding-table unicast-reverse-path feasible-paths
[edit routing-options]
jadmin@JR-1# show
forwarding-table {
unicast-reverse-path feasible-paths;
}
[edit routing-options]
Case Study: Stateless Firewall Filter
I initially tested ping, Telnet and SSH connectivity from JR1 to JR2.
jadmin@JR1> ping 172.20.2.1 count 5 rapid
PING 172.20.2.1 (172.20.2.1): 56 data bytes
!!!!!
--- 172.20.2.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.311/0.338/0.388/0.028 ms
jadmin@JR1> telnet 172.20.2.1
Trying 172.20.2.1...
Connected to 172.20.2.1.
Escape character is '^]'.
Juniper VM Lab - JR2
JR2 (ttyp1)
login: jadmin
Password:
--- JUNOS 12.1R1.9 built 2012-03-24 12:52:33 UTC
jadmin@JR2>
jadmin@JR1> ssh 172.20.2.1
The authenticity of host '172.20.2.1 (172.20.2.1)' can't be established.
ECDSA key fingerprint is 88:71:b7:cc:81:e6:65:d5:27:fc:7b:13:7a:18:51:ef.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.20.2.1' (ECDSA) to the list of known hosts.
Juniper VM Lab - JR2
jadmin@172.20.2.1's password:
--- JUNOS 12.1R1.9 built 2012-03-24 12:52:33 UTC
jadmin@JR2>
jadmin@JR2> configure
Entering configuration mode
Users currently editing the configuration:
root terminal v0 (pid 1482) on since 2020-10-25 10:39:29 UTC, idle 01:40:00
[edit system login]
[edit]
jadmin@JR2#
edit firewall ?
Possible
completions:
<[Enter]> Execute this command
>
family Protocol family
>
filter Define an IPv4
firewall filter
>
hierarchical-policer Hierarchical
policer template definition
>
interface-set Interface set
definition
>
policer Policer template
definition
>
three-color-policer Three-color policer
| Pipe through a command
[edit]
jadmin@JR2#
edit firewall family ?
Possible
completions:
>
any Protocol-independent
filter
>
ccc Protocol family CCC
for firewall filter
>
inet Protocol family IPv4
for firewall filter
>
inet6 Protocol family IPv6
for firewall filter
>
mpls Protocol family MPLS
for firewall filter
>
vpls Protocol family VPLS
for firewall filter
[edit]
jadmin@JR2#
edit firewall family inet ?
Possible
completions:
<[Enter]> Execute this command
>
filter Define an IPv4
firewall filter
>
prefix-action Define a prefix
action
>
service-filter One or more IPv4
service filters
| Pipe through a command
[edit]
jadmin@JR2#
edit firewall family inet filter ?
Possible
completions:
<filter-name> Filter name
[edit]
jadmin@JR2#
edit firewall family inet filter input-filter-lo0
[edit
firewall family inet filter input-filter-lo0]
jadmin@JR2#
set term ?
Possible
completions:
<rule-name> Term name
[edit
firewall family inet filter input-filter-lo0]
jadmin@JR2#
set term block-telnet ?
Possible
completions:
+
apply-groups Groups from which to
inherit configuration data
+
apply-groups-except Don't inherit
configuration data from these groups
filter Filter to include
>
from Define match
criteria
>
then Action to take if
the 'from' condition is matched
[edit
firewall family inet filter input-filter-lo0]
jadmin@JR2#
set term block-telnet from ?
Possible
completions:
>
address Match IP source or
destination address
+
apply-groups Groups from which to
inherit configuration data
+
apply-groups-except Don't inherit
configuration data from these groups
>
destination-address Match IP destination
address
+
destination-port Match TCP/UDP
destination port
+
destination-port-except Do not match
TCP/UDP destination port
>
destination-prefix-list Match IP
destination prefixes in named list
+
dscp Match Differentiated
Services (DiffServ) code point
+
dscp-except Do not match Differentiated Services (DiffServ) code point
+
esp-spi Match IPSec ESP SPI
value
+
esp-spi-except Do not match IPSec
ESP SPI value
first-fragment Match if packet is the first fragment
+
forwarding-class Match forwarding
class
+
forwarding-class-except Do not match
forwarding class
fragment-flags Match fragment flags (in symbolic or hex formats) - (Ingress only)
+
fragment-offset Match fragment
offset
+
fragment-offset-except Do not match
fragment offset
+
icmp-code Match ICMP message
code
+
icmp-code-except Do not match ICMP
message code
+
icmp-type Match ICMP message
type
+
icmp-type-except Do not match ICMP
message type
>
interface Match interface name
+
interface-group Match interface
group
+
interface-group-except Do not match
interface group
>
interface-set Match interface in
set
+
ip-options Match IP options
+
ip-options-except Do not match IP
options
is-fragment Match if packet is a fragment
+
packet-length Match packet length
+
packet-length-except Do not match packet
length
+
port Match TCP/UDP source
or destination port
+
port-except Do not match TCP/UDP
source or destination port
+
precedence Match IP precedence
value
+
precedence-except Do not match IP
precedence value
>
prefix-list Match IP source or
destination prefixes in named list
+
protocol Match IP protocol
type
+
protocol-except Do not match IP
protocol type
service-filter-hit Match if service-filter-hit is set
>
source-address Match IP source
address
+
source-port Match TCP/UDP source
port
+
source-port-except Do not match TCP/UDP
source port
>
source-prefix-list Match IP source
prefixes in named list
tcp-established Match packet of an established TCP
connection
tcp-flags Match TCP flags (in symbolic or hex
formats)
tcp-initial Match initial packet of a TCP
connection
+
ttl Match IP ttl type
+
ttl-except Do not match IP ttl
type
[edit
firewall family inet filter input-filter-lo0]
jadmin@JR2#
set term block-telnet from protocol ?
Possible
completions:
<range> Range of values
[ Open a set of values
ah IP Security authentication
header
dstopts IPv6 destination options
egp Exterior gateway protocol
esp IPSec Encapsulating Security
Payload
fragment IPv6 fragment header
gre Generic routing encapsulation
hop-by-hop IPv6 hop-by-hop options
icmp Internet Control Message
Protocol
icmp6 Internet Control Message
Protocol Version 6
igmp Internet Group Management
Protocol
ipip IP in IP
ipv6 IPv6 in IP
no-next-header IPv6 no next header
ospf Open Shortest Path First
pim Protocol Independent
Multicast
routing IPv6 routing header
rsvp Resource Reservation Protocol
sctp Stream Control Transmission
Protocol
tcp Transmission Control Protocol
udp User Datagram Protocol
vrrp Virtual Router Redundancy
Protocol
[edit firewall family inet filter input-filter-lo0]
jadmin@JR2# set term block-telnet from protocol tcp
jadmin@JR2# set term block-telnet from destination-port ?
Possible completions:
<range> Range of values
[ Open a set of values
afs AFS
bgp Border Gateway Protocol
biff Biff/Comsat
bootpc Bootstrap protocol client
bootps Bootstrap protocol server
cmd UNIX rsh
cvspserver CVS pserver
dhcp Dynamic Host Configuration
Protocol
domain Domain Name System (DNS)
eklogin Encrypted Kerberos rlogin
ekshell Encrypted Kerberos rsh
exec UNIX rexec
finger Finger
ftp FTP
ftp-data FTP data
http Hypertext Transfer Protocol
https Secure HTTP
ident Ident
imap Internet Message Access
Protocol
kerberos-sec Kerberos Security
klogin Kerberos rlogin
kpasswd Kerberos passwd
krb-prop Kerberos database propagation
krbupdate Kerberos database update
kshell Kerberos rsh
ldap Lightweight Directory Access
Protocol
ldp Label Distribution Protocol
login UNIX rlogin
mobileip-agent Mobile IP agent
mobilip-mn Mobile IP MN
msdp Multicast Source Discovery
Protocol
netbios-dgm NetBIOS DGM
netbios-ns NetBIOS name service
netbios-ssn NetBIOS session service
nfsd Network File System
nntp Network News Transport
Protocol
ntalk New Talk
ntp Network Time Protocol
pop3 Post Office Protocol 3
pptp Point-to-Point Tunneling
Protocol
printer Printer
radacct RADIUS accounting
radius RADIUS authentication
rip Routing Information Protocol
rkinit Kerberos remote kinit
smtp Simple Mail Transfer Protocol
snmp Simple Network Management
Protocol
snmptrap SNMP traps
snpp Simple paging protocol
socks Socks
ssh Secure shell
sunrpc Sun Microsystems remote
procedure call
syslog System log
tacacs TACACS or TACACS+
tacacs-ds TACACS-DS
talk UNIX Talk
telnet Telnet
tftp Trivial FTP
timed UNIX time daemon
who UNIX rwho
xdmcp X Display Manager Control
Protocol
zephyr-clt Zephyr serv-hm connection
zephyr-hm Zephyr hostmanager
zephyr-srv Zephyr server
[edit firewall family inet filter input-filter-lo0]
jadmin@JR2# set term block-telnet from destination-port telnet
jadmin@JR2# set term block-telnet then ?
Possible completions:
accept Accept the packet
+
apply-groups Groups from which to
inherit configuration data
+
apply-groups-except Don't inherit
configuration data from these groups
count Count the packet in the named
counter
>
discard Discard the packet
forwarding-class Classify packet to forwarding class
ipsec-sa Use specified IPSec security
association
log Log the packet
>
logical-system Packets are directed
to specified logical system
loss-priority Packet's loss priority
next Continue to next term in a
filter
policer Name of policer to use to
rate-limit traffic
port-mirror Port-mirror the packet
prefix-action Police or count packets using named
prefix action
>
reject Reject the packet
>
routing-instance Packets are directed
to specified routing instance
sample Sample the packet
service-accounting Count the packets for service accounting
service-filter-hit Marked when packet processing by the current type of chained filters is done, the packet is directed to the next type of filters
syslog System log (syslog) information
about the packet
>
three-color-policer Police the packet
using a three-color-policer
topology Packets are directed to specified
topology
[edit
firewall family inet filter input-filter-lo0]
jadmin@JR2# set term block-telnet then discard
jadmin@JR2# set term block-icmp from protocol icmp
[edit
firewall family inet filter input-filter-lo0]
jadmin@JR2#
set term block-icmp from icmp-type ?
Possible
completions:
<range> Range of values
[ Open a set of values
echo-reply Echo reply
echo-request Echo request
info-reply Informational reply
info-request Informational request
mask-reply Mask reply
mask-request Mask request
parameter-problem Parameter problem
redirect Redirect
router-advertisement Router advertisement
router-solicit Router solicit
source-quench Source quench
time-exceeded Time exceeded
timestamp Timestamp
timestamp-reply Timestamp reply
unreachable Unreachable
[edit
firewall family inet filter input-filter-lo0]
jadmin@JR2# set term block-icmp from icmp-type echo-request
jadmin@JR2# set term block-icmp then discard
jadmin@JR2# set term else-accept then accept
jadmin@JR2# show
term block-telnet {
from {
protocol tcp;
destination-port telnet;
}
then {
discard;
}
}
term block-icmp {
from {
protocol icmp;
icmp-type echo-request;
}
then {
discard;
}
}
term else-accept {
then accept;
}
[edit firewall family inet filter input-filter-lo0]
jadmin@JR2# top edit interfaces lo0.0
[edit interfaces lo0 unit 0]
jadmin@JR2#
set family inet ?
Possible
completions:
<[Enter]> Execute this command
>
address Interface
address/destination prefix
+
apply-groups Groups from which to
inherit configuration data
+
apply-groups-except Don't inherit
configuration data from these groups
>
filter Packet filtering
no-neighbor-learn Disable neighbor address learning on
interface
no-redirects Do not redirect traffic
>
policer Interface policing
primary Candidate for primary interface
in system
>
unnumbered-address Unnumbered interface
address/destination prefix
| Pipe through a command
[edit
interfaces lo0 unit 0]
jadmin@JR2#
set family inet filter ?
Possible
completions:
+
apply-groups Groups from which to
inherit configuration data
+
apply-groups-except Don't inherit
configuration data from these groups
group Group to which interface
belongs (1..255)
>
input Filter to be applied
to received packets
+
input-list List of filter
modules applied to received packets
>
output Filter to be applied
to transmitted packets
+
output-list List of filter
modules applied to transmitted packets
[edit
interfaces lo0 unit 0]
jadmin@JR2#
set family inet filter input ?
Possible
completions:
input-filter-lo0 [firewall family inet filter]
[edit interfaces lo0 unit 0]
jadmin@JR2# set family inet filter input input-filter-lo0
[edit interfaces lo0 unit 0]
jadmin@JR2# show
family inet {
filter {
input input-filter-lo0;
}
address 172.20.2.1/32;
}
[edit interfaces lo0 unit 0]
jadmin@JR2# commit and-quit
commit complete
Exiting configuration mode
I tested again with the firewall filter applied to lo0.0 on JR2. Notice that only SSH traffic was allowed.
jadmin@JR1> ping 172.20.2.1
PING 172.20.2.1 (172.20.2.1): 56 data bytes
^C
--- 172.20.2.1 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
jadmin@JR1> telnet 172.20.2.1
Trying 172.20.2.1...
^C
jadmin@JR1> ssh 172.20.2.1
Juniper VM Lab - JR2
jadmin@172.20.2.1's password:
--- JUNOS 12.1R1.9 built 2012-03-24 12:52:33 UTC
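As an added example (not part of the original lab), the following Python model replays the first-match evaluation of input-filter-lo0 against constructed packets standing in for the ping, Telnet and SSH tests, including the implicit final discard term and the effect of term order:

```python
# The lo0 input filter from the case study, as term tuples (name, match, action).
# A match dict with no keys matches every packet, as a term with no from clause does.
INPUT_FILTER_LO0 = [
    ("block-telnet", {"protocol": "tcp", "destination-port": 23}, "discard"),
    ("block-icmp", {"protocol": "icmp", "icmp-type": "echo-request"}, "discard"),
    ("else-accept", {}, "accept"),
]


def term_matches(match, packet):
    """All conditions in a term's from clause must be true for the term to match."""
    for key, wanted in match.items():
        value = packet.get(key)
        # A condition written as a set, like [ ssh telnet ], matches any listed value.
        if isinstance(wanted, (set, frozenset, list, tuple)):
            if value not in wanted:
                return False
        elif value != wanted:
            return False
    return True


def evaluate(terms, packet):
    """First-match evaluation: returns (term name, action) for the packet.

    Terms are tried in order and the first matching term decides. If no term
    matches, the implicit final term discards the packet, as in Junos OS.
    """
    for name, match, action in terms:
        if term_matches(match, packet):
            return name, action
    return "<implicit-discard>", "discard"


# Constructed packets standing in for the three tests run from JR1.
PING = {"protocol": "icmp", "icmp-type": "echo-request"}
TELNET = {"protocol": "tcp", "destination-port": 23}
SSH = {"protocol": "tcp", "destination-port": 22}

if __name__ == "__main__":
    for label, pkt in (("ping", PING), ("telnet", TELNET), ("ssh", SSH)):
        print(label, evaluate(INPUT_FILTER_LO0, pkt))
    # Without the final else-accept term, SSH would hit the implicit discard,
    # which is why a lo0 filter needs an explicit accept for wanted traffic.
    print("ssh, no else-accept:", evaluate(INPUT_FILTER_LO0[:2], SSH))
    # Term order matters: putting else-accept first lets Telnet through.
    reordered = [INPUT_FILTER_LO0[2]] + INPUT_FILTER_LO0[:2]
    print("telnet, accept first:", evaluate(reordered, TELNET))
```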
Below are the commands entered on JR2 and JR1, respectively.
JR2
edit firewall family inet filter input-filter-lo0
set term block-telnet from protocol tcp
set term block-telnet from destination-port telnet
set term block-telnet then discard
set term block-icmp from protocol icmp
set term block-icmp from icmp-type echo-request
set term block-icmp then discard
set term else-accept then accept
show
edit interfaces lo0.0
set family inet filter input input-filter-lo0
show
commit and-quit
show firewall counter filter input-filter-lo0 inbound-discarded
show firewall log
JR1
ping 172.20.2.1
telnet 172.20.2.1
ssh 172.20.2.1