Friday, June 4, 2021

Juniper Networks Stateless Firewall Filter

Firewall Filters (ACL in Cisco)

The Junos OS firewall filters are stateless in nature and are primarily used to control traffic passing (transit) through the device. A stateless firewall filter examines each packet individually and has no concept of connections (that is what a stateful firewall tracks). Because a stateless firewall filter keeps no connection state, you must explicitly allow traffic in both directions for each connection you want to permit. By contrast, a stateful firewall only requires you to permit the initial connection; it then automatically permits the return traffic of that connection.

Building Blocks of Firewall Filters

Routing policies and firewall filters share the same basic structure but serve different purposes and have different match (from) and action (then) conditions.

As with routing policy, the fundamental building block of a firewall filter is a term. A firewall filter requires at least one term. A term contains zero or more match conditions and one or more actions. If all the match conditions are true, the Junos OS takes the actions specified within that term. If no match conditions are specified, all traffic matches the term and is subjected to the stated action.

A firewall filter always ends with an implicit default term that discards every packet not explicitly permitted by one of the defined terms (the equivalent of the implicit deny at the end of a Cisco ACL). Terms are evaluated in the order they are defined and the first term that matches a packet decides its fate, so the order of the terms directly affects the result.

The processing of fragments is more complicated with a stateless firewall filter than with a stateful one. The first fragment should carry all the Layer 4 headers (TCP/UDP), but subsequent fragments do not. Attempting to check Layer 4 headers in fragments can therefore produce unpredictable results: the Junos OS still evaluates the Layer 4 match conditions, but the second and subsequent fragments do not contain that header information, so the matches are unpredictable.

Categories of Match Conditions

Match conditions fall into three categories:

  1. Numeric range
  2. Address
  3. Bit-field match

A text synonym match condition is equivalent to one or more other match conditions. For example, the tcp-established match condition is a text synonym (alias) for the tcp-flags ack or tcp-flags rst match conditions.

Common Actions

Common firewall filter actions include terminating actions, flow control actions and action modifiers. Note that when you apply a firewall filter and a packet is not explicitly allowed by one of the defined terms, the packet is discarded by default (silently dropped, without an ICMP unreachable message being sent).

Terminating Actions:

  • accept
  • discard
  • reject

Flow Control:

  • next term
  • next filter

Action Modifiers:

  • count, log and syslog
  • forwarding-class and loss-priority
  • policer


Defining a Firewall Filter

Implementing a firewall filter has two steps:

  1. Define the firewall filter under the [edit firewall] hierarchy level. Because the Junos OS supports multiple protocol families, you define it under the appropriate family hierarchy level, i.e. [edit firewall family inet] for IPv4.
  2. Apply the firewall filter to the transit interfaces, or to the lo0 logical interface if it is meant for traffic destined to the system itself.

The Junos OS does not create automatic "holes" in the lo0 firewall filter, so in addition to allowing management traffic, you must also explicitly allow the routing protocol and other control traffic to reach the Routing Engine (RE). The implicit silent discard of traffic that no term explicitly allows can otherwise have undesirable effects, such as dropping the routing protocol packets the device depends on.

jadmin@JR-1> configure

Entering configuration mode

Users currently editing the configuration:

  jadmin terminal v0 (pid 1480) on since 2020-10-21 12:35:46 SGT, idle 06:10:55

      [edit]

  jadmin terminal p0 (pid 5402) on since 2020-10-21 12:54:35 SGT, idle 05:27:06

      [edit protocols ospf]

The configuration has been changed but not committed

[edit]

jadmin@JR-1# edit firewall ?

Possible completions:

  <[Enter]>            Execute this command

> family               Protocol family

> filter               Define an IPv4 firewall filter

> hierarchical-policer  Hierarchical policer template definition

> interface-set        Interface set definition

> policer              Policer template definition

> three-color-policer  Three-color policer

  |                    Pipe through a command

[edit]

jadmin@JR-1# edit firewall family ?

Possible completions:

> any                  Protocol-independent filter

> ccc                  Protocol family CCC for firewall filter

> inet                 Protocol family IPv4 for firewall filter

> inet6                Protocol family IPv6 for firewall filter

> mpls                 Protocol family MPLS for firewall filter

> vpls                 Protocol family VPLS for firewall filter

[edit]

jadmin@JR-1# edit firewall family inet

[edit firewall family inet]

jadmin@JR-1# set filter ?

Possible completions:

  <filter-name>        Filter name

[edit firewall family inet]

jadmin@JR-1# set filter block-in ?

Possible completions:

+ accounting-profile   Accounting profile name

+ apply-groups         Groups from which to inherit configuration data

+ apply-groups-except  Don't inherit configuration data from these groups

  interface-specific   Defined counters are interface specific

> term                 Define a firewall term

[edit firewall family inet]

jadmin@JR-1# set filter block-in term ?

Possible completions:

  <rule-name>          Term name

[edit firewall family inet]

jadmin@JR-1# set filter block-in term block-source ?

Possible completions:

+ apply-groups         Groups from which to inherit configuration data

+ apply-groups-except  Don't inherit configuration data from these groups

  filter               Filter to include

> from                 Define match criteria

> then                 Action to take if the 'from' condition is matched

[edit firewall family inet]

jadmin@JR-1# set filter block-in term block-source from ?

Possible completions:

> address              Match IP source or destination address

+ apply-groups         Groups from which to inherit configuration data

+ apply-groups-except  Don't inherit configuration data from these groups

> destination-address  Match IP destination address

+ destination-port     Match TCP/UDP destination port

+ destination-port-except  Do not match TCP/UDP destination port

> destination-prefix-list  Match IP destination prefixes in named list

+ dscp                 Match Differentiated Services (DiffServ) code point

+ dscp-except          Do not match Differentiated Services (DiffServ) code point

+ esp-spi              Match IPSec ESP SPI value

+ esp-spi-except       Do not match IPSec ESP SPI value

  first-fragment       Match if packet is the first fragment

+ forwarding-class     Match forwarding class

+ forwarding-class-except  Do not match forwarding class

  fragment-flags       Match fragment flags (in symbolic or hex formats) - (Ingress only)

+ fragment-offset      Match fragment offset

+ fragment-offset-except  Do not match fragment offset

+ icmp-code            Match ICMP message code

+ icmp-code-except     Do not match ICMP message code

+ icmp-type            Match ICMP message type

+ icmp-type-except     Do not match ICMP message type

> interface            Match interface name

+ interface-group      Match interface group

+ interface-group-except  Do not match interface group

> interface-set        Match interface in set

+ ip-options           Match IP options

+ ip-options-except    Do not match IP options

  is-fragment          Match if packet is a fragment

+ packet-length        Match packet length

+ packet-length-except  Do not match packet length

+ port                 Match TCP/UDP source or destination port

+ port-except          Do not match TCP/UDP source or destination port

+ precedence           Match IP precedence value

+ precedence-except    Do not match IP precedence value

> prefix-list          Match IP source or destination prefixes in named list

+ protocol             Match IP protocol type

+ protocol-except      Do not match IP protocol type

  service-filter-hit   Match if service-filter-hit is set

> source-address       Match IP source address

+ source-port          Match TCP/UDP source port

+ source-port-except   Do not match TCP/UDP source port

> source-prefix-list   Match IP source prefixes in named list

  tcp-established      Match packet of an established TCP connection

  tcp-flags            Match TCP flags (in symbolic or hex formats)

  tcp-initial          Match initial packet of a TCP connection

+ ttl                  Match IP ttl type

+ ttl-except           Do not match IP ttl type

[edit firewall family inet]

jadmin@JR-1# set filter block-in term block-source from source-address ?

Possible completions:

  <address>            Prefix to match

[edit firewall family inet]

jadmin@JR-1# set filter block-in term block-source from source-address 10.10.10.0/24

jadmin@JR-1# set filter block-in term block-source then ?

Possible completions:

  accept               Accept the packet

+ apply-groups         Groups from which to inherit configuration data

+ apply-groups-except  Don't inherit configuration data from these groups

  count                Count the packet in the named counter

> discard              Discard the packet

  forwarding-class     Classify packet to forwarding class

  ipsec-sa             Use specified IPSec security association

  log                  Log the packet

> logical-system       Packets are directed to specified logical system

  loss-priority        Packet's loss priority

  next                 Continue to next term in a filter

  policer              Name of policer to use to rate-limit traffic

  port-mirror          Port-mirror the packet

  prefix-action        Police or count packets using named prefix action

> reject               Reject the packet

> routing-instance     Packets are directed to specified routing instance

  sample               Sample the packet

  service-accounting   Count the packets for service accounting

  service-filter-hit   Marked when packet processing by the current type of chained filters is done, the packet is directed to the next type of filters

  syslog               System log (syslog) information about the packet

> three-color-policer  Police the packet using a three-color-policer

  topology             Packets are directed to specified topology

[edit firewall family inet]

jadmin@JR-1# set filter block-in term block-source then count ?

Possible completions:

  <count>              Count the packet in the named counter

[edit firewall family inet]

jadmin@JR-1# set filter block-in term block-source then count spoof-ip ?

Possible completions:

  <[Enter]>            Execute this command

  accept               Accept the packet

+ apply-groups         Groups from which to inherit configuration data

+ apply-groups-except  Don't inherit configuration data from these groups

> discard              Discard the packet

  forwarding-class     Classify packet to forwarding class

  ipsec-sa             Use specified IPSec security association

  log                  Log the packet

> logical-system       Packets are directed to specified logical system

  loss-priority        Packet's loss priority

  next                 Continue to next term in a filter

  policer              Name of policer to use to rate-limit traffic

  port-mirror          Port-mirror the packet

  prefix-action        Police or count packets using named prefix action

> reject               Reject the packet

> routing-instance     Packets are directed to specified routing instance

  sample               Sample the packet

  service-accounting   Count the packets for service accounting

  service-filter-hit   Marked when packet processing by the current type of chained filters is done, the packet is directed to the next type of filters

  syslog               System log (syslog) information about the packet

> three-color-policer  Police the packet using a three-color-policer

  topology             Packets are directed to specified topology

  |                    Pipe through a command

[edit firewall family inet]

jadmin@JR-1# set filter block-in term block-source then count spoof-ip discard

jadmin@JR-1# set filter block-in term allow-other then accept

[edit firewall family inet]

jadmin@JR-1# show

filter block-in {

    term block-source {

        from {

            source-address {

                10.10.10.0/24;

            }

        }

        then {

            count spoof-ip;

            discard;

        }

    }

    term allow-other {

        then accept;

    }

}

[edit firewall family inet]

jadmin@JR-1# top edit interfaces em0

[edit interfaces em0]

jadmin@JR-1# set unit 0 family inet ?

Possible completions:

  <[Enter]>            Execute this command

> accounting           Configure interface-based accounting options

> address              Interface address/destination prefix

+ apply-groups         Groups from which to inherit configuration data

+ apply-groups-except  Don't inherit configuration data from these groups

> filter               Packet filtering

  mac-validate         Validate source MAC address

  mtu                  Protocol family maximum transmission unit

  no-neighbor-learn    Disable neighbor address learning on interface

  no-redirects         Do not redirect traffic

> policer              Interface policing

  primary              Candidate for primary interface in system

> rpf-check            Enable reverse-path-forwarding checks on this interface

> sampling             Interface sampling

> service              Service operations

> unnumbered-address   Unnumbered interface address/destination prefix

  |                    Pipe through a command

[edit interfaces em0]

jadmin@JR-1# set unit 0 family inet filter ?

Possible completions:

+ apply-groups         Groups from which to inherit configuration data

+ apply-groups-except  Don't inherit configuration data from these groups

  group                Group to which interface belongs (1..255)

> input                Filter to be applied to received packets

+ input-list           List of filter modules applied to received packets

> output               Filter to be applied to transmitted packets

+ output-list          List of filter modules applied to transmitted packets

[edit interfaces em0]

jadmin@JR-1# set unit 0 family inet filter input ?

Possible completions:

  block-in             [firewall family inet filter]

[edit interfaces em0]

jadmin@JR-1# set unit 0 family inet filter input block-in

[edit interfaces em0]

jadmin@JR-1# set unit 0 family inet filter output ?

Possible completions:

  block-in             [firewall family inet filter]

[edit interfaces em0]

jadmin@JR-1# set unit 0 family inet filter output block-out

[edit interfaces em0]

jadmin@JR-1# show

unit 0 {

    family inet {

        filter {

            input block-in;

            output block-out; ## reference 'block-out' not found

        }

        address 10.1.1.1/24;

    }

}

[edit interfaces em0]

jadmin@JR-1# commit ?

Possible completions:

  <[Enter]>            Execute this command

  and-quit             Quit configuration mode if commit succeeds

  at                   Time at which to activate configuration changes

  check                Check correctness of syntax; do not apply changes

  comment              Message to write to commit log

  confirmed            Automatically rollback if not confirmed

  |                    Pipe through a command

[edit interfaces em0]

jadmin@JR-1# commit confirmed   // TO AVOID BEING LOCKED OUT USE commit confirmed

This firewall filter example allows HTTP/web traffic to the destination host 192.168.1.100/32 and discards other web traffic.

[edit interfaces em0]

jadmin@JR-1# top edit firewall family inet

[edit firewall family inet]

jadmin@JR-1# set filter web-in term allow-http from destination-address ?

Possible completions:

  <address>            Prefix to match

[edit firewall family inet]

jadmin@JR-1# set filter web-in term allow-http from destination-address 192.168.1.100/32

jadmin@JR-1# set filter web-in term allow-http from protocol ?

Possible completions:

  <range>              Range of values

  [                    Open a set of values

  ah                   IP Security authentication header

  dstopts              IPv6 destination options

  egp                  Exterior gateway protocol

  esp                  IPSec Encapsulating Security Payload

  fragment             IPv6 fragment header

  gre                  Generic routing encapsulation

  hop-by-hop           IPv6 hop-by-hop options

  icmp                 Internet Control Message Protocol

  icmp6                Internet Control Message Protocol Version 6

  igmp                 Internet Group Management Protocol

  ipip                 IP in IP

  ipv6                 IPv6 in IP

  no-next-header       IPv6 no next header

  ospf                 Open Shortest Path First

  pim                  Protocol Independent Multicast

  routing              IPv6 routing header

  rsvp                 Resource Reservation Protocol

  sctp                 Stream Control Transmission Protocol

  tcp                  Transmission Control Protocol

  udp                  User Datagram Protocol

  vrrp                 Virtual Router Redundancy Protocol

[edit firewall family inet]

jadmin@JR-1# set filter web-in term allow-http from protocol tcp ?

Possible completions:

  <[Enter]>            Execute this command

> address              Match IP source or destination address

+ apply-groups         Groups from which to inherit configuration data

+ apply-groups-except  Don't inherit configuration data from these groups

> destination-address  Match IP destination address

+ destination-port     Match TCP/UDP destination port

+ destination-port-except  Do not match TCP/UDP destination port

> destination-prefix-list  Match IP destination prefixes in named list

+ dscp                 Match Differentiated Services (DiffServ) code point

+ dscp-except          Do not match Differentiated Services (DiffServ) code point

+ esp-spi              Match IPSec ESP SPI value

+ esp-spi-except       Do not match IPSec ESP SPI value

  first-fragment       Match if packet is the first fragment

+ forwarding-class     Match forwarding class

+ forwarding-class-except  Do not match forwarding class

  fragment-flags       Match fragment flags (in symbolic or hex formats) - (Ingress only)

+ fragment-offset      Match fragment offset

+ fragment-offset-except  Do not match fragment offset

+ icmp-code            Match ICMP message code

+ icmp-code-except     Do not match ICMP message code

+ icmp-type            Match ICMP message type

+ icmp-type-except     Do not match ICMP message type

> interface            Match interface name

+ interface-group      Match interface group

+ interface-group-except  Do not match interface group

> interface-set        Match interface in set

+ ip-options           Match IP options

+ ip-options-except    Do not match IP options

  is-fragment          Match if packet is a fragment

+ packet-length        Match packet length

+ packet-length-except  Do not match packet length

+ port                 Match TCP/UDP source or destination port

+ port-except          Do not match TCP/UDP source or destination port

+ precedence           Match IP precedence value

+ precedence-except    Do not match IP precedence value

> prefix-list          Match IP source or destination prefixes in named list

+ protocol             Match IP protocol type

+ protocol-except      Do not match IP protocol type

  service-filter-hit   Match if service-filter-hit is set

> source-address       Match IP source address

+ source-port          Match TCP/UDP source port

+ source-port-except   Do not match TCP/UDP source port

> source-prefix-list   Match IP source prefixes in named list

  tcp-established      Match packet of an established TCP connection

  tcp-flags            Match TCP flags (in symbolic or hex formats)

  tcp-initial          Match initial packet of a TCP connection

+ ttl                  Match IP ttl type

+ ttl-except           Do not match IP ttl type

  |                    Pipe through a command

[edit firewall family inet]

jadmin@JR-1# set filter web-in term allow-http from protocol tcp port ?

Possible completions:

  <range>              Range of values

  [                    Open a set of values

  afs                  AFS

  bgp                  Border Gateway Protocol

  biff                 Biff/Comsat

  bootpc               Bootstrap protocol client

  bootps               Bootstrap protocol server

  cmd                  UNIX rsh

  cvspserver           CVS pserver

  dhcp                 Dynamic Host Configuration Protocol

  domain               Domain Name System (DNS)

  eklogin              Encrypted Kerberos rlogin

  ekshell              Encrypted Kerberos rsh

  exec                 UNIX rexec

  finger               Finger

  ftp                  FTP

  ftp-data             FTP data

  http                 Hypertext Transfer Protocol

  https                Secure HTTP

  ident                Ident

  imap                 Internet Message Access Protocol

  kerberos-sec         Kerberos Security

  klogin               Kerberos rlogin

  kpasswd              Kerberos passwd

  krb-prop             Kerberos database propagation

  krbupdate            Kerberos database update

  kshell               Kerberos rsh

  ldap                 Lightweight Directory Access Protocol

  ldp                  Label Distribution Protocol

  login                UNIX rlogin

  mobileip-agent       Mobile IP agent

  mobilip-mn           Mobile IP MN

  msdp                 Multicast Source Discovery Protocol

  netbios-dgm          NetBIOS DGM

  netbios-ns           NetBIOS name service

  netbios-ssn          NetBIOS session service

  nfsd                 Network File System

  nntp                 Network News Transport Protocol

  ntalk                New Talk

  ntp                  Network Time Protocol

  pop3                 Post Office Protocol 3

  pptp                 Point-to-Point Tunneling Protocol

  printer              Printer

  radacct              RADIUS accounting

  radius               RADIUS authentication

  rip                  Routing Information Protocol

  rkinit               Kerberos remote kinit

  smtp                 Simple Mail Transfer Protocol

  snmp                 Simple Network Management Protocol

  snmptrap             SNMP traps

  snpp                 Simple paging protocol

  socks                Socks

  ssh                  Secure shell

  sunrpc               Sun Microsystems remote procedure call

  syslog               System log

  tacacs               TACACS or TACACS+

  tacacs-ds            TACACS-DS

  talk                 UNIX Talk

  telnet               Telnet

  tftp                 Trivial FTP

  timed                UNIX time daemon

  who                  UNIX rwho

  xdmcp                X Display Manager Control Protocol

  zephyr-clt           Zephyr serv-hm connection

  zephyr-hm            Zephyr hostmanager

  zephyr-srv           Zephyr server

[edit firewall family inet]

jadmin@JR-1# set filter web-in term allow-http from protocol tcp port http

jadmin@JR-1# set filter web-in term block-other-http from protocol tcp port http

jadmin@JR-1# set filter web-in term block-other-http then discard

jadmin@JR-1# show

filter block-in {

    term block-source {

        from {

            source-address {

                10.10.10.0/24;

            }

        }

        then {

            count spoof-ip;

            discard;

        }

    }

    term allow-other {

        then accept;

    }

}

filter web-in {

    term allow-http {

        from {

            destination-address {

                192.168.1.100/32;

            }

            protocol tcp;

            port http;

        }

    }

    term block-other-http {

        from {

            protocol tcp;

            port http;

        }

        then {

            discard;

        }

    }

}

[edit firewall family inet]

This firewall filter example limits SSH traffic to the Routing Engine (RE).

[edit firewall family inet]

jadmin@JR-1# set filter limit-ssh-re term allow-ssh from source-prefix-list ?

Possible completions:

  <name>               Prefix list to match

[edit firewall family inet]

jadmin@JR-1# set filter limit-ssh-re term allow-ssh from source-prefix-list trust-ssh-list

jadmin@JR-1# set filter limit-ssh-re term allow-ssh from protocol tcp

jadmin@JR-1# set filter limit-ssh-re term allow-ssh from destination-port ssh

jadmin@JR-1# set filter limit-ssh-re term block-ssh from protocol tcp

jadmin@JR-1# set filter limit-ssh-re term block-ssh from destination-port ssh

jadmin@JR-1# set filter limit-ssh-re term block-ssh then discard

jadmin@JR-1# set filter limit-ssh-re term else-allow then accept

jadmin@JR-1# show

filter block-in {

    term block-source {

        from {

            source-address {

                10.10.10.0/24;

            }

        }

        then {

            count spoof-ip;

            discard;

        }

    }

    term allow-other {

        then accept;

    }

}

filter web-in {

    term allow-http {

        from {

            destination-address {

                192.168.1.100/32;

            }

            protocol tcp;

            port http;

        }

    }

    term block-other-http {

        from {

            protocol tcp;

            port http;

        }

        then {

            discard;

        }

    }

}

filter limit-ssh-re {

    term allow-ssh {

        from {

            source-prefix-list {

                trust-ssh-list; ## 'trust-ssh-list' is not defined

            }

            protocol tcp;

            destination-port ssh;

        }

    }

    term block-ssh {

        from {

            protocol tcp;

            destination-port ssh;

        }

        then {

            discard;

        }

    }

    term else-allow {     // ALLOW OTHER TRAFFIC: ROUTING PROTOCOL AND MANAGEMENT TRAFFIC TO RE (SNMP, NTP, ETC)

        then accept;

    }

}

[edit firewall family inet]

jadmin@JR-1# top edit interfaces lo0

jadmin@JR-1# set unit 0 family inet filter input ?

Possible completions:

  block-in             [firewall family inet filter]

  limit-ssh-re         [firewall family inet filter]

  web-in               [firewall family inet filter]

[edit interfaces lo0]

jadmin@JR-1# set unit 0 family inet filter input limit-ssh-re

[edit interfaces lo0]

jadmin@JR-1# show

unit 0 {

    family inet {

        filter {

            input limit-ssh-re;

        }

    }

}
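To make the building-block rules above concrete (terms evaluated in order, a term with no match conditions matching everything, the implicit final discard, the tcp-established synonym and the fragment caveat), here is a small Python model of the three filters this page builds: block-in, web-in and the limit-ssh-re filter just applied to lo0. It is an added illustration, not Junos code: the contents of trust-ssh-list, the host addresses and the packets are constructed, and a term without a then action is modelled as accepting the packet, which is what Junos does.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed lookup data for the simulation (not Junos internals).
PORTS = {"http": 80, "ssh": 22}
PREFIX_LISTS = {"trust-ssh-list": ["10.1.1.0/24"]}   # assumed contents; the page never defines the list
L4_KEYS = {"port", "source-port", "destination-port", "tcp-established"}

@dataclass
class Packet:
    src: str
    dst: str
    protocol: str                        # "tcp", "udp", "ospf", ...
    sport: Optional[int] = None
    dport: Optional[int] = None
    tcp_flags: frozenset = frozenset()   # e.g. frozenset({"ack"})
    fragment_offset: int = 0             # > 0: a non-first fragment, which carries no Layer 4 header

@dataclass
class Term:
    name: str
    match: dict = field(default_factory=dict)   # empty: the term matches every packet
    action: str = "accept"                      # Junos accepts when a term names no terminating action
    counter: Optional[str] = None               # the "count <name>" action modifier

def _in_prefixes(addr: str, prefixes) -> bool:
    return any(ip_address(addr) in ip_network(p) for p in prefixes)

def _matches(term: Term, pkt: Packet) -> bool:
    """Every match condition of the term must hold for the term to match."""
    for key, want in term.match.items():
        if key in L4_KEYS and pkt.fragment_offset > 0:
            # Only the first fragment carries the TCP/UDP header, so a Layer 4 condition
            # cannot be evaluated reliably on later fragments; this model treats it as a miss.
            return False
        if key == "source-address" and not _in_prefixes(pkt.src, want):
            return False
        if key == "destination-address" and not _in_prefixes(pkt.dst, want):
            return False
        if key == "source-prefix-list" and not _in_prefixes(pkt.src, PREFIX_LISTS[want]):
            return False
        if key == "protocol" and pkt.protocol != want:
            return False
        if key == "destination-port" and pkt.dport != PORTS.get(want, want):
            return False
        if key == "port" and PORTS.get(want, want) not in (pkt.sport, pkt.dport):
            return False
        if key == "tcp-established" and not (pkt.tcp_flags & {"ack", "rst"}):
            return False   # text synonym for "tcp-flags ack" or "tcp-flags rst"
    return True

def evaluate(terms, pkt: Packet, counters: dict):
    """Terms are tried in order and the first match decides; a packet that matches
    no term hits the implicit final term and is silently discarded."""
    for term in terms:
        if _matches(term, pkt):
            if term.counter:
                counters[term.counter] = counters.get(term.counter, 0) + 1
            return term.action, term.name
    return "discard", None

# The three filters built on this page, as ordered term lists.
BLOCK_IN = [
    Term("block-source", {"source-address": ["10.10.10.0/24"]}, "discard", counter="spoof-ip"),
    Term("allow-other"),
]
WEB_IN = [   # no final accept term, so anything that is not HTTP falls to the implicit discard
    Term("allow-http", {"destination-address": ["192.168.1.100/32"], "protocol": "tcp", "port": "http"}),
    Term("block-other-http", {"protocol": "tcp", "port": "http"}, "discard"),
]
LIMIT_SSH_RE = [
    Term("allow-ssh", {"source-prefix-list": "trust-ssh-list", "protocol": "tcp", "destination-port": "ssh"}),
    Term("block-ssh", {"protocol": "tcp", "destination-port": "ssh"}, "discard"),
    Term("else-allow"),   # routing-protocol and management traffic to the RE
]

def demo():
    """Runs constructed packets through the filters; returns (verdicts, counters)."""
    counters = {}
    web, other, re_addr = "192.168.1.100", "192.168.1.50", "10.1.1.1"
    verdicts = {
        "spoofed source via block-in": evaluate(BLOCK_IN, Packet("10.10.10.7", re_addr, "udp", 53, 53), counters),
        "http to web host": evaluate(WEB_IN, Packet("203.0.113.9", web, "tcp", 40000, 80), counters),
        "http to other host": evaluate(WEB_IN, Packet("203.0.113.9", other, "tcp", 40000, 80), counters),
        "dns via web-in": evaluate(WEB_IN, Packet("203.0.113.9", web, "udp", 40000, 53), counters),
        "http non-first fragment": evaluate(WEB_IN, Packet("203.0.113.9", web, "tcp", fragment_offset=185), counters),
        "ssh from trusted prefix": evaluate(LIMIT_SSH_RE, Packet("10.1.1.5", re_addr, "tcp", 50000, 22), counters),
        "ssh from elsewhere": evaluate(LIMIT_SSH_RE, Packet("203.0.113.9", re_addr, "tcp", 50000, 22), counters),
        "ospf hello to RE": evaluate(LIMIT_SSH_RE, Packet("10.1.1.2", "224.0.0.5", "ospf"), counters),
        "ospf hello, else-allow removed": evaluate(LIMIT_SSH_RE[:2], Packet("10.1.1.2", "224.0.0.5", "ospf"), counters),
    }
    return verdicts, counters

if __name__ == "__main__":
    for name, verdict in demo()[0].items():
        print(f"{name:32} -> {verdict}")
```

The last two verdicts show the lo0 point from earlier on the page: with the else-allow term removed, the OSPF hello to the Routing Engine matches no term and is silently discarded.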


Policing

Firewall filters can also police (rate-limit) traffic passing into or out of an interface. Junos OS policing employs the token-bucket algorithm, which enforces a limit on average bandwidth while allowing bursts up to a specified maximum. You can configure two rate limits for the traffic: bandwidth, which is the average number of bits per second permitted, and maximum burst size, which defines the total number of bytes the system allows in bursts of data that exceed the given bandwidth limit.

The preferred method for determining the maximum burst size is to multiply the speed of the interface by the length of the bursts you want to allow at that bandwidth level:

Burst size = bandwidth (100,000,000 bits per second) x allowable burst time (5 ms = 5/1000 s) = 500,000 bits
           = 500,000 bits / 8 (to convert into bytes) = 62,500 bytes

You specify the bandwidth as a number of bits per second using the bandwidth-limit statement, and the maximum burst size as a number of bytes using the burst-size-limit statement.

You can append k, m or g to a value to indicate one thousand, one million or one billion bits or bytes, respectively (for example, bandwidth-limit 10m is 10,000,000 bits per second).
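An added Python simulation (not Junos code) of the token-bucket policing described above, using the values of the police-10m policer configured below on this page: bandwidth-limit 10m, burst-size-limit 62500, and forwarding-class best-effort for packets that exceed the limits. The packet sizes and arrival times are constructed; the k/m/g suffix handling and the burst-size rule of thumb follow the text.

```python
SUFFIX = {"k": 1_000, "m": 1_000_000, "g": 1_000_000_000}

def parse_limit(text: str) -> int:
    """Expand the k/m/g suffix that bandwidth-limit and burst-size-limit accept."""
    text = text.strip().lower()
    if text[-1] in SUFFIX:
        return int(text[:-1]) * SUFFIX[text[-1]]
    return int(text)

def burst_size_bytes(bandwidth_bps: int, burst_time_ms: int) -> int:
    """The page's rule of thumb: interface speed x allowable burst time, converted to bytes."""
    return bandwidth_bps * burst_time_ms // 8000

class TokenBucketPolicer:
    """Single-rate token bucket: tokens are bytes, refilled at bandwidth-limit and
    capped at burst-size-limit. Time is kept in whole milliseconds so the
    arithmetic stays exact for the values used here."""

    def __init__(self, bandwidth_limit: str, burst_size_limit: str, exceed_action: str = "discard"):
        self.refill_per_ms = parse_limit(bandwidth_limit) / 8 / 1000   # bytes per millisecond
        self.capacity = parse_limit(burst_size_limit)
        self.tokens = float(self.capacity)                             # the bucket starts full
        self.last_ms = 0
        self.exceed_action = exceed_action                             # the policer's "then" action
        self.in_profile = 0
        self.out_of_profile = 0

    def police(self, now_ms: int, length: int) -> str:
        """Returns "accept" for an in-profile packet, else the exceed action."""
        elapsed = now_ms - self.last_ms
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_ms)
        self.last_ms = now_ms
        if length <= self.tokens:
            self.tokens -= length
            self.in_profile += 1
            return "accept"
        self.out_of_profile += 1          # an out-of-profile packet consumes no tokens
        return self.exceed_action

def run(policer: TokenBucketPolicer, packets) -> tuple:
    """packets: iterable of (time_ms, length_bytes); returns (in_profile, out_of_profile)."""
    for now_ms, length in packets:
        policer.police(now_ms, length)
    return policer.in_profile, policer.out_of_profile

def police_10m() -> TokenBucketPolicer:
    """The page's police-10m: bandwidth-limit 10m, burst-size-limit 62500 and
    forwarding-class best-effort for packets that exceed the limits."""
    return TokenBucketPolicer("10m", "62500", exceed_action="best-effort")

def demo_burst() -> tuple:
    """50 full-size packets arriving at once: the bucket holds 62500 bytes, so 41 pass."""
    return run(police_10m(), [(0, 1500)] * 50)

def demo_steady_12mbps() -> tuple:
    """1500-byte packets every 1 ms (12 Mbit/s) against a 10 Mbit/s limit: the bucket
    loses 250 bytes per packet until it is empty, after which one packet in six exceeds."""
    return run(police_10m(), [(ms, 1500) for ms in range(1000)])

def demo_steady_6mbps() -> tuple:
    """1500-byte packets every 2 ms (6 Mbit/s): the refill outpaces demand, nothing exceeds."""
    return run(police_10m(), [(2 * i, 1500) for i in range(500)])

if __name__ == "__main__":
    print("burst-size for 100 Mbit/s, 5 ms:", burst_size_bytes(100_000_000, 5), "bytes")
    print("burst of 50 x 1500 B:", demo_burst())
    print("12 Mbit/s for 1 s:", demo_steady_12mbps())
    print("6 Mbit/s for 1 s:", demo_steady_6mbps())
```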


[edit interfaces lo0]

jadmin@JR-1# top edit firewall

[edit firewall]

jadmin@JR-1# set policer ?

Possible completions:

  <policer-name>       Policer name

[edit firewall]

jadmin@JR-1# set policer police-10m ?

Possible completions:

+ apply-groups         Groups from which to inherit configuration data

+ apply-groups-except  Don't inherit configuration data from these groups

  filter-specific      Policer is filter-specific

> if-exceeding         Define rate limits

  logical-bandwidth-policer  Policer uses logical interface bandwidth

  logical-interface-policer  Policer is logical interface policer

> then                 Action to take if the rate limits are exceeded

[edit firewall]

jadmin@JR-1# set policer police-10m if-exceeding ?

Possible completions:

  <[Enter]>            Execute this command

+ apply-groups         Groups from which to inherit configuration data

+ apply-groups-except  Don't inherit configuration data from these groups

  bandwidth-limit      Bandwidth limit (32000..50000000000 bits per second)

  bandwidth-percent    Bandwidth limit in percentage (1..100 percent)

  burst-size-limit     Burst size limit (1500..100000000000 bytes)

  |                    Pipe through a command

[edit firewall]

jadmin@JR-1# set policer police-10m if-exceeding bandwidth-limit ?

Possible completions:

  <bandwidth-limit>    Bandwidth limit (32000..50000000000 bits per second)

[edit firewall]

jadmin@JR-1# set policer police-10m if-exceeding bandwidth-limit 10m

jadmin@JR-1# set policer police-10m if-exceeding burst-size-limit ?

Possible completions:

  <burst-size-limit>   Burst size limit (1500..100000000000 bytes)

[edit firewall]

jadmin@JR-1# set policer police-10m if-exceeding burst-size-limit 62500

jadmin@JR-1# set policer police-10m then ?

Possible completions:

+ apply-groups         Groups from which to inherit configuration data

+ apply-groups-except  Don't inherit configuration data from these groups

  discard              Discard the packet

  forwarding-class     Classify packet to forwarding class

  loss-priority        Packet's loss priority

[edit firewall]

jadmin@JR-1# set policer police-10m then forwarding-class ?

Possible completions:

  <forwarding-class>   Classify packet to forwarding class

  assured-forwarding

  best-effort

  expedited-forwarding

  network-control

[edit firewall]

jadmin@JR-1# set policer police-10m then forwarding-class best-effort

jadmin@JR-1# set family inet?

Possible completions:

> inet                 Protocol family IPv4 for firewall filter

> inet6                Protocol family IPv6 for firewall filter

[edit firewall]

jadmin@JR-1# set family inet ?

Possible completions:

+ apply-groups         Groups from which to inherit configuration data

+ apply-groups-except  Don't inherit configuration data from these groups

> filter               Define an IPv4 firewall filter

> prefix-action        Define a prefix action

> service-filter       One or more IPv4 service filters

[edit firewall]

jadmin@JR-1# set family inet filter ?

Possible completions:

  <filter-name>        Filter name

  block-in             Filter name

  limit-ssh-re         Filter name

  web-in               Filter name

[edit firewall]

jadmin@JR-1# set family inet filter police-filter ?

Possible completions:

+ accounting-profile   Accounting profile name

+ apply-groups         Groups from which to inherit configuration data

+ apply-groups-except  Don't inherit configuration data from these groups

  interface-specific   Defined counters are interface specific

> term                 Define a firewall term

[edit firewall]

jadmin@JR-1# set family inet filter police-filter term police-tcp from protocol tcp

 

jadmin@JR-1# set family inet filter police-filter term police-tcp then ?

Possible completions:

  accept               Accept the packet

+ apply-groups         Groups from which to inherit configuration data

+ apply-groups-except  Don't inherit configuration data from these groups

  count                Count the packet in the named counter

> discard              Discard the packet

  forwarding-class     Classify packet to forwarding class

  ipsec-sa             Use specified IPSec security association

  log                  Log the packet

> logical-system       Packets are directed to specified logical system

  loss-priority        Packet's loss priority

  next                 Continue to next term in a filter

  policer              Name of policer to use to rate-limit traffic

  port-mirror          Port-mirror the packet

  prefix-action        Police or count packets using named prefix action

> reject               Reject the packet

> routing-instance     Packets are directed to specified routing instance

  sample               Sample the packet

  service-accounting   Count the packets for service accounting

  service-filter-hit   Marked when packet processing by the current type of chained filters is done, the packet is directed to the next type of filters

  syslog               System log (syslog) information about the packet

> three-color-policer  Police the packet using a three-color-policer

  topology             Packets are directed to specified topology

[edit firewall]

jadmin@JR-1# set family inet filter police-filter term police-tcp then policer ?

Possible completions:

  <policer>            Name of policer to use to rate-limit traffic

  police-10m

[edit firewall]

jadmin@JR-1# set family inet filter police-filter term police-tcp then policer police-10m

 

jadmin@JR-1# set family inet filter police-filter term police-tcp then ?

Possible completions:

  accept               Accept the packet

+ apply-groups         Groups from which to inherit configuration data

+ apply-groups-except  Don't inherit configuration data from these groups

  count                Count the packet in the named counter

> discard              Discard the packet

  forwarding-class     Classify packet to forwarding class

  ipsec-sa             Use specified IPSec security association

  log                  Log the packet

> logical-system       Packets are directed to specified logical system

  loss-priority        Packet's loss priority

  next                 Continue to next term in a filter

  policer              Name of policer to use to rate-limit traffic

  port-mirror          Port-mirror the packet

  prefix-action        Police or count packets using named prefix action

> reject               Reject the packet

> routing-instance     Packets are directed to specified routing instance

  sample               Sample the packet

  service-accounting   Count the packets for service accounting

  service-filter-hit   Marked when packet processing by the current type of chained filters is done, the packet is directed to the next type of filters

  syslog               System log (syslog) information about the packet

> three-color-policer  Police the packet using a three-color-policer

  topology             Packets are directed to specified topology

[edit firewall]

jadmin@JR-1# set family inet filter police-filter term police-tcp then forwarding-class ?

Possible completions:

  <forwarding-class>   Classify packet to forwarding class

  assured-forwarding

  best-effort

  expedited-forwarding

  network-control

[edit firewall]

jadmin@JR-1# set family inet filter police-filter term police-tcp then forwarding-class assured-forwarding

 

jadmin@JR-1# set family inet filter police-filter term police-tcp then accept

 

[edit firewall]

jadmin@JR-1# show

family inet {

    filter block-in {

        term block-source {

            from {

                source-address {

                    10.10.10.0/24;

                }

            }

            then {

                count spoof-ip;

                discard;

            }

        }

        term allow-other {

            then accept;

        }

    }

    filter web-in {

        term allow-http {

            from {

                destination-address {

                    192.168.1.100/32;

                }

                protocol tcp;

                port http;

            }

        }

        term block-other-http {

            from {

                protocol tcp;

                port http;

            }

            then {

                discard;

            }

        }

    }

    filter limit-ssh-re {

        term allow-ssh {

            from {

                source-prefix-list {

                    trust-ssh-list; ## 'trust-ssh-list' is not defined

                }

                protocol tcp;

                destination-port ssh;

            }

        }

        term block-ssh {

            from {

                protocol tcp;

                destination-port ssh;

            }

            then {

                discard;

            }

        }

        term else-allow {

            then accept;

        }

    }

    filter police-filter {

        term police-tcp {

            from {

                protocol tcp;

            }

            then {

                policer police-10m;

                forwarding-class assured-forwarding;

                accept;

            }

        }

    }

}

policer police-10m {

    if-exceeding {

        bandwidth-limit 10m;

        burst-size-limit 62500;

    }

    then forwarding-class best-effort;

}

 

[edit firewall]

 

 

Automated Antispoof Filters (Unicast Reverse Path Forwarding - uRPF)

 

Unicast reverse path forwarding (uRPF) validates that a packet arrived on the interface where the system would expect to receive traffic from its source address. By default, the Junos OS expects to receive traffic on a given interface if it has an active route to the packet's source address and the packet arrived on the interface that is the next hop for that active route. You typically configure uRPF on an edge device.

 

Activating uRPF increases Packet Forwarding Engine (PFE) memory usage since the Junos OS accomplishes unicast RPF checks by downloading additional information to the PFE.

 

By default, the Junos OS runs the strict mode RPF check. You can also use loose mode RPF checks, which only verify that a valid route to the source address exists in the routing table. In general, strict mode provides the best results.

 

By default, the Junos OS only checks active paths to a given destination, which can cause legitimate traffic to be dropped when multiple network paths exist (asymmetric routing). Use the feasible-paths option to consider all feasible paths.

 

 

[edit firewall]

jadmin@JR-1# top edit routing-options

 

[edit routing-options]

jadmin@JR-1# set forwarding-table ?

Possible completions:

+ apply-groups         Groups from which to inherit configuration data

+ apply-groups-except  Don't inherit configuration data from these groups

+ export               Export policy

  indexed-next-hop     Krt new style indexed nexthop

  indirect-next-hop    Install indirect next hops in Packet Forwarding Engine

  no-indirect-next-hop  Don't install indirect next hops in Packet Forwarding Engine

  unicast-reverse-path  Unicast reverse path (RP) verification

[edit routing-options]

jadmin@JR-1# set forwarding-table unicast-reverse-path ?

Possible completions:

  active-paths         Consider active paths when performing RP verification

  feasible-paths       Consider all feasible paths for RP verification

[edit routing-options]

jadmin@JR-1# set forwarding-table unicast-reverse-path feasible-paths

 

[edit routing-options]

jadmin@JR-1# show

forwarding-table {

    unicast-reverse-path feasible-paths;

}

 

[edit routing-options]
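To make the strict/loose and active-paths/feasible-paths distinction concrete, here is an added example (not part of the original post) that models the uRPF decision over a constructed routing table; the prefixes, interface names and the `Route` class are assumptions made for the simulation, not Junos internals.

```python
"""uRPF decision simulator (added example, not Junos code).

Models the modes described above: strict vs loose, and active-paths vs
feasible-paths. The routing table below is constructed so that 10.1.0.0/16
has two paths but only one is active, which is the asymmetric-routing case
where strict mode with active-paths drops legitimate traffic.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Route:
    prefix: str      # destination prefix, e.g. "10.1.0.0/16"
    interface: str   # next-hop (outgoing) interface for this path
    active: bool     # True for the path installed in the forwarding table


# Constructed routing table (assumed values for the example).
ROUTES = [
    Route("10.1.0.0/16", "ge-0/0/0", active=True),
    Route("10.1.0.0/16", "ge-0/0/1", active=False),   # feasible, not active
    Route("192.168.5.0/24", "ge-0/0/2", active=True),
]


def longest_match(routes, src):
    """Return every route whose prefix is the longest match for src."""
    addr = ip_address(src)
    matches = [r for r in routes if addr in ip_network(r.prefix)]
    if not matches:
        return []
    best = max(ip_network(r.prefix).prefixlen for r in matches)
    return [r for r in matches if ip_network(r.prefix).prefixlen == best]


def urpf_check(routes, src, in_interface, mode="strict", paths="active-paths"):
    """Return True if the packet passes the RPF check, False if it fails.

    mode:  "strict" requires the ingress interface to be a next hop toward src;
           "loose" only requires that some route to src exists.
    paths: "active-paths" considers only installed paths;
           "feasible-paths" also considers the other feasible paths.
    """
    candidates = longest_match(routes, src)
    if not candidates:
        return False          # no route to the source fails in both modes
    if mode == "loose":
        return True           # a route exists, which is all loose mode asks
    if paths == "active-paths":
        candidates = [r for r in candidates if r.active]
    return any(r.interface == in_interface for r in candidates)


if __name__ == "__main__":
    # Same source, arriving on the non-active ECMP path: strict/active drops
    # it, strict/feasible-paths accepts it.
    for paths in ("active-paths", "feasible-paths"):
        ok = urpf_check(ROUTES, "10.1.2.3", "ge-0/0/1", paths=paths)
        print(f"strict {paths}: 10.1.2.3 on ge-0/0/1 -> {'pass' if ok else 'fail'}")
```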

 

 

Case Study: Stateless Firewall Filter

 

I initially tested ping, Telnet and SSH connectivity from JR1 to JR2.

 

jadmin@JR1> ping 172.20.2.1 count 5 rapid

PING 172.20.2.1 (172.20.2.1): 56 data bytes

!!!!!

--- 172.20.2.1 ping statistics ---

5 packets transmitted, 5 packets received, 0% packet loss

round-trip min/avg/max/stddev = 0.311/0.338/0.388/0.028 ms

 

 

jadmin@JR1> telnet 172.20.2.1

Trying 172.20.2.1...

Connected to 172.20.2.1.

Escape character is '^]'.

Juniper VM Lab - JR2

 

JR2 (ttyp1)

 

login: jadmin

Password:

 

--- JUNOS 12.1R1.9 built 2012-03-24 12:52:33 UTC

jadmin@JR2>

 

 

jadmin@JR1> ssh 172.20.2.1

The authenticity of host '172.20.2.1 (172.20.2.1)' can't be established.

ECDSA key fingerprint is 88:71:b7:cc:81:e6:65:d5:27:fc:7b:13:7a:18:51:ef.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '172.20.2.1' (ECDSA) to the list of known hosts.

Juniper VM Lab - JR2

jadmin@172.20.2.1's password:

--- JUNOS 12.1R1.9 built 2012-03-24 12:52:33 UTC

jadmin@JR2>

 

 

jadmin@JR2> configure

Entering configuration mode

Users currently editing the configuration:

  root terminal v0 (pid 1482) on since 2020-10-25 10:39:29 UTC, idle 01:40:00

      [edit system login]

 

[edit]

jadmin@JR2# edit firewall ?

Possible completions:

  <[Enter]>            Execute this command

> family               Protocol family

> filter               Define an IPv4 firewall filter

> hierarchical-policer  Hierarchical policer template definition

> interface-set        Interface set definition

> policer              Policer template definition

> three-color-policer  Three-color policer

  |                    Pipe through a command

[edit]

jadmin@JR2# edit firewall family ?

Possible completions:

> any                  Protocol-independent filter

> ccc                  Protocol family CCC for firewall filter

> inet                 Protocol family IPv4 for firewall filter

> inet6                Protocol family IPv6 for firewall filter

> mpls                 Protocol family MPLS for firewall filter

> vpls                 Protocol family VPLS for firewall filter

[edit]

jadmin@JR2# edit firewall family inet ?

Possible completions:

  <[Enter]>            Execute this command

> filter               Define an IPv4 firewall filter

> prefix-action        Define a prefix action

> service-filter       One or more IPv4 service filters

  |                    Pipe through a command

[edit]

jadmin@JR2# edit firewall family inet filter ?

Possible completions:

  <filter-name>        Filter name

[edit]

jadmin@JR2# edit firewall family inet filter input-filter-lo0

 

[edit firewall family inet filter input-filter-lo0]

jadmin@JR2# set term ?

Possible completions:

  <rule-name>          Term name

[edit firewall family inet filter input-filter-lo0]

jadmin@JR2# set term block-telnet ?

Possible completions:

+ apply-groups         Groups from which to inherit configuration data

+ apply-groups-except  Don't inherit configuration data from these groups

  filter               Filter to include

> from                 Define match criteria

> then                 Action to take if the 'from' condition is matched

[edit firewall family inet filter input-filter-lo0]

jadmin@JR2# set term block-telnet from ?

Possible completions:

> address              Match IP source or destination address

+ apply-groups         Groups from which to inherit configuration data

+ apply-groups-except  Don't inherit configuration data from these groups

> destination-address  Match IP destination address

+ destination-port     Match TCP/UDP destination port

+ destination-port-except  Do not match TCP/UDP destination port

> destination-prefix-list  Match IP destination prefixes in named list

+ dscp                 Match Differentiated Services (DiffServ) code point

+ dscp-except          Do not match Differentiated Services (DiffServ) code point

+ esp-spi              Match IPSec ESP SPI value

+ esp-spi-except       Do not match IPSec ESP SPI value

  first-fragment       Match if packet is the first fragment

+ forwarding-class     Match forwarding class

+ forwarding-class-except  Do not match forwarding class

  fragment-flags       Match fragment flags (in symbolic or hex formats) - (Ingress only)

+ fragment-offset      Match fragment offset

+ fragment-offset-except  Do not match fragment offset

+ icmp-code            Match ICMP message code

+ icmp-code-except     Do not match ICMP message code

+ icmp-type            Match ICMP message type

+ icmp-type-except     Do not match ICMP message type

> interface            Match interface name

+ interface-group      Match interface group

+ interface-group-except  Do not match interface group

> interface-set        Match interface in set

+ ip-options           Match IP options

+ ip-options-except    Do not match IP options

  is-fragment          Match if packet is a fragment

+ packet-length        Match packet length

+ packet-length-except  Do not match packet length

+ port                 Match TCP/UDP source or destination port

+ port-except          Do not match TCP/UDP source or destination port

+ precedence           Match IP precedence value

+ precedence-except    Do not match IP precedence value

> prefix-list          Match IP source or destination prefixes in named list

+ protocol             Match IP protocol type

+ protocol-except      Do not match IP protocol type

  service-filter-hit   Match if service-filter-hit is set

> source-address       Match IP source address

+ source-port          Match TCP/UDP source port

+ source-port-except   Do not match TCP/UDP source port

> source-prefix-list   Match IP source prefixes in named list

  tcp-established      Match packet of an established TCP connection

  tcp-flags            Match TCP flags (in symbolic or hex formats)

  tcp-initial          Match initial packet of a TCP connection

+ ttl                  Match IP ttl type

+ ttl-except           Do not match IP ttl type

[edit firewall family inet filter input-filter-lo0]

jadmin@JR2# set term block-telnet from protocol ?

Possible completions:

  <range>              Range of values

  [                    Open a set of values

  ah                   IP Security authentication header

  dstopts              IPv6 destination options

  egp                  Exterior gateway protocol

  esp                  IPSec Encapsulating Security Payload

  fragment             IPv6 fragment header

  gre                  Generic routing encapsulation

  hop-by-hop           IPv6 hop-by-hop options

  icmp                 Internet Control Message Protocol

  icmp6                Internet Control Message Protocol Version 6

  igmp                 Internet Group Management Protocol

  ipip                 IP in IP

  ipv6                 IPv6 in IP

  no-next-header       IPv6 no next header

  ospf                 Open Shortest Path First

  pim                  Protocol Independent Multicast

  routing              IPv6 routing header

  rsvp                 Resource Reservation Protocol

  sctp                 Stream Control Transmission Protocol

  tcp                  Transmission Control Protocol

  udp                  User Datagram Protocol

  vrrp                 Virtual Router Redundancy Protocol

[edit firewall family inet filter input-filter-lo0]

jadmin@JR2# set term block-telnet from protocol tcp

 

jadmin@JR2# set term block-telnet from destination-port ?

Possible completions:

  <range>              Range of values

  [                    Open a set of values

  afs                  AFS

  bgp                  Border Gateway Protocol

  biff                 Biff/Comsat

  bootpc               Bootstrap protocol client

  bootps               Bootstrap protocol server

  cmd                  UNIX rsh

  cvspserver           CVS pserver

  dhcp                 Dynamic Host Configuration Protocol

  domain               Domain Name System (DNS)

  eklogin              Encrypted Kerberos rlogin

  ekshell              Encrypted Kerberos rsh

  exec                 UNIX rexec

  finger               Finger

  ftp                  FTP

  ftp-data             FTP data

  http                 Hypertext Transfer Protocol

  https                Secure HTTP

  ident                Ident

  imap                 Internet Message Access Protocol

  kerberos-sec         Kerberos Security

  klogin               Kerberos rlogin

  kpasswd              Kerberos passwd

  krb-prop             Kerberos database propagation

  krbupdate            Kerberos database update

  kshell               Kerberos rsh

  ldap                 Lightweight Directory Access Protocol

  ldp                  Label Distribution Protocol

  login                UNIX rlogin

  mobileip-agent       Mobile IP agent

  mobilip-mn           Mobile IP MN

  msdp                 Multicast Source Discovery Protocol

  netbios-dgm          NetBIOS DGM

  netbios-ns           NetBIOS name service

  netbios-ssn          NetBIOS session service

  nfsd                 Network File System

  nntp                 Network News Transport Protocol

  ntalk                New Talk

  ntp                  Network Time Protocol

  pop3                 Post Office Protocol 3

  pptp                 Point-to-Point Tunneling Protocol

  printer              Printer

  radacct              RADIUS accounting

  radius               RADIUS authentication

  rip                  Routing Information Protocol

  rkinit               Kerberos remote kinit

  smtp                 Simple Mail Transfer Protocol

  snmp                 Simple Network Management Protocol

  snmptrap             SNMP traps

  snpp                 Simple paging protocol

  socks                Socks

  ssh                  Secure shell

  sunrpc               Sun Microsystems remote procedure call

  syslog               System log

  tacacs               TACACS or TACACS+

  tacacs-ds            TACACS-DS

  talk                 UNIX Talk

  telnet               Telnet

  tftp                 Trivial FTP

  timed                UNIX time daemon

  who                  UNIX rwho

  xdmcp                X Display Manager Control Protocol

  zephyr-clt           Zephyr serv-hm connection

  zephyr-hm            Zephyr hostmanager

  zephyr-srv           Zephyr server

[edit firewall family inet filter input-filter-lo0]

jadmin@JR2# set term block-telnet from destination-port telnet

 

jadmin@JR2# set term block-telnet then ?

Possible completions:

  accept               Accept the packet

+ apply-groups         Groups from which to inherit configuration data

+ apply-groups-except  Don't inherit configuration data from these groups

  count                Count the packet in the named counter

> discard              Discard the packet

  forwarding-class     Classify packet to forwarding class

  ipsec-sa             Use specified IPSec security association

  log                  Log the packet

> logical-system       Packets are directed to specified logical system

  loss-priority        Packet's loss priority

  next                 Continue to next term in a filter

  policer              Name of policer to use to rate-limit traffic

  port-mirror          Port-mirror the packet

  prefix-action        Police or count packets using named prefix action

> reject               Reject the packet

> routing-instance     Packets are directed to specified routing instance

  sample               Sample the packet

  service-accounting   Count the packets for service accounting

  service-filter-hit   Marked when packet processing by the current type of chained filters is done, the packet is directed to the next type of filters

  syslog               System log (syslog) information about the packet

> three-color-policer  Police the packet using a three-color-policer

  topology             Packets are directed to specified topology

[edit firewall family inet filter input-filter-lo0]

jadmin@JR2# set term block-telnet then discard

 

jadmin@JR2# set term block-icmp from protocol icmp

 

[edit firewall family inet filter input-filter-lo0]

jadmin@JR2# set term block-icmp from icmp-type ?

Possible completions:

  <range>              Range of values

  [                    Open a set of values

  echo-reply           Echo reply

  echo-request         Echo request

  info-reply           Informational reply

  info-request         Informational request

  mask-reply           Mask reply

  mask-request         Mask request

  parameter-problem    Parameter problem

  redirect             Redirect

  router-advertisement  Router advertisement

  router-solicit       Router solicit

  source-quench        Source quench

  time-exceeded        Time exceeded

  timestamp            Timestamp

  timestamp-reply      Timestamp reply

  unreachable          Unreachable

[edit firewall family inet filter input-filter-lo0]

jadmin@JR2# set term block-icmp from icmp-type echo-request

 

jadmin@JR2# set term block-icmp then discard

 

jadmin@JR2# set term else-accept then accept

 

jadmin@JR2# show

term block-telnet {

    from {

        protocol tcp;

        destination-port telnet;

    }

    then {

        discard;

    }

}

term block-icmp {

    from {

        protocol icmp;

        icmp-type echo-request;

    }

    then {

        discard;

    }

}

term else-accept {

    then accept;

}

 

 

[edit firewall family inet filter input-filter-lo0]

jadmin@JR2# top edit interfaces lo0.0

 

[edit interfaces lo0 unit 0]

jadmin@JR2# set family inet ?

Possible completions:

  <[Enter]>            Execute this command

> address              Interface address/destination prefix

+ apply-groups         Groups from which to inherit configuration data

+ apply-groups-except  Don't inherit configuration data from these groups

> filter               Packet filtering

  no-neighbor-learn    Disable neighbor address learning on interface

  no-redirects         Do not redirect traffic

> policer              Interface policing

  primary              Candidate for primary interface in system

> unnumbered-address   Unnumbered interface address/destination prefix

  |                    Pipe through a command

[edit interfaces lo0 unit 0]

jadmin@JR2# set family inet filter ?

Possible completions:

+ apply-groups         Groups from which to inherit configuration data

+ apply-groups-except  Don't inherit configuration data from these groups

  group                Group to which interface belongs (1..255)

> input                Filter to be applied to received packets

+ input-list           List of filter modules applied to received packets

> output               Filter to be applied to transmitted packets

+ output-list          List of filter modules applied to transmitted packets

[edit interfaces lo0 unit 0]

jadmin@JR2# set family inet filter input ?

Possible completions:

  input-filter-lo0     [firewall family inet filter]

[edit interfaces lo0 unit 0]

jadmin@JR2# set family inet filter input input-filter-lo0

 

[edit interfaces lo0 unit 0]

jadmin@JR2# show

family inet {

    filter {

        input input-filter-lo0;

    }

    address 172.20.2.1/32;

}

 

 

[edit interfaces lo0 unit 0]

jadmin@JR2# commit and-quit

commit complete

Exiting configuration mode

 

 

I tested again with the Firewall Filter policy applied on JR2. Notice only SSH traffic was allowed.

 

jadmin@JR1> ping 172.20.2.1

PING 172.20.2.1 (172.20.2.1): 56 data bytes

^C

--- 172.20.2.1 ping statistics ---

4 packets transmitted, 0 packets received, 100% packet loss

 

 

jadmin@JR1> telnet 172.20.2.1

Trying 172.20.2.1...

^C

 

 

jadmin@JR1> ssh 172.20.2.1

Juniper VM Lab - JR2

jadmin@172.20.2.1's password:

--- JUNOS 12.1R1.9 built 2012-03-24 12:52:33 UTC

 

 

Below are the configurations for JR1 and JR2, respectively.

 

JR2

 

edit firewall family inet filter input-filter-lo0

 

set term block-telnet from protocol tcp

 

set term block-telnet from destination-port telnet

 

set term block-telnet then discard

 

 

set term block-icmp from protocol icmp

 

set term block-icmp from icmp-type echo-request

 

set term block-icmp then discard

 

 

set term else-accept then accept

 

show

 

 

edit interfaces lo0.0

 

set family inet filter input input-filter-lo0

 

show

 

commit and-quit

 

 

show firewall counter filter input-filter-lo0 inbound-discarded

 

show firewall log

 

 

 

JR1

 

ping 172.20.2.1

 

telnet 172.20.2.1

 

ssh 172.20.2.1
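As an added example (not part of the original post), the following Python model evaluates the case study's input-filter-lo0 terms the way a stateless filter does: terms in order, first match wins, implicit discard at the end. The packets are constructed header dicts, and the port-name table and function names are assumptions for the simulation.

```python
"""Stateless firewall filter evaluator (added example, not Junos code).

Transcribes the case study's input-filter-lo0 into data and runs it against
constructed packets to reproduce the test results above: ping and Telnet
discarded, SSH accepted. Dropping the else-accept term shows the implicit
final discard, and an echo-reply packet shows that a stateless filter only
ever sees the direction you explicitly matched.
"""

# Constructed packets: only the header fields the filter inspects.
PACKETS = {
    "ping":       {"protocol": "icmp", "icmp-type": "echo-request"},
    "ping-reply": {"protocol": "icmp", "icmp-type": "echo-reply"},
    "telnet":     {"protocol": "tcp", "destination-port": 23},
    "ssh":        {"protocol": "tcp", "destination-port": 22},
}

# Symbolic port names as accepted by the Junos CLI (assumed subset).
PORT_NAMES = {"telnet": 23, "ssh": 22, "http": 80}

# The case study's filter, term order preserved; an absent 'from' matches all.
INPUT_FILTER_LO0 = [
    ("block-telnet", {"from": {"protocol": "tcp", "destination-port": "telnet"},
                      "then": "discard"}),
    ("block-icmp",   {"from": {"protocol": "icmp", "icmp-type": "echo-request"},
                      "then": "discard"}),
    ("else-accept",  {"then": "accept"}),
]


def term_matches(from_conditions, packet):
    """Every 'from' condition in a term must hold (logical AND)."""
    for field, wanted in from_conditions.items():
        if field == "destination-port":
            wanted = PORT_NAMES.get(wanted, wanted)   # resolve symbolic names
        if packet.get(field) != wanted:
            return False
    return True


def evaluate(filter_terms, packet):
    """Return (term_name, action) for the first matching term.

    No match falls through to the implicit final term, reported as
    (None, "discard"), which is what makes an else-accept term necessary.
    """
    for name, term in filter_terms:
        if term_matches(term.get("from", {}), packet):
            return name, term["then"]
    return None, "discard"


def run_case_study(filter_terms=INPUT_FILTER_LO0):
    """Map each constructed packet to the action the filter takes on it."""
    return {name: evaluate(filter_terms, pkt)[1] for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, terms in (("with else-accept", INPUT_FILTER_LO0),
                         ("without else-accept", INPUT_FILTER_LO0[:2])):
        print(label, run_case_study(terms))
```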

 

 
