Firewall Filters (ACL in Cisco)
The Junos OS firewall filters are stateless and are primarily used to control traffic passing through (transiting) the device. A stateless firewall filter examines each packet individually and has no concept of a connection. Because it keeps no connection state, you must explicitly allow traffic in both directions for each connection you want to permit. By contrast, a stateful firewall only requires you to permit the initial connection and then automatically permits the return traffic of that connection.
Building Blocks of Firewall Filters
Routing policies and firewall filters share a common structure but serve different purposes and have different match (from) and action (then) conditions.
As with routing policy, the fundamental building block of a firewall filter is a term. A firewall filter requires at least one term. A term contains zero or more match conditions and one or more actions. If all the match conditions are true, the Junos OS takes the action specified within the term. If no match conditions are specified, all traffic matches the firewall filter term and is subjected to the stated action.
A firewall filter always ends with an implicit default term that discards every packet not explicitly permitted by one of the defined terms (the implicit deny of a Cisco ACL). The order of the terms is very important and affects the result.
Fragment processing is more complicated with a stateless firewall filter than with a stateful one. The first fragment should carry the Layer 4 (TCP/UDP) header, but subsequent fragments do not. The Junos OS can still evaluate Layer 4 match conditions, but because the second and subsequent fragments do not contain that header information, such matches are unpredictable.
Categories of Match Conditions
Match conditions fall into three categories:
- Numeric range
- Address
- Bit-field match
A text synonym match condition is equivalent to one or more other match conditions. For example, the tcp-established match condition is a text synonym (alias) for the tcp-flags ack or the tcp-flags rst match conditions.
Common Actions
Common firewall filter actions include terminating actions, flow-control actions and action modifiers. Note that when you apply a firewall filter and traffic is not explicitly allowed by one of the defined terms, the filter discards it by default (silently dropping the packet without sending an ICMP unreachable message).
Terminating Actions:
- accept
- discard
- reject
Flow Control:
- next term
- next filter
Action Modifiers:
- count, log and syslog
- forwarding-class and loss-priority
- policer
Defining a Firewall Filter
Implementing a firewall filter takes two steps:
- Define the firewall filter under the edit firewall hierarchy level. Because the Junos OS supports multiple protocol families, define it under the appropriate family hierarchy level, e.g. edit firewall family inet for IPv4
- Apply the firewall filter to the transit interfaces, or to the lo0 logical interface if the traffic is destined for the system itself
The Junos OS does not automatically create "holes" in an lo0 firewall filter. Therefore, in addition to allowing management traffic, you must also allow routing-protocol and other control traffic to reach the Routing Engine (RE); otherwise the implicit silent discard of traffic not explicitly allowed by a term causes undesirable effects.
jadmin@JR-1> configure
Entering configuration mode
Users currently editing the configuration:
jadmin terminal v0 (pid 1480) on since 2020-10-21 12:35:46 SGT, idle 06:10:55
[edit]
jadmin terminal p0 (pid 5402) on since 2020-10-21 12:54:35 SGT, idle 05:27:06
[edit protocols ospf]
The configuration has been changed but not committed
[edit]
jadmin@JR-1# edit firewall ?
Possible completions:
<[Enter]> Execute this command
> family Protocol family
> filter Define an IPv4 firewall filter
> hierarchical-policer Hierarchical policer template definition
> interface-set Interface set definition
> policer Policer template definition
> three-color-policer Three-color policer
| Pipe through a command
[edit]
jadmin@JR-1# edit firewall family ?
Possible completions:
> any Protocol-independent filter
> ccc Protocol family CCC for firewall filter
> inet Protocol family IPv4 for firewall filter
> inet6 Protocol family IPv6 for firewall filter
> mpls Protocol family MPLS for firewall filter
> vpls Protocol family VPLS for firewall filter
[edit]
jadmin@JR-1# edit firewall family inet
[edit firewall family inet]
jadmin@JR-1# set filter ?
Possible completions:
<filter-name> Filter name
[edit firewall family inet]
jadmin@JR-1# set filter block-in ?
Possible completions:
+ accounting-profile Accounting profile name
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
interface-specific Defined counters are interface specific
> term Define a firewall term
[edit firewall family inet]
jadmin@JR-1# set filter block-in term ?
Possible completions:
<rule-name> Term name
[edit firewall family inet]
jadmin@JR-1# set filter block-in term block-source ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
filter Filter to include
> from Define match criteria
> then Action to take if the 'from' condition is matched
[edit firewall family inet]
jadmin@JR-1# set filter block-in term block-source from ?
Possible completions:
> address Match IP source or destination address
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> destination-address Match IP destination address
+ destination-port Match TCP/UDP destination port
+ destination-port-except Do not match TCP/UDP destination port
> destination-prefix-list Match IP destination prefixes in named list
+ dscp Match Differentiated Services (DiffServ) code point
+ dscp-except Do not match Differentiated Services (DiffServ) code point
+ esp-spi Match IPSec ESP SPI value
+ esp-spi-except Do not match IPSec ESP SPI value
first-fragment Match if packet is the first fragment
+ forwarding-class Match forwarding class
+ forwarding-class-except Do not match forwarding class
fragment-flags Match fragment flags (in symbolic or hex formats) - (Ingress only)
+ fragment-offset Match fragment offset
+ fragment-offset-except Do not match fragment offset
+ icmp-code Match ICMP message code
+ icmp-code-except Do not match ICMP message code
+ icmp-type Match ICMP message type
+ icmp-type-except Do not match ICMP message type
> interface Match interface name
+ interface-group Match interface group
+ interface-group-except Do not match interface group
> interface-set Match interface in set
+ ip-options Match IP options
+ ip-options-except Do not match IP options
is-fragment Match if packet is a fragment
+ packet-length Match packet length
+ packet-length-except Do not match packet length
+ port Match TCP/UDP source or destination port
+ port-except Do not match TCP/UDP source or destination port
+ precedence Match IP precedence value
+ precedence-except Do not match IP precedence value
> prefix-list Match IP source or destination prefixes in named list
+ protocol Match IP protocol type
+ protocol-except Do not match IP protocol type
service-filter-hit Match if service-filter-hit is set
> source-address Match IP source address
+ source-port Match TCP/UDP source port
+ source-port-except Do not match TCP/UDP source port
> source-prefix-list Match IP source prefixes in named list
tcp-established Match packet of an established TCP connection
tcp-flags Match TCP flags (in symbolic or hex formats)
tcp-initial Match initial packet of a TCP connection
+ ttl Match IP ttl type
+ ttl-except Do not match IP ttl type
[edit firewall family inet]
jadmin@JR-1# set filter block-in term block-source from source-address ?
Possible completions:
<address> Prefix to match
[edit firewall family inet]
jadmin@JR-1# set filter block-in term block-source from source-address 10.10.10.0/24
jadmin@JR-1# set filter block-in term block-source then ?
Possible completions:
accept Accept the packet
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
count Count the packet in the named counter
> discard Discard the packet
forwarding-class Classify packet to forwarding class
ipsec-sa Use specified IPSec security association
log Log the packet
> logical-system Packets are directed to specified logical system
loss-priority Packet's loss priority
next Continue to next term in a filter
policer Name of policer to use to rate-limit traffic
port-mirror Port-mirror the packet
prefix-action Police or count packets using named prefix action
> reject Reject the packet
> routing-instance Packets are directed to specified routing instance
sample Sample the packet
service-accounting Count the packets for service accounting
service-filter-hit Marked when packet processing by the current type of chained filters is done, the packet is directed to the next type of filters
syslog System log (syslog) information about the packet
> three-color-policer Police the packet using a three-color-policer
topology Packets are directed to specified topology
[edit firewall family inet]
jadmin@JR-1# set filter block-in term block-source then count ?
Possible completions:
<count> Count the packet in the named counter
[edit firewall family inet]
jadmin@JR-1# set filter block-in term block-source then count spoof-ip ?
Possible completions:
<[Enter]> Execute this command
accept Accept the packet
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> discard Discard the packet
forwarding-class Classify packet to forwarding class
ipsec-sa Use specified IPSec security association
log Log the packet
> logical-system Packets are directed to specified logical system
loss-priority Packet's loss priority
next Continue to next term in a filter
policer Name of policer to use to rate-limit traffic
port-mirror Port-mirror the packet
prefix-action Police or count packets using named prefix action
> reject Reject the packet
> routing-instance Packets are directed to specified routing instance
sample Sample the packet
service-accounting Count the packets for service accounting
service-filter-hit Marked when packet processing by the current type of chained filters is done, the packet is directed to the next type of filters
syslog System log (syslog) information about the packet
> three-color-policer Police the packet using a three-color-policer
topology Packets are directed to specified topology
| Pipe through a command
[edit firewall family inet]
jadmin@JR-1# set filter block-in term block-source then count spoof-ip discard
jadmin@JR-1# set filter block-in term allow-other then accept
[edit firewall family inet]
jadmin@JR-1# show
filter block-in {
term block-source {
from {
source-address {
10.10.10.0/24;
}
}
then {
count spoof-ip;
discard;
}
}
term allow-other {
then accept;
}
}
[edit firewall family inet]
[edit firewall family inet]
jadmin@JR-1# top edit interfaces em0
[edit interfaces em0]
jadmin@JR-1# set unit 0 family inet ?
Possible completions:
<[Enter]> Execute this command
> accounting Configure interface-based accounting options
> address Interface address/destination prefix
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> filter Packet filtering
mac-validate Validate source MAC address
mtu Protocol family maximum transmission unit
no-neighbor-learn Disable neighbor address learning on interface
no-redirects Do not redirect traffic
> policer Interface policing
primary Candidate for primary interface in system
> rpf-check Enable reverse-path-forwarding checks on this interface
> sampling Interface sampling
> service Service operations
> unnumbered-address Unnumbered interface address/destination prefix
| Pipe through a command
[edit interfaces em0]
jadmin@JR-1# set unit 0 family inet filter ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
group Group to which interface belongs (1..255)
> input Filter to be applied to received packets
+ input-list List of filter modules applied to received packets
> output Filter to be applied to transmitted packets
+ output-list List of filter modules applied to transmitted packets
[edit interfaces em0]
jadmin@JR-1# set unit 0 family inet filter input ?
Possible completions:
block-in [firewall family inet filter]
[edit interfaces em0]
jadmin@JR-1# set unit 0 family inet filter input block-in
[edit interfaces em0]
jadmin@JR-1# set unit 0 family inet filter output ?
Possible completions:
block-in [firewall family inet filter]
[edit interfaces em0]
jadmin@JR-1# set unit 0 family inet filter output block-out
[edit interfaces em0]
jadmin@JR-1# show
unit 0 {
family inet {
filter {
input block-in;
output block-out; ## reference 'block-out' not found
}
address 10.1.1.1/24;
}
}
[edit interfaces em0]
jadmin@JR-1# commit ?
Possible completions:
<[Enter]> Execute this command
and-quit Quit configuration mode if commit succeeds
at Time at which to activate configuration changes
check Check correctness of syntax; do not apply changes
comment Message to write to commit log
confirmed Automatically rollback if not confirmed
| Pipe through a command
[edit interfaces em0]
jadmin@JR-1# commit confirmed // TO AVOID BEING LOCKED OUT USE commit confirmed
The following firewall filter example allows HTTP/web traffic to the destination host 192.168.1.100/32 and discards web traffic to any other destination.
[edit interfaces em0]
jadmin@JR-1# top edit firewall family inet
[edit firewall family inet]
jadmin@JR-1# set filter web-in term allow-http from destination-address ?
Possible completions:
<address> Prefix to match
[edit firewall family inet]
jadmin@JR-1# set filter web-in term allow-http from destination-address 192.168.1.100/32
jadmin@JR-1# set filter web-in term allow-http from protocol ?
Possible completions:
<range> Range of values
[ Open a set of values
ah IP Security authentication header
dstopts IPv6 destination options
egp Exterior gateway protocol
esp IPSec Encapsulating Security Payload
fragment IPv6 fragment header
gre Generic routing encapsulation
hop-by-hop IPv6 hop-by-hop options
icmp Internet Control Message Protocol
icmp6 Internet Control Message Protocol Version 6
igmp Internet Group Management Protocol
ipip IP in IP
ipv6 IPv6 in IP
no-next-header IPv6 no next header
ospf Open Shortest Path First
pim Protocol Independent Multicast
routing IPv6 routing header
rsvp Resource Reservation Protocol
sctp Stream Control Transmission Protocol
tcp Transmission Control Protocol
udp User Datagram Protocol
vrrp Virtual Router Redundancy Protocol
[edit firewall family inet]
jadmin@JR-1# set filter web-in term allow-http from protocol tcp ?
Possible completions:
<[Enter]> Execute this command
> address Match IP source or destination address
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> destination-address Match IP destination address
+ destination-port Match TCP/UDP destination port
+ destination-port-except Do not match TCP/UDP destination port
> destination-prefix-list Match IP destination prefixes in named list
+ dscp Match Differentiated Services (DiffServ) code point
+ dscp-except Do not match Differentiated Services (DiffServ) code point
+ esp-spi Match IPSec ESP SPI value
+ esp-spi-except Do not match IPSec ESP SPI value
first-fragment Match if packet is the first fragment
+ forwarding-class Match forwarding class
+ forwarding-class-except Do not match forwarding class
fragment-flags Match fragment flags (in symbolic or hex formats) - (Ingress only)
+ fragment-offset Match fragment offset
+ fragment-offset-except Do not match fragment offset
+ icmp-code Match ICMP message code
+ icmp-code-except Do not match ICMP message code
+ icmp-type Match ICMP message type
+ icmp-type-except Do not match ICMP message type
> interface Match interface name
+ interface-group Match interface group
+ interface-group-except Do not match interface group
> interface-set Match interface in set
+ ip-options Match IP options
+ ip-options-except Do not match IP options
is-fragment Match if packet is a fragment
+ packet-length Match packet length
+ packet-length-except Do not match packet length
+ port Match TCP/UDP source or destination port
+ port-except Do not match TCP/UDP source or destination port
+ precedence Match IP precedence value
+ precedence-except Do not match IP precedence value
> prefix-list Match IP source or destination prefixes in named list
+ protocol Match IP protocol type
+ protocol-except Do not match IP protocol type
service-filter-hit Match if service-filter-hit is set
> source-address Match IP source address
+ source-port Match TCP/UDP source port
+ source-port-except Do not match TCP/UDP source port
> source-prefix-list Match IP source prefixes in named list
tcp-established Match packet of an established TCP connection
tcp-flags Match TCP flags (in symbolic or hex formats)
tcp-initial Match initial packet of a TCP connection
+ ttl Match IP ttl type
+ ttl-except Do not match IP ttl type
| Pipe through a command
[edit firewall family inet]
jadmin@JR-1# set filter web-in term allow-http from protocol tcp port ?
Possible completions:
<range> Range of values
[ Open a set of values
afs AFS
bgp Border Gateway Protocol
biff Biff/Comsat
bootpc Bootstrap protocol client
bootps Bootstrap protocol server
cmd UNIX rsh
cvspserver CVS pserver
dhcp Dynamic Host Configuration Protocol
domain Domain Name System (DNS)
eklogin Encrypted Kerberos rlogin
ekshell Encrypted Kerberos rsh
exec UNIX rexec
finger Finger
ftp FTP
ftp-data FTP data
http Hypertext Transfer Protocol
https Secure HTTP
ident Ident
imap Internet Message Access Protocol
kerberos-sec Kerberos Security
klogin Kerberos rlogin
kpasswd Kerberos passwd
krb-prop Kerberos database propagation
krbupdate Kerberos database update
kshell Kerberos rsh
ldap Lightweight Directory Access Protocol
ldp Label Distribution Protocol
login UNIX rlogin
mobileip-agent Mobile IP agent
mobilip-mn Mobile IP MN
msdp Multicast Source Discovery Protocol
netbios-dgm NetBIOS DGM
netbios-ns NetBIOS name service
netbios-ssn NetBIOS session service
nfsd Network File System
nntp Network News Transport Protocol
ntalk New Talk
ntp Network Time Protocol
pop3 Post Office Protocol 3
pptp Point-to-Point Tunneling Protocol
printer Printer
radacct RADIUS accounting
radius RADIUS authentication
rip Routing Information Protocol
rkinit Kerberos remote kinit
smtp Simple Mail Transfer Protocol
snmp Simple Network Management Protocol
snmptrap SNMP traps
snpp Simple paging protocol
socks Socks
ssh Secure shell
sunrpc Sun Microsystems remote procedure call
syslog System log
tacacs TACACS or TACACS+
tacacs-ds TACACS-DS
talk UNIX Talk
telnet Telnet
tftp Trivial FTP
timed UNIX time daemon
who UNIX rwho
xdmcp X Display Manager Control Protocol
zephyr-clt Zephyr serv-hm connection
zephyr-hm Zephyr hostmanager
zephyr-srv Zephyr server
[edit firewall family inet]
jadmin@JR-1# set filter web-in term allow-http from protocol tcp port http
jadmin@JR-1# set filter web-in term block-other-http from protocol tcp port http
jadmin@JR-1# set filter web-in term block-other-http then discard
jadmin@JR-1# show
filter block-in {
term block-source {
from {
source-address {
10.10.10.0/24;
}
}
then {
count spoof-ip;
discard;
}
}
term allow-other {
then accept;
}
}
filter web-in {
term allow-http {
from {
destination-address {
192.168.1.100/32;
}
protocol tcp;
port http;
}
}
term block-other-http {
from {
protocol tcp;
port http;
}
then {
discard;
}
}
}
[edit firewall family inet]
The following firewall filter example limits SSH traffic to the Routing Engine (RE).
[edit firewall family inet]
jadmin@JR-1# set filter limit-ssh-re term allow-ssh from source-prefix-list ?
Possible completions:
<name> Prefix list to match
[edit firewall family inet]
jadmin@JR-1# set filter limit-ssh-re term allow-ssh from source-prefix-list trust-ssh-list
jadmin@JR-1# set filter limit-ssh-re term allow-ssh from protocol tcp
jadmin@JR-1# set filter limit-ssh-re term allow-ssh from destination-port ssh
jadmin@JR-1# set filter limit-ssh-re term block-ssh from protocol tcp
jadmin@JR-1# set filter limit-ssh-re term block-ssh from destination-port ssh
jadmin@JR-1# set filter limit-ssh-re term block-ssh then discard
jadmin@JR-1# set filter limit-ssh-re term else-allow then accept
jadmin@JR-1# show
filter block-in {
term block-source {
from {
source-address {
10.10.10.0/24;
}
}
then {
count spoof-ip;
discard;
}
}
term allow-other {
then accept;
}
}
filter web-in {
term allow-http {
from {
destination-address {
192.168.1.100/32;
}
protocol tcp;
port http;
}
}
term block-other-http {
from {
protocol tcp;
port http;
}
then {
discard;
}
}
}
filter limit-ssh-re {
term allow-ssh {
from {
source-prefix-list {
trust-ssh-list; ## 'trust-ssh-list' is not defined
}
protocol tcp;
destination-port ssh;
}
}
term block-ssh {
from {
protocol tcp;
destination-port ssh;
}
then {
discard;
}
}
term else-allow { // ALLOW OTHER TRAFFIC: ROUTING PROTOCOL AND MANAGEMENT TRAFFIC TO RE (SNMP, NTP, ETC)
then accept;
}
}
[edit firewall family inet]
[edit firewall family inet]
jadmin@JR-1# top edit interfaces lo0
jadmin@JR-1# set unit 0 family inet filter input ?
Possible completions:
block-in [firewall family inet filter]
limit-ssh-re [firewall family inet filter]
web-in [firewall family inet filter]
[edit interfaces lo0]
jadmin@JR-1# set unit 0 family inet filter input limit-ssh-re
[edit interfaces lo0]
jadmin@JR-1# show
unit 0 {
family inet {
filter {
input limit-ssh-re;
}
}
}
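To make the term-processing rules concrete, here is an added Python simulation (not Junos code and not part of the original post) that evaluates packets against the block-in, web-in and limit-ssh-re filters as configured above: the first matching term wins, a term without a then action accepts, and anything unmatched hits the implicit discard. It also shows two points the transcripts do not: web-in has no final accept term, so non-HTTP traffic to the host is discarded by the implicit default term, and a non-first fragment carries no Layer 4 header, which the model treats as a failed port match. The contents of trust-ssh-list and the sample packets are constructed assumptions.

```python
"""Model of Junos-style stateless firewall filter term evaluation.

Added example, not Junos code. Terms are evaluated top-down; the first
matching term decides; a term with no 'then' accepts (Junos default);
a packet matching no term hits the implicit final discard.
"""
from ipaddress import ip_address, ip_network

# The page never defines trust-ssh-list, so this content is an assumption.
PREFIX_LISTS = {"trust-ssh-list": ["192.168.50.0/24"]}
COUNTERS = {}  # named counters incremented by 'then count <name>'


def _in_prefixes(addr, prefixes):
    return any(ip_address(addr) in ip_network(p) for p in prefixes)


def term_matches(term, pkt):
    """True when every 'from' condition matches; an empty 'from' matches all."""
    cond = term.get("from", {})
    if "source-address" in cond and not _in_prefixes(pkt["src"], cond["source-address"]):
        return False
    if "destination-address" in cond and not _in_prefixes(pkt["dst"], cond["destination-address"]):
        return False
    if "source-prefix-list" in cond and not _in_prefixes(
            pkt["src"], PREFIX_LISTS[cond["source-prefix-list"]]):
        return False
    if "protocol" in cond and pkt["proto"] != cond["protocol"]:
        return False
    for key in ("port", "destination-port", "source-port"):
        if key not in cond:
            continue
        # Layer 4 fields exist only in the first fragment; a later fragment
        # has no TCP/UDP header, so the model treats a port match as failed
        # (the text calls real hardware behaviour here unpredictable).
        if pkt["fragment_offset"] != 0:
            return False
        if key == "port":
            ports = {pkt["sport"], pkt["dport"]}   # 'port' = source OR destination
        elif key == "destination-port":
            ports = {pkt["dport"]}
        else:
            ports = {pkt["sport"]}
        if cond[key] not in ports:
            return False
    return True


def evaluate(terms, pkt):
    """Return (action, term_name); '<implicit>' marks the default discard."""
    for term in terms:
        if term_matches(term, pkt):
            then = term.get("then", {})
            if "count" in then:
                COUNTERS[then["count"]] = COUNTERS.get(then["count"], 0) + 1
            return then.get("action", "accept"), term["name"]
    return "discard", "<implicit>"


def packet(src, dst, proto="tcp", sport=40000, dport=80, fragment_offset=0):
    """Constructed packet summary; ports are only meaningful for tcp/udp."""
    return {"src": src, "dst": dst, "proto": proto, "sport": sport,
            "dport": dport, "fragment_offset": fragment_offset}


# Filters transcribed from the configuration shown above.
BLOCK_IN = [
    {"name": "block-source", "from": {"source-address": ["10.10.10.0/24"]},
     "then": {"count": "spoof-ip", "action": "discard"}},
    {"name": "allow-other", "then": {"action": "accept"}},
]
WEB_IN = [
    {"name": "allow-http",  # no 'then': Junos accepts by default
     "from": {"destination-address": ["192.168.1.100/32"], "protocol": "tcp", "port": 80}},
    {"name": "block-other-http", "from": {"protocol": "tcp", "port": 80},
     "then": {"action": "discard"}},
]
LIMIT_SSH_RE = [
    {"name": "allow-ssh",
     "from": {"source-prefix-list": "trust-ssh-list", "protocol": "tcp", "destination-port": 22}},
    {"name": "block-ssh", "from": {"protocol": "tcp", "destination-port": 22},
     "then": {"action": "discard"}},
    {"name": "else-allow", "then": {"action": "accept"}},
]

if __name__ == "__main__":
    cases = [
        ("block-in", BLOCK_IN, packet("10.10.10.5", "10.1.1.1")),
        ("web-in", WEB_IN, packet("198.51.100.7", "192.168.1.100")),
        ("web-in", WEB_IN, packet("198.51.100.7", "192.168.1.200")),
        ("web-in", WEB_IN, packet("198.51.100.7", "192.168.1.100", proto="udp", dport=53)),
        ("web-in", WEB_IN, packet("198.51.100.7", "192.168.1.100", fragment_offset=185)),
        ("limit-ssh-re", LIMIT_SSH_RE, packet("192.168.50.10", "10.1.1.1", dport=22)),
        ("limit-ssh-re", LIMIT_SSH_RE, packet("203.0.113.9", "10.1.1.1", dport=22)),
        ("limit-ssh-re", LIMIT_SSH_RE, packet("203.0.113.9", "10.1.1.1", proto="ospf")),
    ]
    for name, terms, pkt in cases:
        action, term = evaluate(terms, pkt)
        print(f"{name:13s} {pkt['src']:>14s} -> {pkt['dst']:<14s} {pkt['proto']:5s} {action:8s} via {term}")
    print("counters:", COUNTERS)
```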
Policing
Firewall filters can also police (rate-limit) traffic passing into or out of an interface. Junos OS policing uses the token-bucket algorithm, which enforces a limit on average bandwidth while allowing bursts up to a specified maximum size. You configure two rate limits for the traffic: the bandwidth, which is the number of bits per second permitted on average, and the maximum burst size, which defines the total number of bytes the system allows in bursts of data that exceed the given bandwidth limit.
The preferred method for determining the maximum burst size is to multiply the interface speed by the length of time you want to allow bursts at that bandwidth level:
Burst size = bandwidth (100,000,000 bits per second) x allowable burst time (5 ms = 5/1000 s) = 500,000 bits
= 500,000 bits / 8 (to convert to bytes) = 62,500 bytes
You specify the bandwidth as a number of bits per second using the bandwidth-limit statement. You specify the maximum burst size as a number of bytes using the burst-size-limit statement.
You can use the suffixes k (kbps), m (mbps) and g (gbps) to indicate one thousand, one million and one billion bits or bytes, respectively.
[edit interfaces lo0]
jadmin@JR-1# top edit firewall
[edit firewall]
jadmin@JR-1# set policer ?
Possible completions:
<policer-name> Policer name
[edit firewall]
jadmin@JR-1# set policer police-10m ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
filter-specific Policer is filter-specific
> if-exceeding Define rate limits
logical-bandwidth-policer Policer uses logical interface bandwidth
logical-interface-policer Policer is logical interface policer
> then Action to take if the rate limits are exceeded
[edit firewall]
jadmin@JR-1# set policer police-10m if-exceeding ?
Possible completions:
<[Enter]> Execute this command
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
bandwidth-limit Bandwidth limit (32000..50000000000 bits per second)
bandwidth-percent Bandwidth limit in percentage (1..100 percent)
burst-size-limit Burst size limit (1500..100000000000 bytes)
| Pipe through a command
[edit firewall]
jadmin@JR-1# set policer police-10m if-exceeding bandwidth-limit ?
Possible completions:
<bandwidth-limit> Bandwidth limit (32000..50000000000 bits per second)
[edit firewall]
jadmin@JR-1# set policer police-10m if-exceeding bandwidth-limit 10m
jadmin@JR-1# set policer police-10m if-exceeding burst-size-limit ?
Possible completions:
<burst-size-limit> Burst size limit (1500..100000000000 bytes)
[edit firewall]
jadmin@JR-1# set policer police-10m if-exceeding burst-size-limit 62500
jadmin@JR-1# set policer police-10m then ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
discard Discard the packet
forwarding-class Classify packet to forwarding class
loss-priority Packet's loss priority
[edit firewall]
jadmin@JR-1# set policer police-10m then forwarding-class ?
Possible completions:
<forwarding-class> Classify packet to forwarding class
assured-forwarding
best-effort
expedited-forwarding
network-control
[edit firewall]
jadmin@JR-1# set policer police-10m then forwarding-class best-effort
jadmin@JR-1# set family inet?
Possible completions:
> inet Protocol family IPv4 for firewall filter
> inet6 Protocol family IPv6 for firewall filter
[edit firewall]
jadmin@JR-1# set family inet ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> filter Define an IPv4 firewall filter
> prefix-action Define a prefix action
> service-filter One or more IPv4 service filters
[edit firewall]
jadmin@JR-1# set family inet filter ?
Possible completions:
<filter-name> Filter name
block-in Filter name
limit-ssh-re Filter name
web-in Filter name
[edit firewall]
jadmin@JR-1# set family inet filter police-filter ?
Possible completions:
+ accounting-profile Accounting profile name
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
interface-specific Defined counters are interface specific
> term Define a firewall term
[edit firewall]
jadmin@JR-1# set family inet filter police-filter term police-tcp from protocol tcp
jadmin@JR-1# set family inet filter police-filter term police-tcp then ?
Possible completions:
accept Accept the packet
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
count Count the packet in the named counter
> discard Discard the packet
forwarding-class Classify packet to forwarding class
ipsec-sa Use specified IPSec security association
log Log the packet
> logical-system Packets are directed to specified logical system
loss-priority Packet's loss priority
next Continue to next term in a filter
policer Name of policer to use to rate-limit traffic
port-mirror Port-mirror the packet
prefix-action Police or count packets using named prefix action
> reject Reject the packet
> routing-instance Packets are directed to specified routing instance
sample Sample the packet
service-accounting Count the packets for service accounting
service-filter-hit Marked when packet processing by the current type of chained filters is done, the packet is directed to the next type of filters
syslog System log (syslog) information about the packet
> three-color-policer Police the packet using a three-color-policer
topology Packets are directed to specified topology
[edit firewall]
jadmin@JR-1# set family inet filter police-filter term police-tcp then ?
Possible completions:
accept Accept the packet
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
count Count the packet in the named counter
> discard Discard the packet
forwarding-class Classify packet to forwarding class
ipsec-sa Use specified IPSec security association
log Log the packet
> logical-system Packets are directed to specified logical system
loss-priority Packet's loss priority
next Continue to next term in a filter
policer Name of policer to use to rate-limit traffic
port-mirror Port-mirror the packet
prefix-action Police or count packets using named prefix action
> reject Reject the packet
> routing-instance Packets are directed to specified routing instance
sample Sample the packet
service-accounting Count the packets for service accounting
service-filter-hit Marked when packet processing by the current type of chained filters is done, the packet is directed to the next type of filters
syslog System log (syslog) information about the packet
> three-color-policer Police the packet using a three-color-policer
topology Packets are directed to specified topology
[edit firewall]
jadmin@JR-1# set family inet filter police-filter term police-tcp then policer ?
Possible completions:
<policer> Name of policer to use to rate-limit traffic
police-10m
[edit firewall]
jadmin@JR-1# set family inet filter police-filter term police-tcp then policer police-10m
jadmin@JR-1# set family inet filter police-filter term police-tcp then ?
Possible completions:
accept Accept the packet
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
count Count the packet in the named counter
> discard Discard the packet
forwarding-class Classify packet to forwarding class
ipsec-sa Use specified IPSec security association
log Log the packet
> logical-system Packets are directed to specified logical system
loss-priority Packet's loss priority
next Continue to next term in a filter
policer Name of policer to use to rate-limit traffic
port-mirror Port-mirror the packet
prefix-action Police or count packets using named prefix action
> reject Reject the packet
> routing-instance Packets are directed to specified routing instance
sample Sample the packet
service-accounting Count the packets for service accounting
service-filter-hit Marked when packet processing by the current type of chained filters is done, the packet is directed to the next type of filters
syslog System log (syslog) information about the packet
> three-color-policer Police the packet using a three-color-policer
topology Packets are directed to specified topology
[edit firewall]
jadmin@JR-1# set family inet filter police-filter term police-tcp then forwarding-class ?
Possible completions:
<forwarding-class> Classify packet to forwarding class
assured-forwarding
best-effort
expedited-forwarding
network-control
[edit firewall]
jadmin@JR-1# set family inet filter police-filter term police-tcp then forwarding-class assured-forwarding
jadmin@JR-1# set family inet filter police-filter term police-tcp then accept
[edit firewall]
jadmin@JR-1# show
family inet {
filter block-in {
term block-source {
from {
source-address {
10.10.10.0/24;
}
}
then {
count spoof-ip;
discard;
}
}
term allow-other {
then accept;
}
}
filter web-in {
term allow-http {
from {
destination-address {
192.168.1.100/32;
}
protocol tcp;
port http;
}
}
term block-other-http {
from {
protocol tcp;
port http;
}
then {
discard;
}
}
}
filter limit-ssh-re {
term allow-ssh {
from {
source-prefix-list {
trust-ssh-list; ## 'trust-ssh-list' is not defined
}
protocol tcp;
destination-port ssh;
}
}
term block-ssh {
from {
protocol tcp;
destination-port ssh;
}
then {
discard;
}
}
term else-allow {
then accept;
}
}
filter police-filter {
term police-tcp {
from {
protocol tcp;
}
then {
policer police-10m;
forwarding-class assured-forwarding;
accept;
}
}
}
}
policer police-10m {
if-exceeding {
bandwidth-limit 10m;
burst-size-limit 62500;
}
then forwarding-class best-effort;
}
[edit firewall]
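As an added example (not Junos code and not part of the original post), the following Python model reproduces the burst-size calculation above and simulates the police-10m token bucket (bandwidth-limit 10m, burst-size-limit 62500) to show which packets of a burst stay in profile and which would receive the policer's then action (forwarding-class best-effort). The packet streams are constructed, and time is kept in integer microseconds so the arithmetic is exact.

```python
"""Token-bucket model of a Junos-style single-rate policer.

Added example, not Junos code. burst_size_bytes() follows the burst-size
derivation in the text; Policer models bandwidth-limit (bits/s) and
burst-size-limit (bytes) and reports which packets exceed the profile,
i.e. the packets police-10m would reclassify to best-effort.
"""

US_PER_S = 1_000_000


def burst_size_bytes(interface_bps, burst_time_ms):
    """bits/s x seconds = bits, then / 8 for bytes (100 Mbps, 5 ms -> 62500)."""
    return interface_bps * burst_time_ms // 1000 // 8


class Policer:
    def __init__(self, bandwidth_limit_bps, burst_size_limit_bytes):
        self.rate_bytes_per_s = bandwidth_limit_bps // 8
        self.capacity = burst_size_limit_bytes      # bucket depth = burst size
        self.tokens = burst_size_limit_bytes        # bucket starts full
        self.last_us = 0

    def offer(self, t_us, length):
        """Return True if a packet of `length` bytes at t_us is in profile."""
        # Credit earned at the committed rate since the last packet,
        # never accumulating beyond the burst size.
        earned = (t_us - self.last_us) * self.rate_bytes_per_s // US_PER_S
        self.tokens = min(self.capacity, self.tokens + earned)
        self.last_us = t_us
        if length <= self.tokens:
            self.tokens -= length
            return True
        return False            # out of profile: the policer 'then' action applies


def police(bandwidth_limit_bps, burst_size_limit_bytes, packets):
    """packets: iterable of (time_us, length_bytes). Returns per-packet verdicts."""
    p = Policer(bandwidth_limit_bps, burst_size_limit_bytes)
    return [p.offer(t, n) for t, n in packets]


def burst_then_idle():
    """Constructed: 50 x 1500-byte packets at once, then one packet 100 ms later."""
    pkts = [(0, 1500)] * 50 + [(100_000, 1500)]
    return police(10_000_000, 62_500, pkts)


def steady(rate_multiplier, count=200):
    """Constructed: 1250-byte packets spaced to run at rate_multiplier x 10 Mbps."""
    gap_us = 1000 // rate_multiplier      # 1250 B per 1 ms == 10 Mbps
    return police(10_000_000, 62_500, [(i * gap_us, 1250) for i in range(count)])


if __name__ == "__main__":
    print("burst size for 100 Mbps, 5 ms:", burst_size_bytes(100_000_000, 5))
    v = burst_then_idle()
    print("burst: in-profile", sum(v[:50]), "of 50; after 100 ms refill:", v[50])
    for m in (1, 2):
        v = steady(m)
        print(f"steady {m}x rate: {sum(v)} of {len(v)} packets in profile")
```

At exactly the committed rate every packet stays in profile; at twice the rate the bucket drains after its 62,500-byte credit and roughly every second packet is then marked out of profile.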
Automated Antispoof Filters (Unicast Reverse Path Forwarding - uRPF)
Unicast reverse path forwarding (uRPF) validates that a packet arrives on an interface on which the system would expect to receive traffic from that source address. By default, the Junos OS accepts a packet on a given interface only if it has an active route to the packet's source address and the interface the packet arrived on is the next hop of that active route, in other words the interface the router would itself use to reach the source. Packets with spoofed sources normally fail this test, which is why uRPF is typically configured on edge devices facing customers or the Internet.
Activating uRPF increases Packet Forwarding Engine (PFE) memory usage, because the Junos OS performs the check by downloading additional routing information to the PFE.
By default, the Junos OS runs the strict-mode RPF check. Loose mode only verifies that some route to the source address exists in the routing table, regardless of the interface the packet arrived on; it catches unrouted (bogon) sources but not spoofing of routable addresses. In general, strict mode provides the best protection where routing is symmetric.
By default, the Junos OS considers only the active path(s) back to the packet's source, which can cause legitimate traffic to be dropped when multiple network paths exist and routing is asymmetric. Use the feasible-paths option to consider all feasible paths. Note that the unicast-reverse-path statement under [edit routing-options forwarding-table] only selects which paths count as valid; the check itself is enabled per interface with rpf-check under [edit interfaces name unit n family inet], where mode loose selects loose mode (strict is the default).
[edit firewall]
jadmin@JR-1# top edit routing-options
[edit routing-options]
jadmin@JR-1# set forwarding-table ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
+ export Export policy
indexed-next-hop Krt new style indexed nexthop
indirect-next-hop Install indirect next hops in Packet Forwarding Engine
no-indirect-next-hop Don't install indirect next hops in Packet Forwarding Engine
unicast-reverse-path Unicast reverse path (RP) verification
[edit routing-options]
jadmin@JR-1# set forwarding-table unicast-reverse-path ?
Possible completions:
active-paths Consider active paths when performing RP verification
feasible-paths Consider all feasible paths for RP verification
[edit routing-options]
jadmin@JR-1# set forwarding-table unicast-reverse-path feasible-paths
[edit routing-options]
jadmin@JR-1# show
forwarding-table {
unicast-reverse-path feasible-paths;
}
[edit routing-options]
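The forwarding-table statement above only decides which paths count as valid; it does not switch the check on. The following is an added example that is not part of the original post, showing the complete uRPF setup on a customer-facing interface. The interface names ge-0/0/1 and ge-0/0/2, the filter name rpf-fail and the counter name rpf-failed are assumptions. It also shows the one exception almost every edge deployment needs: a fail filter is evaluated only against packets that have already failed the RPF check, and DHCP clients send with source address 0.0.0.0, which has no route and therefore never passes, so the fail filter rescues bootps and counts, logs and discards everything else.

```junos
## Added example; interface, filter and counter names are assumptions.

## 1. Path selection for the check (only needed where routing is asymmetric).
set routing-options forwarding-table unicast-reverse-path feasible-paths

## 2. Fail filter: seen only by packets that FAILED the RPF check.
##    DHCP DISCOVER/REQUEST from clients use source 0.0.0.0 (no route), so
##    rescue them here; everything else is spoofed or unroutable.
set firewall family inet filter rpf-fail term allow-dhcp from source-address 0.0.0.0/32
set firewall family inet filter rpf-fail term allow-dhcp from protocol udp
set firewall family inet filter rpf-fail term allow-dhcp from destination-port bootps
set firewall family inet filter rpf-fail term allow-dhcp then accept
set firewall family inet filter rpf-fail term drop-spoofed then count rpf-failed
set firewall family inet filter rpf-fail term drop-spoofed then syslog
set firewall family inet filter rpf-fail term drop-spoofed then discard

## 3. Enable the check on the customer-facing interface (strict mode is the default).
set interfaces ge-0/0/1 unit 0 family inet rpf-check fail-filter rpf-fail

## 4. Loose mode on an interface where asymmetric routing cannot be avoided:
##    only requires that some route to the source exists (catches bogons,
##    not spoofing of routable addresses).
set interfaces ge-0/0/2 unit 0 family inet rpf-check mode loose
set interfaces ge-0/0/2 unit 0 family inet rpf-check fail-filter rpf-fail

## Roll back automatically unless the commit is confirmed within 5 minutes,
## in case the check drops more than expected.
commit confirmed 5

## Verify: the counter increments for every source that failed the check.
run show firewall filter rpf-fail
```

Without a fail filter, a packet that fails the RPF check is simply dropped and leaves no trace; with one, the count and syslog actions give you both a number to graph and per-source evidence of who is spoofing, and the bootps term prevents the check from breaking DHCP relay on the same interface.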
Case Study: Stateless Firewall Filter
I initially tested ping, Telnet and SSH connectivity from JR1 to JR2.
jadmin@JR1> ping 172.20.2.1 count 5 rapid
PING 172.20.2.1 (172.20.2.1): 56 data bytes
!!!!!
--- 172.20.2.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.311/0.338/0.388/0.028 ms
jadmin@JR1> telnet 172.20.2.1
Trying 172.20.2.1...
Connected to 172.20.2.1.
Escape character is '^]'.
Juniper VM Lab - JR2
JR2 (ttyp1)
login: jadmin
Password:
--- JUNOS 12.1R1.9 built 2012-03-24 12:52:33 UTC
jadmin@JR2>
jadmin@JR1> ssh 172.20.2.1
The authenticity of host '172.20.2.1 (172.20.2.1)' can't be established.
ECDSA key fingerprint is 88:71:b7:cc:81:e6:65:d5:27:fc:7b:13:7a:18:51:ef.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.20.2.1' (ECDSA) to the list of known hosts.
Juniper VM Lab - JR2
jadmin@172.20.2.1's password:
--- JUNOS 12.1R1.9 built 2012-03-24 12:52:33 UTC
jadmin@JR2>
jadmin@JR2> configure
Entering configuration mode
Users currently editing the configuration:
root terminal v0 (pid 1482) on since 2020-10-25 10:39:29 UTC, idle 01:40:00
[edit system login]
[edit]
jadmin@JR2# edit firewall ?
Possible completions:
<[Enter]> Execute this command
> family Protocol family
> filter Define an IPv4 firewall filter
> hierarchical-policer Hierarchical policer template definition
> interface-set Interface set definition
> policer Policer template definition
> three-color-policer Three-color policer
| Pipe through a command
[edit]
jadmin@JR2# edit firewall family ?
Possible completions:
> any Protocol-independent filter
> ccc Protocol family CCC for firewall filter
> inet Protocol family IPv4 for firewall filter
> inet6 Protocol family IPv6 for firewall filter
> mpls Protocol family MPLS for firewall filter
> vpls Protocol family VPLS for firewall filter
[edit]
jadmin@JR2# edit firewall family inet ?
Possible completions:
<[Enter]> Execute this command
> filter Define an IPv4 firewall filter
> prefix-action Define a prefix action
> service-filter One or more IPv4 service filters
| Pipe through a command
[edit]
jadmin@JR2# edit firewall family inet filter ?
Possible completions:
<filter-name> Filter name
[edit]
jadmin@JR2# edit firewall family inet filter input-filter-lo0
[edit firewall family inet filter input-filter-lo0]
jadmin@JR2# set term ?
Possible completions:
<rule-name> Term name
[edit firewall family inet filter input-filter-lo0]
jadmin@JR2# set term block-telnet ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
filter Filter to include
> from Define match criteria
> then Action to take if the 'from' condition is matched
[edit firewall family inet filter input-filter-lo0]
jadmin@JR2# set term block-telnet from ?
Possible completions:
> address Match IP source or destination address
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> destination-address Match IP destination address
+ destination-port Match TCP/UDP destination port
+ destination-port-except Do not match TCP/UDP destination port
> destination-prefix-list Match IP destination prefixes in named list
+ dscp Match Differentiated Services (DiffServ) code point
+ dscp-except Do not match Differentiated Services (DiffServ) code point
+ esp-spi Match IPSec ESP SPI value
+ esp-spi-except Do not match IPSec ESP SPI value
first-fragment Match if packet is the first fragment
+ forwarding-class Match forwarding class
+ forwarding-class-except Do not match forwarding class
fragment-flags Match fragment flags (in symbolic or hex formats) - (Ingress only)
+ fragment-offset Match fragment offset
+ fragment-offset-except Do not match fragment offset
+ icmp-code Match ICMP message code
+ icmp-code-except Do not match ICMP message code
+ icmp-type Match ICMP message type
+ icmp-type-except Do not match ICMP message type
> interface Match interface name
+ interface-group Match interface group
+ interface-group-except Do not match interface group
> interface-set Match interface in set
+ ip-options Match IP options
+ ip-options-except Do not match IP options
is-fragment Match if packet is a fragment
+ packet-length Match packet length
+ packet-length-except Do not match packet length
+ port Match TCP/UDP source or destination port
+ port-except Do not match TCP/UDP source or destination port
+ precedence Match IP precedence value
+ precedence-except Do not match IP precedence value
> prefix-list Match IP source or destination prefixes in named list
+ protocol Match IP protocol type
+ protocol-except Do not match IP protocol type
service-filter-hit Match if service-filter-hit is set
> source-address Match IP source address
+ source-port Match TCP/UDP source port
+ source-port-except Do not match TCP/UDP source port
> source-prefix-list Match IP source prefixes in named list
tcp-established Match packet of an established TCP connection
tcp-flags Match TCP flags (in symbolic or hex formats)
tcp-initial Match initial packet of a TCP connection
+ ttl Match IP ttl type
+ ttl-except Do not match IP ttl type
[edit firewall family inet filter input-filter-lo0]
jadmin@JR2# set term block-telnet from protocol ?
Possible completions:
<range> Range of values
[ Open a set of values
ah IP Security authentication header
dstopts IPv6 destination options
egp Exterior gateway protocol
esp IPSec Encapsulating Security Payload
fragment IPv6 fragment header
gre Generic routing encapsulation
hop-by-hop IPv6 hop-by-hop options
icmp Internet Control Message Protocol
icmp6 Internet Control Message Protocol Version 6
igmp Internet Group Management Protocol
ipip IP in IP
ipv6 IPv6 in IP
no-next-header IPv6 no next header
ospf Open Shortest Path First
pim Protocol Independent Multicast
routing IPv6 routing header
rsvp Resource Reservation Protocol
sctp Stream Control Transmission Protocol
tcp Transmission Control Protocol
udp User Datagram Protocol
vrrp Virtual Router Redundancy Protocol
[edit firewall family inet filter input-filter-lo0]
jadmin@JR2# set term block-telnet from protocol tcp
jadmin@JR2# set term block-telnet from destination-port ?
Possible completions:
<range> Range of values
[ Open a set of values
afs AFS
bgp Border Gateway Protocol
biff Biff/Comsat
bootpc Bootstrap protocol client
bootps Bootstrap protocol server
cmd UNIX rsh
cvspserver CVS pserver
dhcp Dynamic Host Configuration Protocol
domain Domain Name System (DNS)
eklogin Encrypted Kerberos rlogin
ekshell Encrypted Kerberos rsh
exec UNIX rexec
finger Finger
ftp FTP
ftp-data FTP data
http Hypertext Transfer Protocol
https Secure HTTP
ident Ident
imap Internet Message Access Protocol
kerberos-sec Kerberos Security
klogin Kerberos rlogin
kpasswd Kerberos passwd
krb-prop Kerberos database propagation
krbupdate Kerberos database update
kshell Kerberos rsh
ldap Lightweight Directory Access Protocol
ldp Label Distribution Protocol
login UNIX rlogin
mobileip-agent Mobile IP agent
mobilip-mn Mobile IP MN
msdp Multicast Source Discovery Protocol
netbios-dgm NetBIOS DGM
netbios-ns NetBIOS name service
netbios-ssn NetBIOS session service
nfsd Network File System
nntp Network News Transport Protocol
ntalk New Talk
ntp Network Time Protocol
pop3 Post Office Protocol 3
pptp Point-to-Point Tunneling Protocol
printer Printer
radacct RADIUS accounting
radius RADIUS authentication
rip Routing Information Protocol
rkinit Kerberos remote kinit
smtp Simple Mail Transfer Protocol
snmp Simple Network Management Protocol
snmptrap SNMP traps
snpp Simple paging protocol
socks Socks
ssh Secure shell
sunrpc Sun Microsystems remote procedure call
syslog System log
tacacs TACACS or TACACS+
tacacs-ds TACACS-DS
talk UNIX Talk
telnet Telnet
tftp Trivial FTP
timed UNIX time daemon
who UNIX rwho
xdmcp X Display Manager Control Protocol
zephyr-clt Zephyr serv-hm connection
zephyr-hm Zephyr hostmanager
zephyr-srv Zephyr server
[edit firewall family inet filter input-filter-lo0]
jadmin@JR2# set term block-telnet from destination-port telnet
jadmin@JR2# set term block-telnet then ?
Possible completions:
accept Accept the packet
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
count Count the packet in the named counter
> discard Discard the packet
forwarding-class Classify packet to forwarding class
ipsec-sa Use specified IPSec security association
log Log the packet
> logical-system Packets are directed to specified logical system
loss-priority Packet's loss priority
next Continue to next term in a filter
policer Name of policer to use to rate-limit traffic
port-mirror Port-mirror the packet
prefix-action Police or count packets using named prefix action
> reject Reject the packet
> routing-instance Packets are directed to specified routing instance
sample Sample the packet
service-accounting Count the packets for service accounting
service-filter-hit Marked when packet processing by the current type of chained filters is done, the packet is directed to the next type of filters
syslog System log (syslog) information about the packet
> three-color-policer Police the packet using a three-color-policer
topology Packets are directed to specified topology
[edit firewall family inet filter input-filter-lo0]
jadmin@JR2# set term block-telnet then discard
jadmin@JR2# set term block-icmp from protocol icmp
[edit firewall family inet filter input-filter-lo0]
jadmin@JR2# set term block-icmp from icmp-type ?
Possible completions:
<range> Range of values
[ Open a set of values
echo-reply Echo reply
echo-request Echo request
info-reply Informational reply
info-request Informational request
mask-reply Mask reply
mask-request Mask request
parameter-problem Parameter problem
redirect Redirect
router-advertisement Router advertisement
router-solicit Router solicit
source-quench Source quench
time-exceeded Time exceeded
timestamp Timestamp
timestamp-reply Timestamp reply
unreachable Unreachable
[edit firewall family inet filter input-filter-lo0]
jadmin@JR2# set term block-icmp from icmp-type echo-request
jadmin@JR2# set term block-icmp then discard
jadmin@JR2# set term else-accept then accept
jadmin@JR2# show
term block-telnet {
from {
protocol tcp;
destination-port telnet;
}
then {
discard;
}
}
term block-icmp {
from {
protocol icmp;
icmp-type echo-request;
}
then {
discard;
}
}
term else-accept {
then accept;
}
[edit firewall family inet filter input-filter-lo0]
jadmin@JR2# top edit interfaces lo0.0
[edit interfaces lo0 unit 0]
jadmin@JR2# set family inet ?
Possible completions:
<[Enter]> Execute this command
> address Interface address/destination prefix
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> filter Packet filtering
no-neighbor-learn Disable neighbor address learning on interface
no-redirects Do not redirect traffic
> policer Interface policing
primary Candidate for primary interface in system
> unnumbered-address Unnumbered interface address/destination prefix
| Pipe through a command
[edit interfaces lo0 unit 0]
jadmin@JR2# set family inet filter ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
group Group to which interface belongs (1..255)
> input Filter to be applied to received packets
+ input-list List of filter modules applied to received packets
> output Filter to be applied to transmitted packets
+ output-list List of filter modules applied to transmitted packets
[edit interfaces lo0 unit 0]
jadmin@JR2# set family inet filter input ?
Possible completions:
input-filter-lo0 [firewall family inet filter]
[edit interfaces lo0 unit 0]
jadmin@JR2# set family inet filter input input-filter-lo0
[edit interfaces lo0 unit 0]
jadmin@JR2# show
family inet {
filter {
input input-filter-lo0;
}
address 172.20.2.1/32;
}
[edit interfaces lo0 unit 0]
jadmin@JR2# commit and-quit
commit complete
Exiting configuration mode
I tested again with the Firewall Filter policy applied on JR2. Notice only SSH traffic was allowed.
jadmin@JR1> ping 172.20.2.1
PING 172.20.2.1 (172.20.2.1): 56 data bytes
^C
--- 172.20.2.1 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
jadmin@JR1> telnet 172.20.2.1
Trying 172.20.2.1...
^C
jadmin@JR1> ssh 172.20.2.1
Juniper VM Lab - JR2
jadmin@172.20.2.1's password:
--- JUNOS 12.1R1.9 built 2012-03-24 12:52:33 UTC
Below are the commands used on JR2 and JR1, respectively.
JR2
edit firewall family inet filter input-filter-lo0
set term block-telnet from protocol tcp
set term block-telnet from destination-port telnet
set term block-telnet then discard
set term block-icmp from protocol icmp
set term block-icmp from icmp-type echo-request
set term block-icmp then discard
set term else-accept then accept
show
edit interfaces lo0.0
set family inet filter input input-filter-lo0
show
commit and-quit
show firewall counter filter input-filter-lo0 inbound-discarded
show firewall log
Note that input-filter-lo0 as configured above has neither a count nor a log action, so these two commands return nothing. For the counter and the firewall log to populate, add "then count inbound-discarded" and "then log" to the block-telnet and block-icmp terms before committing.
JR1
ping 172.20.2.1
telnet 172.20.2.1
ssh 172.20.2.1
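The case-study filter is a blocklist: it ends in else-accept, so every service not explicitly named (NTP, SNMP, BGP, anything else listening on the Routing Engine) stays reachable from every source, and the earlier prefix list trust-ssh-list was referenced but never defined. As an added example that is not part of the original post, the following rebuilds input-filter-lo0 as an allowlist with a default deny; the prefix-list contents, the policer values and the counter name are assumptions. Two stateless-filter details matter here: replies to TCP sessions that JR2 itself opens must be allowed explicitly (tcp-established), and the old filter must be deleted first, because set commands append new terms after the existing else-accept term, which would then accept everything before the deny term is ever reached.

```junos
## Added example; prefix-list contents, policer values and counter names are assumptions.
## Sources allowed to manage the box.
set policy-options prefix-list trust-ssh-list 172.20.1.0/24

## Rate-limit ICMP to the Routing Engine instead of dropping it outright.
set firewall policer icmp-1m if-exceeding bandwidth-limit 1m
set firewall policer icmp-1m if-exceeding burst-size-limit 15k
set firewall policer icmp-1m then discard

## Start from scratch: appending terms to the existing filter would leave
## else-accept in front of the new deny term.
delete firewall family inet filter input-filter-lo0
edit firewall family inet filter input-filter-lo0

## 1. SSH only from trusted sources (Telnet is simply not listed).
set term allow-ssh from source-prefix-list trust-ssh-list
set term allow-ssh from protocol tcp
set term allow-ssh from destination-port ssh
set term allow-ssh then accept

## 2. Stateless: replies to sessions JR2 itself initiates (ssh/telnet out,
##    RADIUS, etc.) carry ACK or RST and must be permitted explicitly.
set term allow-established from protocol tcp
set term allow-established from tcp-established
set term allow-established then accept

## 3. ICMP, policed rather than blocked (keeps ping and PMTUD working).
set term allow-icmp from protocol icmp
set term allow-icmp then policer icmp-1m
set term allow-icmp then accept

## (add terms here for any routing protocol the box runs, e.g. ospf or bgp)

## 4. Everything else: count, log and silently drop. "reject" would answer
##    with ICMP unreachable / TCP RST and confirm the box exists to a scanner.
set term default-deny then count inbound-discarded
set term default-deny then log
set term default-deny then discard
top

set interfaces lo0 unit 0 family inet filter input input-filter-lo0

## A mistake in a lo0 filter locks you out of the box: auto-rollback unless
## the commit is confirmed within 5 minutes.
commit confirmed 5

run show firewall counter filter input-filter-lo0 inbound-discarded
run show firewall log
```

With this filter in place the earlier test behaves the same (ping answered, Telnet hangs, SSH prompts for a password), but now the same holds for every other port on the RE, and the inbound-discarded counter and firewall log show exactly what was dropped and from where. A filter on lo0 only protects traffic destined to the Routing Engine; transit traffic through JR2 is untouched and needs its own filters on the transit interfaces.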