For best results, use the following sections to plan the purpose
and contents of a stateless firewall filter before starting configuration.
Strategy for a Typical Stateless Firewall Filter
A primary goal of a typical stateless firewall filter is to
protect the Routing Engine processes and resources from malicious
or untrusted packets. You can configure a firewall filter like the
sample filter protect-RE to restrict traffic destined for
the Routing Engine based on its source, protocol, and application.
In addition, you can limit the traffic rate of packets destined for
the Routing Engine to protect against flood, or denial-of-service (DoS), attacks.
You can configure a stateless firewall filter like the sample
filter fragment-filter to address special circumstances associated
with fragmented packets destined for the Routing Engine. Because the device evaluates
every packet against a firewall filter (including fragments), you
must configure the filter to accommodate fragments that do not contain
packet header information. Otherwise, the filter discards all but
the first fragment of a fragmented packet.
Configuring a Routing Engine Firewall Filter for Services and
Protocols from Trusted Sources
The following example shows how to create a stateless firewall
filter, protect-RE, that discards all traffic destined for
the Routing Engine, except SSH and BGP protocol packets from specified
trusted sources. Table 230 lists the terms that are configured in this sample filter.
Table 230: Sample Stateless Firewall Filter protect-RE Terms to Allow Packets from Trusted Sources

Term: ssh-term
Purpose: Accepts TCP packets with a source address of 192.168.122.0/24 and a destination port that specifies SSH.

Term: bgp-term
Purpose: Accepts TCP packets with a source address of 10.2.1.0/24 and a destination port that specifies the BGP protocol.

Term: discard-rest-term
Purpose: For all packets that are not accepted by ssh-term or bgp-term, creates a firewall filter log and system logging records, then discards all packets. To view the log, enter the show firewall log operational mode command. (For more information, see Displaying Stateless Firewall Filter Logs.)
By applying firewall filter protect-RE to the Routing
Engine, you specify which protocols and services, or applications,
are allowed to reach the Routing Engine, and you ensure the packets
are from a trusted source. This protects processes running on the
Routing Engine from an external attack.
To use the configuration editor to configure the stateless firewall
filter:
Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
Perform the configuration
tasks described in Table 231.
If you are finished configuring the router, commit
the configuration.
Table 231: Configuring a Protocols and Services Firewall Filter for the Routing Engine
(For each task, J-Web gives the J-Web Configuration Editor steps and CLI gives the CLI Configuration Editor commands.)

Task: Navigate to the Firewall level in the configuration hierarchy.
J-Web: In the J-Web interface, select Configuration>View and Edit>Edit Configuration. Next to Firewall, click Configure or Edit.
CLI: From the [edit] hierarchy level, enter
    edit firewall

Task: Define protect-RE and ssh-term, and define the protocol, destination port, and source address match conditions.
J-Web:
    Next to Filter, click Add new entry.
    In the Filter name box, type protect-RE.
    Next to Term, click Add New Entry.
    In the Rule name box, type ssh-term.
    Next to From, click Configure.
    In the Protocol choice list, select Protocol.
    Next to Protocol, click Add new entry.
    In the Value keyword list, select tcp.
    Click OK.
    In the Destination port choice list, select Destination port.
    Next to Destination port, click Add new entry.
    In the Value keyword list, select ssh.
    Click OK.
    Next to Source address, click Add new entry.
    In the Address box, type 192.168.122.0/24.
    Click OK twice.
CLI: Set the term name and define the match conditions:
    set family inet filter protect-RE term ssh-term from protocol tcp destination-port ssh source-address 192.168.122.0/24

Task: Define the actions for ssh-term.
J-Web:
    On the Term ssh-term page, next to Then, click Configure.
    In the Designation list, select Accept.
    Click OK twice.
CLI: Set the actions:
    set family inet filter protect-RE term ssh-term then accept

Task: Define bgp-term, and define the protocol, destination port, and source address match conditions.
J-Web:
    On the Filter protect-RE page, next to Term, click Add New Entry.
    In the Rule name box, type bgp-term.
    Next to From, click Configure.
    In the Protocol choice list, select Protocol.
    Next to Protocol, click Add new entry.
    In the Value keyword list, select tcp.
    Click OK.
    In the Destination port choice list, select Destination port.
    Next to Destination port, click Add new entry.
    In the Value keyword list, select bgp.
    Click OK.
    Next to Source address, click Add new entry.
    In the Address box, type 10.2.1.0/24.
    Click OK twice.
CLI: Set the term name and define the match conditions:
    set family inet filter protect-RE term bgp-term from protocol tcp destination-port bgp source-address 10.2.1.0/24

Task: Define the action for bgp-term.
J-Web:
    On the Term bgp-term page, next to Then, click Configure.
    In the Designation list, select Accept.
    Click OK twice.
CLI: Set the action:
    set family inet filter protect-RE term bgp-term then accept

Task: Define discard-rest-term and its action.
J-Web:
    On the Filter protect-RE page, next to Term, click Add New Entry.
    In the Rule name box, type discard-rest-term.
    Next to Then, click Configure.
    Next to Log, select the check box.
    Next to Syslog, select the check box.
    In the Designation list, select Discard.
    Click OK four times.
CLI: Set the term name and define its actions:
    set family inet filter protect-RE term discard-rest-term then log syslog discard
Configuring a Routing Engine Firewall Filter to Protect Against
TCP and ICMP Floods
The procedure in this section creates a sample stateless firewall
filter, protect-RE, that limits certain TCP and ICMP traffic
destined for the Routing Engine. A router without this kind of protection
is vulnerable to TCP and ICMP flood attacks—also called denial-of-service
(DoS) attacks. For example:
A TCP flood attack of SYN packets initiating connection
requests can so overwhelm the device that it can no longer
process legitimate connection requests, resulting in denial of service.
An ICMP flood can overload the device with
so many echo requests (ping requests) that it expends all its resources
responding and can no longer process valid network traffic, also resulting
in denial of service.
Applying a firewall filter like protect-RE to the Routing
Engine protects against these types of attacks.
For each term in the sample filter, you first create a policer
and then incorporate it into the action of the term. For more information
about firewall filter policers, see the JUNOS Policy Framework Configuration Guide.
If you want to include the terms created in this procedure in
the protect-RE firewall filter configured in the previous
section (see Configuring a Routing Engine Firewall Filter for Services and
Protocols from Trusted Sources), perform the configuration tasks in this section first, then configure
the terms as described in the previous section. This approach ensures
that the rate-limiting terms are included as the first two terms in
the firewall filter.
Note:
You can move terms within a firewall filter by using the insert CLI command. For more information, see the JUNOS CLI User Guide.
Table 232 lists
the terms that are configured in this sample filter.
Table 232: Sample Stateless Firewall Filter protect-RE Terms to Protect Against Floods

Term: tcp-connection-term
Purpose: Polices the following types of TCP packets with a source address of 192.168.122.0/24 or 10.2.1.0/24:
    Connection request packets (SYN and ACK flag bits equal 1 and 0)
    Connection release packets (FIN flag bit equals 1)
    Connection reset packets (RST flag bit equals 1)
Policer: tcp-connection-policer. Limits the traffic rate and burst size of these TCP packets to 500,000 bps and 15,000 bytes. Packets that exceed the traffic rate are discarded.

Term: icmp-term
Purpose: Polices the following types of ICMP packets. All are counted in counter icmp-counter.
    Echo request packets
    Echo response packets
    Unreachable packets
    Time-exceeded packets
Policer: icmp-policer. Limits the traffic rate and burst size of these ICMP packets to 1,000,000 bps and 15,000 bytes. Packets that exceed the traffic rate are discarded.
To use the configuration editor to configure the policers and
the stateless firewall filter:
Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
To configure the
firewall filter policers, perform the configuration tasks described
in Table 233.
To configure the prefix lists and the firewall
filter, perform the configuration tasks described in Table 234.
If you are finished configuring the router, commit
the configuration.
Task: Navigate to the Firewall level in the configuration hierarchy.
J-Web: In the J-Web interface, select Configuration>View and Edit>Edit Configuration. Next to Firewall, click Configure or Edit.
CLI: From the [edit] hierarchy level, enter
    edit firewall

Task: Define tcp-connection-policer and set its rate limits. The burst size limit can be from 1,500 bytes through 100,000,000 bytes. The bandwidth limit can be from 32,000 bps through 32,000,000,000 bps. Use the following abbreviations when specifying these limits: k (1000), m (1,000,000), g (1,000,000,000).
J-Web:
    Next to Policer, click Add new entry.
    In the Policer name box, type tcp-connection-policer.
    Next to Filter specific, select the check box.
    Next to If Exceeding, select the check box and click Configure.
    In the Burst size limit box, type 15k.
    In the Bandwidth list, select Bandwidth limit.
    In the Bandwidth limit box, type 500k.
    Click OK.
CLI: Set the policer name and its rate limits:
    set policer tcp-connection-policer filter-specific if-exceeding burst-size-limit 15k bandwidth-limit 500k

Task: Define the policer action for tcp-connection-policer.
J-Web:
    On the Policer tcp-connection-policer page, next to Then, click Configure.
    Next to Discard, select the check box.
    Click OK twice.
CLI: Set the policer action:
    set policer tcp-connection-policer then discard

Task: Define icmp-policer and set its rate limits. The burst size limit can be from 1,500 bytes through 100,000,000 bytes. The bandwidth limit can be from 32,000 bps through 32,000,000,000 bps. Use the following abbreviations when specifying these limits: k (1000), m (1,000,000), g (1,000,000,000).
J-Web:
    On the Firewall page, next to Policer, click Add new entry.
    In the Policer name box, type icmp-policer.
    Next to Filter specific, select the check box.
    Next to If Exceeding, select the check box and click Configure.
    In the Burst size limit box, type 15k.
    In the Bandwidth list, select Bandwidth limit.
    In the Bandwidth limit box, type 1m.
    Click OK.
CLI: Set the policer name and its rate limits:
    set policer icmp-policer filter-specific if-exceeding burst-size-limit 15k bandwidth-limit 1m

Task: Define the policer action for icmp-policer.
J-Web:
    On the Policer icmp-policer page, next to Then, click Configure.
    Next to Discard, select the check box.
    Click OK three times.
CLI: Set the policer action:
    set policer icmp-policer then discard
Table 234: Configuring a TCP and ICMP Flood Firewall Filter for the Routing Engine
(For each task, J-Web gives the J-Web Configuration Editor steps and CLI gives the CLI Configuration Editor commands.)

Task: Navigate to the Policy options level in the configuration hierarchy.
J-Web: In the J-Web interface, select Configuration>View and Edit>Edit Configuration. Next to Policy options, click Configure or Edit.
CLI: From the [edit] hierarchy level, enter
    edit policy-options

Task: Define the prefix list trusted-addresses.
J-Web:
    Next to Prefix list, click Add new entry.
    In the Name box, type trusted-addresses.
    Next to Prefix list item, click Add new entry.
    In the Prefix box, type 192.168.122.0/24.
    Click OK.
    Next to Prefix list item, click Add new entry.
    In the Prefix box, type 10.2.1.0/24.
    Click OK three times.
CLI: Set the prefix list:
    set prefix-list trusted-addresses 192.168.122.0/24
    set prefix-list trusted-addresses 10.2.1.0/24

Task: Navigate to the Firewall level in the configuration hierarchy.
J-Web: On the main Configuration page, next to Firewall, click Configure or Edit.
CLI: From the [edit] hierarchy level, enter
    edit firewall

Task: Define protect-RE and tcp-connection-term, and define the source prefix list match condition.
J-Web:
    Next to Filter, click Add new entry.
    In the Filter name box, type protect-RE.
    Next to Term, click Add New Entry.
    In the Rule name box, type tcp-connection-term.
    Next to From, click Configure.
    Next to Source prefix list, click Add new entry.
    In the Name box, type trusted-addresses.
    Click OK.
CLI: Set the term name and define the source address match condition:
    set family inet filter protect-RE term tcp-connection-term from source-prefix-list trusted-addresses

Task: Define the TCP flags and protocol match conditions for tcp-connection-term.
J-Web:
    In the TCP flags box, type (syn & !ack) | fin | rst.
    In the Protocol choice list, select Protocol.
    Next to Protocol, click Add new entry.
    In the Value keyword list, select tcp.
    Click OK.
CLI: Set the TCP flags and protocol match conditions for the term:
    set family inet filter protect-RE term tcp-connection-term from protocol tcp tcp-flags "(syn & !ack) | fin | rst"

Task: Define the actions for tcp-connection-term.
J-Web:
    On the Term tcp-connection-term page, next to Then, click Configure.
    In the Policer box, type tcp-connection-policer.
    In the Designation list, select Accept.
    Click OK twice.
CLI: Set the actions:
    set family inet filter protect-RE term tcp-connection-term then policer tcp-connection-policer accept

Task: Define icmp-term, and define the protocol.
J-Web:
    On the Filter protect-RE page, next to Term, click Add New Entry.
    In the Rule name box, type icmp-term.
    Next to From, click Configure.
    In the Protocol choice list, select Protocol.
    Next to Protocol, click Add new entry.
    In the Value keyword list, select icmp.
    Click OK.
CLI: Set the term name and define the protocol:
    set family inet filter protect-RE term icmp-term from protocol icmp

Task: Define the ICMP type match conditions.
J-Web:
    In the Icmp type choice list, select Icmp type.
    Next to Icmp type, click Add new entry.
    In the Value keyword list, select echo-request.
    Click OK.
    Next to Icmp type, click Add new entry.
    In the Value keyword list, select echo-reply.
    Click OK.
    Next to Icmp type, click Add new entry.
    In the Value keyword list, select unreachable.
    Click OK.
    Next to Icmp type, click Add new entry.
    In the Value keyword list, select time-exceeded.
    Click OK.
CLI: Set the ICMP type match conditions:
    set family inet filter protect-RE term icmp-term from icmp-type [echo-request echo-reply unreachable time-exceeded]

Task: Define the actions for icmp-term.
J-Web:
    On the icmp-term page, next to Then, click Configure.
    In the Count box, type icmp-counter.
    In the Policer box, type icmp-policer.
    In the Designation list, select Accept.
    Click OK four times.
CLI: Set the actions:
    set family inet filter protect-RE term icmp-term then policer icmp-policer count icmp-counter accept
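The two procedures above build protect-RE in pieces. As an added example, not text or configuration from the guide, here is the complete filter that results from following the flood-protection procedure first and the trusted-source procedure second, entered from the top of the hierarchy rather than from [edit firewall]. Every name, address and limit is the one used in Tables 230 through 234. The insert commands at the end use the standard JUNOS insert syntax that the note above refers to but does not show; they reorder an existing filter instead of re-creating it. Lines beginning with # are explanatory and are not commands.

```junos
# Added example: policers, prefix list and the combined protect-RE filter
# (names and limits are those used in Tables 230 through 234).
set policy-options prefix-list trusted-addresses 192.168.122.0/24
set policy-options prefix-list trusted-addresses 10.2.1.0/24

set firewall policer tcp-connection-policer filter-specific
set firewall policer tcp-connection-policer if-exceeding bandwidth-limit 500k
set firewall policer tcp-connection-policer if-exceeding burst-size-limit 15k
set firewall policer tcp-connection-policer then discard

set firewall policer icmp-policer filter-specific
set firewall policer icmp-policer if-exceeding bandwidth-limit 1m
set firewall policer icmp-policer if-exceeding burst-size-limit 15k
set firewall policer icmp-policer then discard

# Rate-limiting terms first, so a flood is policed before any accept term sees it.
set firewall family inet filter protect-RE term tcp-connection-term from source-prefix-list trusted-addresses
set firewall family inet filter protect-RE term tcp-connection-term from protocol tcp
set firewall family inet filter protect-RE term tcp-connection-term from tcp-flags "(syn & !ack) | fin | rst"
set firewall family inet filter protect-RE term tcp-connection-term then policer tcp-connection-policer
set firewall family inet filter protect-RE term tcp-connection-term then accept

set firewall family inet filter protect-RE term icmp-term from protocol icmp
set firewall family inet filter protect-RE term icmp-term from icmp-type [ echo-request echo-reply unreachable time-exceeded ]
set firewall family inet filter protect-RE term icmp-term then policer icmp-policer
set firewall family inet filter protect-RE term icmp-term then count icmp-counter
set firewall family inet filter protect-RE term icmp-term then accept

# Trusted-source terms (Table 231), then the logging catch-all discard.
set firewall family inet filter protect-RE term ssh-term from source-address 192.168.122.0/24
set firewall family inet filter protect-RE term ssh-term from protocol tcp
set firewall family inet filter protect-RE term ssh-term from destination-port ssh
set firewall family inet filter protect-RE term ssh-term then accept

set firewall family inet filter protect-RE term bgp-term from source-address 10.2.1.0/24
set firewall family inet filter protect-RE term bgp-term from protocol tcp
set firewall family inet filter protect-RE term bgp-term from destination-port bgp
set firewall family inet filter protect-RE term bgp-term then accept

set firewall family inet filter protect-RE term discard-rest-term then log
set firewall family inet filter protect-RE term discard-rest-term then syslog
set firewall family inet filter protect-RE term discard-rest-term then discard

# If ssh-term and bgp-term were committed before the policing terms, move the
# policing terms ahead of them rather than deleting and re-creating the filter.
insert firewall family inet filter protect-RE term tcp-connection-term before term ssh-term
insert firewall family inet filter protect-RE term icmp-term before term ssh-term
```

Terms are evaluated in order and accept is a terminating action, so with this order a SYN, FIN or RST segment from trusted-addresses that conforms to tcp-connection-policer is accepted by tcp-connection-term whatever its destination port, and never reaches ssh-term, bgp-term or discard-rest-term. The port restriction therefore applies only to the other TCP segments of those sources and to all other sources; after the commit, the show firewall log output shows what discard-rest-term is actually dropping.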
Configuring a Routing Engine Firewall Filter to Handle Fragments
The procedure in this section creates a sample stateless firewall
filter, fragment-RE, that handles fragmented packets destined
for the Routing Engine. By applying fragment-RE to the Routing
Engine, you protect against the use of IP fragmentation as a means
to disguise TCP packets from a firewall filter.
Table 235 lists the terms that are configured in this sample filter.

Term: small-offset-term
Purpose: Discards IP packets with a fragment offset of 1 through 5, and adds a record to the system logging facility.

Term: not-fragmented-term
Purpose: Accepts unfragmented TCP packets with a source address of 10.2.1.0/24 and a destination port that specifies the BGP protocol. A packet is considered unfragmented if its MF flag and its fragment offset in the TCP header equal 0.

Term: first-fragment-term
Purpose: Accepts the first fragment of a fragmented TCP packet with a source address of 10.2.1.0/24 and a destination port that specifies the BGP protocol.

Term: fragment-term
Purpose: Accepts all packet fragments with an offset of 6 through 8191.
For example, consider an IP packet that is fragmented into
the smallest allowable fragment size of 8 bytes (a 20-byte IP header
plus an 8-byte payload). If this IP packet carries a TCP packet, the
first fragment (fragment offset of 0) that arrives at the device contains
only the TCP source and destination ports (first 4 bytes), and the
sequence number (next 4 bytes). The TCP flags, which are contained
in the next 8 bytes of the TCP header, arrive in the second fragment
(fragment offset of 1). The fragment-RE filter works
as follows:
Term small-offset-term discards small offset
packets to ensure that subsequent terms in the firewall filter can
be matched against all the headers in the packet.
Term fragment-term accepts all fragments that
were not discarded by small-offset-term. However, only those
fragments that are part of a packet containing a first fragment accepted
by first-fragment-term are reassembled by the device.
For more information about IP fragment filtering, see RFC 1858, Security Considerations for IP Fragment Filtering.
To use the configuration editor to configure the stateless firewall
filter:
Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
To configure the
firewall filter, perform the configuration tasks described in Table 236.
If you are finished configuring the router, commit
the configuration.
Table 236: Configuring a Fragments Firewall Filter for the Routing Engine
(For each task, J-Web gives the J-Web Configuration Editor steps and CLI gives the CLI Configuration Editor commands.)

Task: Navigate to the Firewall level in the configuration hierarchy.
J-Web: In the J-Web interface, select Configuration>View and Edit>Edit Configuration. Next to Firewall, click Configure or Edit.
CLI: From the [edit] hierarchy level, enter
    edit firewall

Task: Define fragment-RE and small-offset-term, and define the fragment offset match condition. The fragment offset can be from 1 through 8191.
J-Web:
    Next to Filter, click Add new entry.
    In the Filter name box, type fragment-RE.
    Next to Term, click Add New Entry.
    In the Rule name box, type small-offset-term.
    Next to From, click Configure.
    In the Fragment offset choice list, select Fragment offset.
    Next to Fragment offset, select Add New Entry.
    In the Range box, type 1-5.
    Click OK twice.
CLI: Set the term name and define the fragment offset match condition:
    set family inet filter fragment-RE term small-offset-term from fragment-offset 1-5

Task: Define the action for small-offset-term.
J-Web:
    On the Term small-offset-term page, next to Then, click Configure.
    Next to Syslog, select the check box.
    In the Designation list, select Discard.
    Click OK twice.
CLI: Set the action:
    set family inet filter fragment-RE term small-offset-term then syslog discard

Task: Define not-fragmented-term, and define the fragment, protocol, destination port, and source address match conditions.
J-Web:
    On the Filter fragment-RE page, next to Term, click Add New Entry.
    In the Term name box, type not-fragmented-term.
    Next to From, click Configure.
    In the Fragment flags box, type 0x0.
    In the Fragment offset choice list, select Fragment offset.
    Next to Fragment offset, select Add New Entry.
    In the Range box, type 0.
    Click OK.
    In the Protocol choice list, select Protocol.
    Next to Protocol, click Add new entry.
    In the Value keyword list, select tcp.
    Click OK.
    In the Destination port choice list, select Destination port.
    Next to Destination port, click Add new entry.
    In the Value keyword list, select bgp.
    Click OK.
    Next to Source address, click Add new entry.
    In the Address box, type 10.2.1.0/24.
    Click OK twice.
CLI: Set the term name and define match conditions:
    set family inet filter fragment-RE term not-fragmented-term from fragment-flags 0x0 fragment-offset 0 protocol tcp destination-port bgp source-address 10.2.1.0/24

Task: Define the action for not-fragmented-term.
J-Web:
    On the Term not-fragmented-term page, next to Then, click Configure.
    In the Designation list, select Accept.
    Click OK twice.
CLI: Set the action:
    set family inet filter fragment-RE term not-fragmented-term then accept

Task: Define first-fragment-term, and define the fragment, protocol, destination port, and source address match conditions.
J-Web:
    On the Filter fragment-RE page, next to Term, click Add New Entry.
    In the Rule name box, type first-fragment-term.
    Next to From, click Configure.
    Next to First fragment, select the check box.
    In the Protocol choice list, select Protocol.
    Next to Protocol, click Add new entry.
    In the Value keyword list, select tcp.
    Click OK.
    In the Destination port choice list, select Destination port.
    Next to Destination port, click Add new entry.
    In the Value keyword list, select bgp.
    Click OK.
    Next to Source address, click Add new entry.
    In the Address box, type 10.2.1.0/24.
    Click OK twice.
CLI: Set the term name and define match conditions:
    set family inet filter fragment-RE term first-fragment-term from first-fragment protocol tcp destination-port bgp source-address 10.2.1.0/24

Task: Define the action for first-fragment-term.
J-Web:
    On the Term first-fragment-term page, next to Then, click Configure.
    In the Designation list, select Accept.
    Click OK twice.
CLI: Set the action:
    set family inet filter fragment-RE term first-fragment-term then accept

Task: Define fragment-term and define the fragment match condition.
J-Web:
    On the Filter fragment-RE page, next to Term, click Add New Entry.
    In the Rule name box, type fragment-term.
    Next to From, click Configure.
    In the Fragment offset choice list, select Fragment offset.
    Next to Fragment offset, select Add New Entry.
    In the Range box, type 6-8191.
    Click OK twice.
CLI: Set the term name and define match conditions:
    set family inet filter fragment-RE term fragment-term from fragment-offset 6-8191

Task: Define the action for fragment-term.
J-Web:
    On the Term fragment-term page, next to Then, click Configure.
    In the Designation list, select Accept.
    Click OK four times.
CLI: Set the action:
    set family inet filter fragment-RE term fragment-term then accept
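The set commands in Table 236 produce the following hierarchical configuration, which is how the CLI displays the filter. It is shown here as an added example, not text from the guide, with comments (lines beginning with #, explanatory only) that trace the 8-byte-fragment case from the discussion above through the terms in the order the device evaluates them.

```junos
# Added example: fragment-RE as the CLI displays it after the commands in Table 236.
firewall {
    family inet {
        filter fragment-RE {
            # Fragments with offset 1 through 5, including the offset-1 fragment that
            # carries the TCP flags in the 8-byte example, are logged and discarded
            # before any later term can be evaluated against incomplete headers.
            term small-offset-term {
                from {
                    fragment-offset 1-5;
                }
                then {
                    syslog;
                    discard;
                }
            }
            # A whole BGP segment from the trusted network: MF flag 0 and offset 0,
            # so the ports are present and can be matched.
            term not-fragmented-term {
                from {
                    source-address {
                        10.2.1.0/24;
                    }
                    fragment-flags 0x0;
                    fragment-offset 0;
                    protocol tcp;
                    destination-port bgp;
                }
                then accept;
            }
            # The first fragment (offset 0) of a fragmented BGP segment: it carries
            # the ports, so the same protocol, port and source checks still apply.
            term first-fragment-term {
                from {
                    source-address {
                        10.2.1.0/24;
                    }
                    first-fragment;
                    protocol tcp;
                    destination-port bgp;
                }
                then accept;
            }
            # Later fragments carry no TCP header at all, so only the offset is
            # matched; the device reassembles them only if their first fragment
            # was accepted by first-fragment-term.
            term fragment-term {
                from {
                    fragment-offset 6-8191;
                }
                then accept;
            }
        }
    }
}
```

Nothing here accepts a packet that the four terms do not match; a fragmented UDP datagram, for example, has its first fragment fail first-fragment-term and is then discarded by the filter's implicit final discard, exactly as the guide's description of term evaluation implies.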
Applying a Stateless Firewall Filter to an Interface
You can apply a stateless firewall filter to the input side, the output side,
or both sides of an interface. To filter packets transiting the device,
apply the firewall filter to any non-Routing Engine interface. To
filter packets originating from, or destined for, the Routing Engine,
apply the firewall filter to the loopback (lo0) interface.
For example, to apply the firewall filter protect-RE to the input side of the Routing Engine interface, follow this procedure:
Perform the configuration tasks described in Table 237.
If you are finished configuring the router, commit
the configuration.
Table 237: Applying a Firewall Filter to the Routing Engine Interface
(For each task, J-Web gives the J-Web Configuration Editor steps and CLI gives the CLI Configuration Editor commands.)

Task: Navigate to the Inet level in the configuration hierarchy.