

Configure Stateful Firewall Actions

To configure stateful firewall actions, include the then statement at the [edit services stateful-firewall rule rule-name term term-name] hierarchy level:

[edit services stateful-firewall rule rule-name term term-name]
then {
    (accept | discard | reject);
    allow-ip-option [ values ];
    syslog;
}

You must include exactly one of the following three actions in the then statement:

accept: Accept the packet and send it on to its destination.
discard: Drop the packet silently and do not process it further.
reject: Drop the packet and return a rejection message to the source (an ICMP unreachable message for UDP traffic, a TCP reset for TCP traffic).

You can optionally have the firewall record packets that match the term in the system logging facility by including the syslog statement at the [edit services stateful-firewall rule rule-name term term-name then] hierarchy level. A syslog statement in a term overrides any syslog setting configured in the service set or in the interface default configuration.

Configure IP Option Handling

You can optionally have the firewall inspect the options field of the IP header by including the allow-ip-option statement at the [edit services stateful-firewall rule rule-name term term-name then] hierarchy level. When you configure this statement, every packet that matches the criteria in the from statement is subjected to an additional check: the packet is accepted only if each IP option type it carries is listed as a value in the allow-ip-option statement. If you do not configure allow-ip-option, only packets that carry no IP header options are accepted.

The additional IP header option inspection applies only to the accept and reject stateful firewall actions; it has no effect on the discard action. When a packet fails the IP header inspection, no reject frame is sent, so in this case the reject action has the same effect as discard.

If a packet carrying IP options is accepted by the stateful firewall, NAT and IDS services are applied to it in the same way as to packets without IP options. The IP option configuration appears only in the stateful firewall rules; NAT applies to packets with or without IP options, as long as the stateful firewall accepts the packet.

When a packet is dropped because it fails the IP option inspection, the exception generates both an IDS event and a system log message. The event type depends on the first IP option field that was rejected.

Table 7 lists the possible allow-ip-option values. You can include a range or set of numeric values, or one or more of the predefined IP option names; for a predefined option you can enter either the name or its numeric equivalent. Note that the numeric column is not uniformly encoded: ip-security (130) and router-alert (148) are the full 8-bit option-type byte defined in RFC 791 (copied flag, class, and number), whereas the other entries are the 5-bit option number within that byte (on the wire, loose-source-route is carried as type 131, strict-source-route as 137, timestamp as 68, and ip-stream as 136). Using the names avoids this ambiguity.


Table 7: IP Option Values

IP Option Name         Numeric Value   Comment
any                    0               Any IP option
ip-security            130
ip-stream              8
loose-source-route     3
route-record           7
router-alert           148
strict-source-route    9
timestamp              4

