Firewall Filter Support on the Loopback Interface
The loopback interface is the gateway for all control traffic that enters the router's Routing Engine. To monitor this control traffic, you must configure a firewall filter on the loopback interface (lo0).
A loopback firewall filter is applied only to packets sent to the Routing Engine for further processing. Both inet and inet6 family filters are supported, and you can apply a firewall filter in either the ingress or the egress direction on the lo0 interface. However, only interface-specific instances of the firewall filter are supported.
For the standard firewall filter match conditions, see Match Conditions for IPv4 Traffic (ACX Series Routers).
In the ingress direction, a firewall filter on lo0 processes the following exception packets (local or transit packets) on the ACX1000, ACX1100, ACX2100, ACX2200, and ACX4000:
- TTL exception packets
- Multicast packets with a destination IP address of 224.0.0.x
- Broadcast packets
- IP options packets
Note:
Although a policer action can be attached to a loopback filter in the ingress direction, the exact behavior depends on the CPU RX queue configuration. For example, rate limiting in the ingress direction (configured through a policer) takes place after any CPU rate limiting.
Note:
On the QFX5110, reserved multicast packets hit the loopback filter in a pure Layer 2 overlay. Even though these packets are processed, they are not sent to the Routing Engine; only the counters are incremented.
The following is a sample configuration that attaches a firewall filter to the loopback interface:
[edit interfaces]
lo0 {
    unit 0 {
        family <inet | inet6> {
            filter {
                input f1;
            }
        }
    }
}

[edit firewall]
family <inet | inet6> {
    filter f1 {
        interface-specific;    >> Mandatory field.
        term t1 {
            from {
                protocol ospf;
            }
            then {
                count c1;
                discard;
            }
        }
        term t2 {
            then {
                count c2;
                accept;
            }
        }
    }
}
You can also configure the loopback firewall filter to match commonly used protocols such as BGP, OSPF, SSH, Telnet, ICMP, and SNMP. A sample configuration follows:
set firewall family inet filter LoTest interface-specific
set firewall family inet filter LoTest term tc1-ospfv2 from source-address 10.1.1.3/32
set firewall family inet filter LoTest term tc1-ospfv2 from protocol ospf
set firewall family inet filter LoTest term tc1-ospfv2 then count LoCount
set firewall family inet filter LoTest term tc1-ospfv2 then accept
set firewall family inet filter LoTest term tc1-bgp4 from source-address 10.1.1.3/32
set firewall family inet filter LoTest term tc1-bgp4 from protocol tcp
set firewall family inet filter LoTest term tc1-bgp4 from destination-port bgp
set firewall family inet filter LoTest term tc1-bgp4 then count LoCount
set firewall family inet filter LoTest term tc1-bgp4 then accept
set firewall family inet filter LoTest term tc3-icmp from source-address 10.1.1.5/32
set firewall family inet filter LoTest term tc3-icmp from protocol icmp
set firewall family inet filter LoTest term tc3-icmp from icmp-type 11
set firewall family inet filter LoTest term tc3-icmp from icmp-code 1
set firewall family inet filter LoTest term tc3-icmp then count LoCount
set firewall family inet filter LoTest term tc3-icmp then accept
set firewall family inet filter LoTest term tc5-tcpSyn from source-address 10.1.1.7/32
set firewall family inet filter LoTest term tc5-tcpSyn from protocol tcp
set firewall family inet filter LoTest term tc5-tcpSyn from tcp-flags syn
set firewall family inet filter LoTest term tc5-tcpSyn then policer LoPolicer
set firewall family inet filter LoTest term tc5-tcpSyn then count LoCount
set firewall family inet filter LoTest term tc5-tcpSyn then accept
set firewall family inet filter LoTest term tc6-snmp from source-address 10.1.1.8/32
set firewall family inet filter LoTest term tc6-snmp from protocol udp
set firewall family inet filter LoTest term tc6-snmp from destination-port snmp
set firewall family inet filter LoTest term tc6-snmp then count LoCount
set firewall family inet filter LoTest term tc6-snmp then accept
set firewall family inet filter LoTest term tc6-ntp from source-address 10.1.1.8/32
set firewall family inet filter LoTest term tc6-ntp from protocol udp
set firewall family inet filter LoTest term tc6-ntp from destination-port ntp
set firewall family inet filter LoTest term tc6-ntp then count LoCount
set firewall family inet filter LoTest term tc6-ntp then accept
set firewall family inet filter LoTest term tc6-dns from source-address 10.1.1.8/32
set firewall family inet filter LoTest term tc6-dns from protocol udp
set firewall family inet filter LoTest term tc6-dns from destination-port domain
set firewall family inet filter LoTest term tc6-dns then count LoCount
set firewall family inet filter LoTest term tc6-dns then accept
set firewall family inet filter LoTest term tc8-ipOptions from source-address 10.1.1.10/32
set firewall family inet filter LoTest term tc8-ipOptions from ip-options router-alert
set firewall family inet filter LoTest term tc8-ipOptions then count LoCount
set firewall family inet filter LoTest term tc8-ipOptions then accept
set firewall family inet filter LoTest term tc9-icmp from source-address 10.1.1.11/32
set firewall family inet filter LoTest term tc9-icmp from protocol icmp
set firewall family inet filter LoTest term tc9-icmp from icmp-type 11
set firewall family inet filter LoTest term tc9-icmp from icmp-code 1
set firewall family inet filter LoTest term tc9-icmp then policer LoPolicer
set firewall family inet filter LoTest term tc9-icmp then count LoCount
set firewall family inet filter LoTest term tc9-icmp then accept
set firewall family inet filter LoTest term tc12-ospfv2 from source-address 10.1.1.13/32
set firewall family inet filter LoTest term tc12-ospfv2 from protocol ospf
set firewall family inet filter LoTest term tc12-ospfv2 then count LoCount
set firewall family inet filter LoTest term tc12-ospfv2 then accept
set firewall family inet filter LoTest term tc13-ssh from source-address 10.1.1.14/32
set firewall family inet filter LoTest term tc13-ssh from protocol tcp
set firewall family inet filter LoTest term tc13-ssh from destination-port ssh
set firewall family inet filter LoTest term tc13-ssh then count LoCount
set firewall family inet filter LoTest term tc13-ssh then discard
set firewall family inet filter LoTest term tc14-pl from source-address 10.1.1.15/32
set firewall family inet filter LoTest term tc14-pl from packet-length 4000-9000
set firewall family inet filter LoTest term tc14-pl from protocol ospf
set firewall family inet filter LoTest term tc14-pl then count LoCount
set firewall family inet filter LoTest term tc14-pl then accept
set firewall family inet filter LoTest term tc16-pl from source-address 10.1.1.17/32
set firewall family inet filter LoTest term tc16-pl from fragment-flags more-fragments
set firewall family inet filter LoTest term tc16-pl from protocol ospf
set firewall family inet filter LoTest term tc16-pl then count LoCount
set firewall family inet filter LoTest term tc16-pl then discard
set firewall family inet filter LoTest term tc17-ssh from source-address 10.1.1.18/32
set firewall family inet filter LoTest term tc17-ssh from destination-address 10.216.66.30/32
set firewall family inet filter LoTest term tc17-ssh from protocol tcp
set firewall family inet filter LoTest term tc17-ssh from destination-port ssh
set firewall family inet filter LoTest term tc17-ssh then count LoCount
set firewall family inet filter LoTest term tc17-ssh then accept
set firewall family inet filter LoTest term all then accept
set firewall family inet6 filter LoTest6 interface-specific
set firewall family inet6 filter LoTest6 term tc2-ospfv3 from source-address 2001:db8:4136:e378:8000:63bf:3fff:fdd2
set firewall family inet6 filter LoTest6 term tc2-ospfv3 from next-header ospf
set firewall family inet6 filter LoTest6 term tc2-ospfv3 then count LoCount6
set firewall family inet6 filter LoTest6 term tc2-ospfv3 then accept
set firewall family inet6 filter LoTest6 term tc2-bgp4plus from source-address 2001:db8:4136:e378:8000:63bf:3fff:fdd2
set firewall family inet6 filter LoTest6 term tc2-bgp4plus from next-header tcp
set firewall family inet6 filter LoTest6 term tc2-bgp4plus from destination-port bgp
set firewall family inet6 filter LoTest6 term tc2-bgp4plus then count LoCount6
set firewall family inet6 filter LoTest6 term tc2-bgp4plus then accept
set firewall family inet6 filter LoTest6 term tc4-icmpv6 from source-address 2001:db8:4136:e378:8000:63bf:3fff:fdd3
set firewall family inet6 filter LoTest6 term tc4-icmpv6 from next-header icmp6
set firewall family inet6 filter LoTest6 term tc4-icmpv6 from icmp-type 1
set firewall family inet6 filter LoTest6 term tc4-icmpv6 from icmp-code 0
set firewall family inet6 filter LoTest6 term tc4-icmpv6 then count LoCount6
set firewall family inet6 filter LoTest6 term tc4-icmpv6 then accept
set firewall family inet6 filter LoTest6 term tc7-snmp from next-header udp
set firewall family inet6 filter LoTest6 term tc7-snmp from destination-port snmp
set firewall family inet6 filter LoTest6 term tc7-snmp then count LoCount6
set firewall family inet6 filter LoTest6 term tc7-snmp then accept
set firewall family inet6 filter LoTest6 term tc7-ntp from next-header udp
set firewall family inet6 filter LoTest6 term tc7-ntp from destination-port ntp
set firewall family inet6 filter LoTest6 term tc7-ntp then count LoCount6
set firewall family inet6 filter LoTest6 term tc7-ntp then accept
set firewall family inet6 filter LoTest6 term tc7-dns from next-header udp
set firewall family inet6 filter LoTest6 term tc7-dns from destination-port domain
set firewall family inet6 filter LoTest6 term tc7-dns then count LoCount6
set firewall family inet6 filter LoTest6 term tc7-dns then accept
set firewall family inet6 filter LoTest6 term tc10-icmp from source-address 2001:db8:4136:e378:8000:63bf:3fff:fdd4
set firewall family inet6 filter LoTest6 term tc10-icmp from next-header icmp6
set firewall family inet6 filter LoTest6 term tc10-icmp from icmp-type 1
set firewall family inet6 filter LoTest6 term tc10-icmp from icmp-code 0
set firewall family inet6 filter LoTest6 term tc10-icmp then policer LoPolicer
set firewall family inet6 filter LoTest6 term tc10-icmp then count LoCount6
set firewall family inet6 filter LoTest6 term tc10-icmp then accept
set firewall family inet6 filter LoTest6 term all then accept
set firewall policer LoPolicer if-exceeding bandwidth-limit 22k
set firewall policer LoPolicer if-exceeding burst-size-limit 20k
set firewall policer LoPolicer then discard
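The Python script below is an added example, not Juniper code and not part of this page. It models the term logic that the two configurations above express: it parses a constructed subset of the LoTest set commands, evaluates constructed packets against the terms in configuration order with first-match semantics, tallies the count actions, and checks for the interface-specific statement the page marks as mandatory and for a catch-all final term. The parser, the packet fields, the PORT_NAMES table and the sample packets are assumptions of the example; it models term evaluation only, not the ACX forwarding plane, CPU rate limiting or policers.

```python
"""Offline model of a Junos-style loopback (lo0) firewall filter.

Added example, not Juniper code: parses a small subset of the set-format
commands shown on the page, evaluates constructed packets against the terms
with first-match semantics, and lints for the mandatory interface-specific
statement. Models term logic only, not the ACX forwarding plane."""
import ipaddress
from collections import Counter

# Constructed subset of the page's LoTest filter (inet family only).
SAMPLE_CONFIG = """\
set firewall family inet filter LoTest interface-specific
set firewall family inet filter LoTest term tc1-bgp4 from source-address 10.1.1.3/32
set firewall family inet filter LoTest term tc1-bgp4 from protocol tcp
set firewall family inet filter LoTest term tc1-bgp4 from destination-port bgp
set firewall family inet filter LoTest term tc1-bgp4 then count LoCount
set firewall family inet filter LoTest term tc1-bgp4 then accept
set firewall family inet filter LoTest term tc13-ssh from source-address 10.1.1.14/32
set firewall family inet filter LoTest term tc13-ssh from protocol tcp
set firewall family inet filter LoTest term tc13-ssh from destination-port ssh
set firewall family inet filter LoTest term tc13-ssh then count LoCount
set firewall family inet filter LoTest term tc13-ssh then discard
set firewall family inet filter LoTest term all then accept
"""

# Well-known port numbers behind the service names used on the page (assumed table).
PORT_NAMES = {"bgp": 179, "ssh": 22, "snmp": 161, "ntp": 123, "domain": 53}


def parse_filter(text):
    """Parse set commands into {"interface_specific": bool, "terms": {name: {...}}}.
    Terms keep configuration order, which is also evaluation order."""
    spec = {"interface_specific": False, "terms": {}}
    for line in text.strip().splitlines():
        tok = line.split()
        # tok[5] is the filter name; everything after it is the statement.
        if tok[:5] != ["set", "firewall", "family", "inet", "filter"]:
            raise ValueError("unsupported command: " + line)
        stmt = tok[6:]
        if stmt == ["interface-specific"]:
            spec["interface_specific"] = True
        elif len(stmt) >= 4 and stmt[0] == "term" and stmt[2] in ("from", "then"):
            term = spec["terms"].setdefault(stmt[1], {"from": {}, "then": {}})
            # "then accept" has no argument; store True for flag-style actions.
            term[stmt[2]][stmt[3]] = stmt[4] if len(stmt) > 4 else True
        else:
            raise ValueError("unsupported command: " + line)
    return spec


def term_matches(conds, pkt):
    """True when every 'from' condition holds; an empty 'from' matches all."""
    for key, val in conds.items():
        if key in ("source-address", "destination-address"):
            addr = pkt["src"] if key == "source-address" else pkt["dst"]
            if ipaddress.ip_address(addr) not in ipaddress.ip_network(val):
                return False
        elif key == "protocol":
            if pkt["proto"] != val:
                return False
        elif key == "destination-port":
            if pkt.get("dport") != PORT_NAMES.get(val, val):
                return False
        else:
            raise ValueError("unsupported match condition: " + key)
    return True


def evaluate(spec, pkt, counters):
    """Apply the first matching term: bump its counter, return accept/discard.
    A packet matched by no term hits the implicit discard at the end of a
    Junos filter."""
    for term in spec["terms"].values():
        if term_matches(term["from"], pkt):
            if "count" in term["then"]:
                counters[term["then"]["count"]] += 1
            return "discard" if "discard" in term["then"] else "accept"
    return "discard"


def lint(spec):
    """Findings a reviewer would raise before committing a lo0 filter."""
    findings = []
    if not spec["interface_specific"]:
        findings.append("interface-specific is mandatory for lo0 filters")
    last = list(spec["terms"].values())[-1] if spec["terms"] else None
    if last is None or last["from"]:
        findings.append("no catch-all final term: unmatched RE-bound traffic is silently discarded")
    return findings


def run_sample():
    """Evaluate constructed packets against SAMPLE_CONFIG."""
    spec = parse_filter(SAMPLE_CONFIG)
    counters = Counter()
    packets = {  # constructed RE-bound packets
        "bgp_from_peer": {"src": "10.1.1.3", "dst": "10.0.0.1", "proto": "tcp", "dport": 179},
        "ssh_from_blocked": {"src": "10.1.1.14", "dst": "10.0.0.1", "proto": "tcp", "dport": 22},
        "ssh_from_other": {"src": "10.1.1.99", "dst": "10.0.0.1", "proto": "tcp", "dport": 22},
        "ospf_hello": {"src": "10.1.1.3", "dst": "224.0.0.5", "proto": "ospf"},
    }
    verdicts = {name: evaluate(spec, pkt, counters) for name, pkt in packets.items()}
    return verdicts, dict(counters), lint(spec)


if __name__ == "__main__":
    print(run_sample())
```

Running the script shows the ordering effect a reviewer checks for: SSH from 10.1.1.14 is discarded by tc13-ssh, while SSH from any other source falls through to the final accept-all term, and only terms carrying a count action leave a trace in the counters. Deleting the interface-specific line from SAMPLE_CONFIG makes lint() report the mandatory statement the page calls out.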