Configuring Stateful Firewalls in the JUNOS SDK

This page covers the following topics about configuring stateful firewalls: loading the stateful firewall plugin, configuring memory for the stateful firewall, configuring rsh, rlogin, and rexec, and using stateful firewall operational commands.

Loading the Stateful Firewall Plugin

As of JUNOS Release 9.5, a stateful firewall plugin is provided as part of jbundle. To load this plugin on the PIC, include the package jservices-sfw statement at the [edit chassis fpc slot-number pic slot-number adaptive-services service-package extension-provider] hierarchy level. Here is an example:

[edit]
user@host# show chassis
fpc 0 {
    pic 0 {
        adaptive-services {
            service-package {
                extension-provider {
                    control-cores 1;
                    data-cores 4;
                    object-cache-size 128;
                    package jservices-sfw; # Loads stateful firewall plugin.
                    policy-db-size 64;
                }
            }
        }
    }
}

You cannot load both a native JUNOS service package and a JUNOS SDK application package on the same PIC. However, you can load both the jservices-sfw package and a JUNOS SDK application package on the same PIC.

The following example demonstrates the stateful firewall plugin coexisting with a provider's plugin.

[edit services]
service-set sset {
    interface-service {
        service-interface ms-0/0/0.0;
    }
    stateful-firewall-rules rule1;
    extension-service customer-plugin;
    service-order [stateful-firewall customer-plugin];
}

stateful-firewall {
    rule rule1 {
        match-direction input-output;
        term term1 {
            from {
                applications junos-ftp;
            }
            then {
                accept;
            }
        }
    }
    rule rule2 {
        match-direction input;
        term term1 {
            from {
                source-address {
                    192.1.1.2/32;
                }
            }
            then {
                reject;
                syslog;
            }
        }
    }
}

Configuring Memory for Stateful Firewall

When configuring the stateful firewall internal plugin, the upper limits to specify for the policy-db-size, object-cache-size, and forwarding-db-size statements are not yet settled for applications that use a large number of rules, where the total memory required approaches the size of the configured object cache. The following limits, which are specific to the stateful firewall configuration, await additional review:

If the policy database is set too small, an error message is logged in the router message file even though the commit may appear to succeed. Check the logs to make sure no such message file error is present before treating the stateful firewall commit as successful. The remedial action is to increase the size of the policy database.

Configuring rsh, rlogin, and rexec

Some implementations of the rsh, rlogin, and rexec mechanism require the remote host to authenticate the request by opening a separate TCP session to port 113 on the client host. By default, the stateful firewall does not allow this authentication flow to go through. To improve performance, include the applications junos-ident statement at the [edit services stateful-firewall rule rule-name term term-name from] hierarchy level.

[edit]
services {
    stateful-firewall {
        rule rule1 {
            term term1 {
                from {
                    (source-address | destination-address);
                    applications junos-ident;
                }
                then {
                    accept;
                }
            }
        }
    }
}

To allow Kerberos-enabled rsh, rlogin, and rexec through the stateful firewall, configure the following additional applications and include them in the stateful firewall terms:

[edit]
applications {
    application kerberos-kshell {
        protocol tcp;
        destination-port kshell;
    }
    application kerberos-klogin {
        protocol tcp;
        destination-port klogin;
    }
}
services {
    stateful-firewall {
        rule rule1 {
            term term1 {
                from {
                    applications [kerberos-klogin kerberos-kshell];
                }
                then {
                    accept;
                }
            }
        }
    }
}
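The two configuration examples above (the service set with its stateful-firewall rules, and the applications block referenced from a term) are easy to get subtly wrong: a then clause nested inside from, an application referenced in a term but never defined under [edit applications], or stateful-firewall-rules used on a PIC that never loads package jservices-sfw. The following linter is an added example, not Juniper code and not part of the JUNOS SDK. It parses the subset of JUNOS curly-brace syntax used on this page (blocks, semicolon statements, bracketed lists, # comments) and reports those three defects. The sample configurations embedded in it are constructed for the example; the good one mirrors the corrected page examples, the bad one reproduces the defects.

```python
"""Lint a JUNOS-style configuration for the stateful firewall pitfalls on this page.

Added example, not Juniper code.  The parser covers only the syntax subset used
in the page's examples; it is not a complete JUNOS configuration parser."""
import re
from dataclasses import dataclass, field

TOKEN = re.compile(r"\{|\}|;|\[|\]|[^\s{};\[\]]+")


@dataclass
class Node:
    words: list                     # e.g. ["rule", "rule1"] or ["package", "jservices-sfw"]
    children: list = field(default_factory=list)


def tokenize(text):
    # Strip "# ..." comments to end of line, then split into tokens.
    return TOKEN.findall("\n".join(l.split("#", 1)[0] for l in text.splitlines()))


def parse(text):
    """Parse configuration text into a list of top-level Nodes; raise on unbalanced braces."""
    toks, pos = tokenize(text), 0

    def block(top):
        nonlocal pos
        nodes, words = [], []
        while pos < len(toks):
            t = toks[pos]
            pos += 1
            if t == "}":
                if top or words:
                    raise ValueError("unbalanced '}' or statement missing ';'")
                return nodes
            if t == "{":                          # "words {" opens a nested block
                nodes.append(Node(words, block(False)))
                words = []
            elif t == ";":                        # "words ;" is a leaf statement
                nodes.append(Node(words))
                words = []
            elif t == "[":                        # flatten "[ a b c ]" into the statement words
                while pos < len(toks) and toks[pos] != "]":
                    words.append(toks[pos])
                    pos += 1
                pos += 1
            else:
                words.append(t)
        if not top:
            raise ValueError("missing '}'")
        return nodes

    return block(True)


def walk(nodes, path=()):
    """Yield (path_of_keywords, node) for every node, depth first, in document order."""
    for n in nodes:
        here = path + (n.words[0] if n.words else "",)
        yield here, n
        yield from walk(n.children, here)


def lint(text):
    """Return a list of human-readable findings; an empty list means no defect found."""
    findings, defined, referenced = [], set(), set()
    sfw_used = plugin_loaded = False
    for path, n in walk(parse(text)):
        key = n.words[0] if n.words else ""
        if key == "term":
            kids = {c.words[0] for c in n.children if c.words}
            frm = next((c for c in n.children if c.words and c.words[0] == "from"), None)
            if frm and any(c.words and c.words[0] == "then" for c in frm.children):
                findings.append(f"{' '.join(n.words)}: 'then' is nested inside 'from'; it must be a sibling of 'from'")
            elif "then" not in kids:
                findings.append(f"{' '.join(n.words)}: no 'then' action")
        elif key == "application" and path[:-1] == ("applications",):
            if len(n.words) == 2:
                defined.add(n.words[1])
            else:
                findings.append(f"{' '.join(n.words)}: application name must be a single token")
        elif key == "applications" and "from" in path:
            referenced.update(n.words[1:])
        elif key == "stateful-firewall-rules" and "service-set" in path:
            sfw_used = True
        elif n.words == ["package", "jservices-sfw"]:
            plugin_loaded = True
    for name in sorted(referenced - defined):
        if not name.startswith("junos-"):          # junos-* applications are predefined
            findings.append(f"application '{name}' is referenced in a term but never defined under [edit applications]")
    if sfw_used and not plugin_loaded:
        findings.append("stateful-firewall-rules used in a service-set but 'package jservices-sfw' is not loaded on any PIC")
    return findings


# Constructed sample: the corrected page examples, plugin loaded, application defined.
GOOD_CONFIG = """
chassis { fpc 0 { pic 0 { adaptive-services { service-package { extension-provider {
    control-cores 1; data-cores 4; object-cache-size 128;
    package jservices-sfw;   # loads the stateful firewall plugin
    policy-db-size 64; } } } } } }
applications { application kerberos-kshell { protocol tcp; destination-port kshell; } }
services {
    service-set sset { interface-service { service-interface ms-0/0/0.0; }
                       stateful-firewall-rules rule1; }
    stateful-firewall { rule rule1 { match-direction input-output;
        term term1 { from { applications [ junos-ident kerberos-kshell ]; } then { accept; } } } }
}
"""

# Constructed sample reproducing the defects: nested then, bad application name, no plugin.
BAD_CONFIG = """
applications { application test kerberos-klogin { protocol tcp; destination-port klogin; } }
services {
    service-set sset { interface-service { service-interface ms-0/0/0.0; }
                       stateful-firewall-rules rule2; }
    stateful-firewall { rule rule2 { match-direction input;
        term term1 { from { source-address { 192.1.1.2/32; }
                            then { reject; syslog; } } }
        term term2 { from { applications [ kerberos-klogin kerberos-kshell ]; } then { accept; } } } }
}
"""

if __name__ == "__main__":
    for finding in lint(BAD_CONFIG):
        print(finding)
```

Run it against a saved "show configuration" output before committing; the checks are structural only and do not replace reading the router message file after the commit, as the memory section above requires.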

Using Stateful Firewall Operational Commands

Some stateful firewall operational commands support the ms- interface:

For more information on these commands, see their summaries in the Operational Command Reference.

Other Configuration Guidelines:
Guidelines for Configuring SDK Applications

See also:
Statement Summary
Configuration Command Summary
Operational Command Reference
SDK CLI Configuration

2007-2009 Juniper Networks, Inc. All rights reserved. The information contained herein is confidential information of Juniper Networks, Inc., and may not be used, disclosed, distributed, modified, or copied without the prior written consent of Juniper Networks, Inc. in an express license. This information is subject to change by Juniper Networks, Inc. Juniper Networks, the Juniper Networks logo, and JUNOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Generated on Sun May 30 20:26:48 2010 for Juniper Networks Partner Solution Development Platform JUNOS SDK 10.2R1 by Doxygen 1.4.5