Configuring Stateful Firewalls in the JUNOS SDK

This page covers the following topics about configuring stateful firewalls:

• Loading the Stateful Firewall Plugin

• Configuring Memory for Stateful Firewall

• Configuring rsh, rlogin, and rexec

• Using Stateful Firewall Operational Commands

Loading the Stateful Firewall Plugin

As of JUNOS Release 9.5, there is a stateful firewall plugin provided as part of jbundle. To load this plugin on the PIC, include the statement package jservices-sfw at the [edit chassis fpc slot-number pic slot-number adaptive-services service-package extension-provider] hierarchy level. Here is an example:

[edit]
user@host# show chassis
fpc 0 {
    pic 0 {
        adaptive-services {
            service-package {
                extension-provider {
                    control-cores 1;
                    data-cores 4;
                    object-cache-size 128;
                    package jservices-sfw; # Loads stateful firewall plugin.
                    policy-db-size 64;
                }
            }
        }
    }
}

You cannot load both a native JUNOS service package and a JUNOS SDK application package on the same PIC. However, you can load both the jservices-sfw package and a JUNOS SDK application package on the same PIC.

The following example demonstrates the stateful firewall plugin coexisting with a provider's plugin.

[edit services]
service-set sset {
    interface-service {
        service-interface ms-0/0/0.0;
    }
    stateful-firewall-rules rule1;
    extension-service customer-plugin;
    service-order [stateful-firewall customer-plugin];
}

stateful-firewall {
    rule rule1 {
        match-direction input-output;
        term term1 {
            from {
                applications junos-ftp;
            }
            then {
                accept;
            }
        }
    }
    rule rule2 {
        match-direction input;
        term term1 {
            from {
                source-address {
                    192.1.1.2/32;
                }
                then {
                    reject;
                    syslog;
                }
            }
        }
    }
}

Configuring Memory for Stateful Firewall

When configuring the stateful firewall internal plugin, some questions remain regarding the upper limit to specify for the policy-db-size, object-cache-size, and forwarding-db-size statements when the application will use a large number of rules, causing the total memory required to approach the size of the object cache configured. The following limits, which are specific to the stateful firewall configuration, await additional review:

• Maximum number of terms (with one rule per term) per service set: 1200

• Maximum number of service sets per Multiservices PIC: 4000 (Juniper Networks M Series Multiservice Edge Routers and T Series Core Routers), 6000 (Juniper Networks MX Series Ethernet Services Routers and M120 Multiservice Edge Routers)

• Maximum object cache size: 1280 MB (Multiservices 400 PICs and DPCs), 512 MB (Multiservices 100 PICs)

• Maximum policy database size: Still to be determined.

If the policy database is set too small, an error message will be logged in the router message file even though the commit may appear to be successful. It is necessary to check the logs to make sure that no message file error is found to be sure that the stateful firewall commit was indeed successful. The remedial action is to increase the size of the policy database.

Configuring rsh, rlogin, and rexec

Some implementations of the rsh, rlogin, rexec mechanism require the remote host to authenticate the request by opening a separate TCP session to port 113 on the client host. By default, the stateful firewall does not allow this authentication flow to go through. To improve performance, inlude the apllications junos-ident statement at the [edit services stateful-firewall rule rule-name term term-name from] hierarchy level.

[edit]
services {
    stateful-firewall {
        rule rule1 {
            term term1 {
                from {
                    (source-address | destination-address);
                    applications junos-ident;
                }
                then {
                    accept;
                }
            }
        }
    }
}

To allow Kerberos-enabled rsh, rlogin, rexec through the stateful firewall, configure the following additional applications and include them in the stateful firewall terms:

[edit]
applications {
    application test-kerberos-kshell {
        Protocol tcp;
        destination-port kshell;
    }
    application test kerberos-klogin {
        protocol tcp;
        destination-port klongin;
    }
}
services {
    stateful-firewall {
        rule rule1 {
            term term1 {
                from {
                    applications [kerberos-klogin kerberos-kshell];
                }
                then {
                    accept;
                }
            }
        }
    }
} 

Using Stateful Firewall Operational Commands

Some stateful firewall operational commands support the ms- interface:

• show services stateful-firewall flows—Display stateful firewall flow table entries.

• show services stateful-firewall statistics—Display stateful firewall statistics. For this command, only rule and ALG statistics are given. In the extensive option, other statistics appear but do not populate correctly—those values are all zeroes.

• clear services stateful-firewall flows—Remove established flows from flow table.

For more information on these commands, see their summaries in the Operational Command Reference.

Other Configuration Guidelines:

Guidelines for Configuring SDK Applications

See also:

Statement Summary

Configuration Command Summary

Operational Command Reference

SDK CLI Configuration

---