A stateful firewall tracks connection state and performs a rule match only on the first packet.
In contrast, a stateless firewall does not track connection state and matches every packet to pre-configured rules; see Dynamic Firewall Filters for the JUNOS SDK implementation of stateless firewall filters.
The system creates flows once a rule match is completed and, based on the configured rules, tracks the connection state at multiple levels as follows:
- Unidirectional tracking (Layer 3, allow a particular IP protocol).
- Layer 4 protocol tracking (TCP/UDP/ICMP); the system creates both a forward and a reverse flow.
- Application-layer gateways (FTP and other protocols used by applications).
The microkernel on the Multiservices PIC includes a stateful firewall service, which is described in the JUNOS Services Interfaces Configuration Guide and is also available as part of the Services SDK. SDK applications on the Multiservices PIC can include the stateful firewall service in their configuration to take advantage of the supported application-layer gateways it provides, adding an extra level of security.
For details about how to configure a stateful firewall, see Configuring Stateful Firewalls in the JUNOS SDK. For detailed information about configuring JUNOS services, see the JUNOS Services Interfaces Configuration Guide.
- The stateful firewall service requires a license. Please contact firstname.lastname@example.org for information on obtaining the license.
The JUNOS SDK implementation of stateful firewall supports the following application-layer gateways (ALGs) in this release:
- tftp - Trivial File Transfer Protocol
- dns - Domain Name Service
- exec - Remote Execution Protocol
- ftp - File Transfer Protocol
The following ALGs are not currently supported in the SDK:
- iiop - Internet Inter-ORB Protocol
- rpc-portmap - RPC portmap
- sip - Session Initiation Protocol
- dce-rpc - DCE RPC
- dce-rpc-portmap - DCE RPC portmap
- rtsp - Real Time Streaming Protocol
- bootp - Bootstrap Protocol
To list the supported ALGs from the command-line interface (CLI), use the following command:
set applications application x1 application-protocol ?
The application rules can choose applications from either the list of JUNOS default applications or from any user-configurable applications. You can query the list of JUNOS default applications with the following CLI command:
# show groups junos-defaults applications application ?
The following actions are supported:
- reject - Sends an ICMP error, or a reset flag (RST) for TCP.
- syslog - Supported at the rule level.
The following limitations apply to the stateful firewall support:
- max-flows per service set - Limits the number of flows that can be created per service set.
- You cannot write your own ALGs.
- Hot standby support does not extend to the stateful firewall service.
- There is no explicit ALG support for echo as they fit into the TCP ALG (only Layer 4 processing is performed, so the protocol does not open any additional flows and does not need ALG support).
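As an added illustration (not part of the JUNOS SDK documentation or its code), the following constructed Python model contrasts the two behaviours described above: a stateless filter re-matches every packet, while the stateful firewall matches rules only on the first packet, installs a forward and a reverse flow, enforces the max-flows limit per service set, and answers a reject with an ICMP error or a TCP RST. The action names accept/discard/reject, the 5-tuple flow keys, the "discard" default and the sample addresses and rules are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str    # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int

# A rule is (match predicate, action). The actions accept/discard/reject are
# assumed here; reject follows the page: ICMP error, or RST for TCP.
Rule = Tuple[Callable[[Packet], bool], str]

def first_match(rules: List[Rule], p: Packet) -> str:
    # Stateless behaviour: every packet is matched against the rule list.
    # "discard" is the constructed default when no rule matches.
    return next((act for match, act in rules if match(p)), "discard")

class StatefulFirewall:
    """Rule match on the first packet only; later packets hit the flow table."""

    def __init__(self, rules: List[Rule], max_flows: int) -> None:
        self.rules = rules
        self.max_flows = max_flows          # max-flows per service set
        self.flows: Dict[tuple, str] = {}   # 5-tuple -> action

    def process(self, p: Packet) -> Tuple[str, str]:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        if fwd in self.flows:               # established flow: no rule lookup
            return self.flows[fwd], "flow-hit"
        action = first_match(self.rules, p)
        if action == "reject":              # ICMP error, or RST when TCP
            kind = "reject-tcp-rst" if p.proto == "tcp" else "reject-icmp-error"
            return kind, "rule-match"
        if action == "accept":
            if len(self.flows) + 2 > self.max_flows:   # forward + reverse flow
                return "discard", "max-flows-exceeded"
            rev = (p.proto, p.dst, p.dport, p.src, p.sport)
            self.flows[fwd] = self.flows[rev] = "accept"
        return action, "rule-match"

# Constructed rule set: permit FTP control connections, reject TFTP.
RULES: List[Rule] = [
    (lambda p: p.proto == "tcp" and p.dport == 21, "accept"),
    (lambda p: p.proto == "udp" and p.dport == 69, "reject"),
]
```

The reply packet of an accepted connection is a flow hit for the stateful firewall but is discarded by the stateless matcher, which would need an explicit rule for return traffic.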
© 2007-2009 Juniper Networks, Inc. All rights reserved. The information contained herein is confidential information of Juniper Networks, Inc., and may not be used, disclosed, distributed, modified, or copied without the prior written consent of Juniper Networks, Inc. in an express license. This information is subject to change by Juniper Networks, Inc. Juniper Networks, the Juniper Networks logo, and JUNOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Generated on Sun May 30 20:26:47 2010 for Juniper Networks Partner Solution Development Platform JUNOS SDK 10.2R1 by Doxygen 1.4.5