
Example: Configuring a Filter to Block TCP Access to a Port Except from Specified BGP Peers


This example shows how to configure a standard stateless firewall filter that blocks all TCP connection attempts to port 179 from all requesters except from specified BGP peers.

Requirements

No special configuration beyond device initialization is required before you configure this example.

Overview

In this example, you create a stateless firewall filter that blocks all TCP connection attempts to port 179 from all requesters except the specified BGP peers.

The stateless firewall filter filter_bgp179 matches all packets from the directly connected interfaces on Device A and Device B to the destination port number 179.

Figure 1 shows the topology used in this example. Device C attempts to make a TCP connection to Device E. Device E blocks the connection attempt. This example shows the configuration on Device E.

Figure 1: Typical Network with BGP Peer Sessions

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

Device C

Device E

Configuring Device E

Step-by-Step Procedure

The following example requires that you navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure Device E with a stateless firewall filter that blocks all TCP connection attempts to port 179 from all requesters except the specified BGP peers:

  1. Configure the interfaces.
  2. Configure BGP.
  3. Configure the autonomous system number.
  4. Define the filter term that accepts TCP connection attempts to port 179 from the specified BGP peers.
  5. Define the other filter term to reject packets from other sources.
  6. Apply the firewall filter to the loopback interface.
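The filter that steps 4 through 6 build, written out as an added configuration example rather than the page's own quick-configuration listing. The peer addresses 10.10.10.2/32 and 10.10.10.6/32, the term names and the counter name are constructed placeholders for Device A and Device B; a third, accept-everything-else term is included because every Junos filter ends in an implicit discard, which on lo0 would otherwise cut off all other traffic to the Routing Engine.

```junos
/* Constructed example; 10.10.10.2/32 and 10.10.10.6/32 stand in for the BGP peers. */
firewall {
    family inet {
        filter filter_bgp179 {
            /* Term 1: accept TCP to port 179 (bgp) only from the listed peers. */
            term accept-bgp-peers {
                from {
                    source-address {
                        10.10.10.2/32;
                        10.10.10.6/32;
                    }
                    protocol tcp;
                    destination-port bgp;
                }
                then accept;
            }
            /* Term 2: any other TCP attempt to port 179 is counted and rejected
               (ICMP administratively-prohibited by default; discard drops silently). */
            term reject-other-bgp {
                from {
                    protocol tcp;
                    destination-port bgp;
                }
                then {
                    count bgp179-rejected;
                    reject;
                }
            }
            /* Term 3: accept everything else, otherwise the implicit discard
               drops all other Routing Engine traffic (SSH, OSPF, and so on). */
            term accept-everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input filter_bgp179;
                }
            }
        }
    }
}
```

The bgp179-rejected counter appears in the output of show firewall filter filter_bgp179, so blocked connection attempts from hosts such as Device C can be seen without a packet capture.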

Results

From configuration mode, confirm your configuration by entering the show firewall, show interfaces, show protocols, and show routing-options commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying That the Filter Is Configured

Purpose

Make sure that the filter is listed in the output of the show firewall filter command.

Action

user@E> show firewall filter filter_bgp179

Verifying the TCP Connections

Purpose

Verify the TCP connections.

Action

From operational mode, run the show system connections extensive command on Device C and Device E.

The output on Device C shows the attempt to establish a TCP connection. The output on Device E shows that connections are established with Device A and Device B only.

user@C> show system connections extensive | match 10.10.10
user@E> show system connections extensive | match 10.10.10

Monitoring Traffic on the Interfaces

Purpose

Use the monitor traffic command to compare the traffic on an interface that establishes a TCP connection with the traffic on an interface that does not establish a TCP connection.

Action

From operational mode, run the monitor traffic command on the Device E interface to Device B and on the Device E interface to Device C. The following sample output verifies that in the first example, acknowledgment (ack) messages are received. In the second example, ack messages are not received.

user@E> monitor traffic size 1500 interface ge-1/2/1.5
user@E> monitor traffic size 1500 interface ge-1/0/0.9