Example: Configuring a Stateless Firewall Filter to Protect a Logical System Against ICMP Floods
This example shows how to configure a stateless firewall filter that protects against ICMP denial-of-service attacks on a logical system.
In this example, no special configuration beyond device initialization is required.
This example shows a stateless firewall filter called protect-RE that polices ICMP packets. The icmp-policer limits the traffic rate of the ICMP packets to 1,000,000 bps and the burst size to 15,000 bytes. Packets that exceed the traffic rate are discarded.
The policer is incorporated into the action of a filter term called icmp-term.
In this example, a ping is sent from a directly connected physical router to the interface configured on the logical system. The logical system accepts the ICMP packets if they are received at a rate of up to 1 Mbps (bandwidth-limit). The logical system drops all ICMP packets when this rate is exceeded. The burst-size-limit statement accepts traffic bursts up to 15 Kbps. If bursts exceed this limit, all packets are dropped. When the flow rate subsides, ICMP packets are again accepted.
Figure 1 shows the topology used in this example.
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the  hierarchy level.
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure an ICMP firewall filter on a logical system:
Configure the interface on the logical system.user@host# set logical-systems LS1 interfaces so-0/0/2 unit 0 family inet address 10.0.45.2/30
Explicitly enable ICMP packets to be received on the interface.user@host# set logical-systems LS1 firewall family inet filter protect-RE term icmp-term from protocol icmpuser@host# set logical-systems LS1 firewall family inet filter protect-RE term icmp-term then accept
Create the policer.user@host# set logical-systems LS1 firewall policer icmp-policer if-exceeding bandwidth-limit 1muser@host# set logical-systems LS1 firewall policer icmp-policer if-exceeding burst-size-limit 15kuser@host# set logical-systems LS1 firewall policer icmp-policer then discard
Apply the policer to a filter term.user@host# set logical-systems LS1 firewall family inet filter protect-RE term icmp-term then policer icmp-policer
Apply the policer to the logical system interface.user@host# set logical-systems LS1 interfaces so-0/0/2 unit 0 family inet policer input icmp-policer
If you are done configuring the device, commit the configuration.user@host# commit
Confirm your configuration by issuing the show logical-systems LS1 command.
Confirm that the configuration is working properly.
Verifying That Ping Works Unless the Limits Are Exceeded
Make sure that the logical system interface is protected against ICMP-based DoS attacks.
Log in to a system that has connectivity to the logical system and run the ping command.
user@R2> ping 10.0.45.2
PING 10.0.45.2 (10.0.45.2): 56 data bytes 64 bytes from 10.0.45.2: icmp_seq=0 ttl=64 time=1.316 ms 64 bytes from 10.0.45.2: icmp_seq=1 ttl=64 time=1.277 ms 64 bytes from 10.0.45.2: icmp_seq=2 ttl=64 time=1.269 ms
user@R2> ping 10.0.45.2 size 20000
PING 10.0.45.2 (10.0.45.2): 20000 data bytes ^C --- 10.0.45.2 ping statistics --- 4 packets transmitted, 0 packets received, 100% packet loss
When you send a normal ping, the packet is accepted. When you send a ping packet that exceeds the filter limit, the packet is discarded.