
Example: Configuring a Stateless Firewall Filter to Accept Traffic from Trusted Sources


This example shows how to create a stateless firewall filter that protects the Routing Engine from traffic originating from untrusted sources.

Requirements

No special configuration beyond device initialization is required before configuring stateless firewall filters.

Overview

In this example, you create a stateless firewall filter called protect-RE that discards all traffic destined for the Routing Engine except SSH and BGP protocol packets from specified trusted sources. This example includes the following firewall filter terms:

  • ssh-term—Accepts TCP packets with a source address of 192.168.122.0/24 and a destination port that specifies SSH.

  • bgp-term—Accepts TCP packets with a source address of 10.2.1.0/24 and a destination port that specifies BGP.

  • discard-rest-term—For every packet not accepted by ssh-term or bgp-term, creates a firewall filter log record and a system log record, then discards the packet.

Note

You can move terms within the firewall filter using the insert command. See insert in the CLI User Guide.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure the stateless firewall filter:

  1. Create the stateless firewall filter.

  2. Create the first filter term.

  3. Define the protocol, destination port, and source address match conditions for the term.

  4. Define the actions for the term.

  5. Create the second filter term.

  6. Define the protocol, destination port, and source address match conditions for the term.

  7. Define the action for the term.

  8. Create the third filter term.

  9. Define the action for the term.

  10. Apply the filter to the input side of the Routing Engine interface.
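The set commands that the quick configuration and steps 1 through 10 describe, reconstructed here from the term descriptions in the Overview as an added example rather than copied from the original page; it assumes the filter is for IPv4 (family inet) and that the Routing Engine interface is lo0 unit 0, neither of which the page states.

```junos
set firewall family inet filter protect-RE term ssh-term from source-address 192.168.122.0/24
set firewall family inet filter protect-RE term ssh-term from protocol tcp
set firewall family inet filter protect-RE term ssh-term from destination-port ssh
set firewall family inet filter protect-RE term ssh-term then accept
set firewall family inet filter protect-RE term bgp-term from source-address 10.2.1.0/24
set firewall family inet filter protect-RE term bgp-term from protocol tcp
set firewall family inet filter protect-RE term bgp-term from destination-port bgp
set firewall family inet filter protect-RE term bgp-term then accept
set firewall family inet filter protect-RE term discard-rest-term then log
set firewall family inet filter protect-RE term discard-rest-term then syslog
set firewall family inet filter protect-RE term discard-rest-term then discard
set interfaces lo0 unit 0 family inet filter input protect-RE
```

The ssh-term lines correspond to steps 2 through 4, the bgp-term lines to steps 5 through 7, the discard-rest-term lines to steps 8 and 9, and the interfaces line to step 10. Because discard-rest-term has no from clause it matches every packet the first two terms did not accept, and it logs before discarding, which is what the Displaying Stateless Firewall Filter Logs verification later relies on; the filter's implicit final discard would drop the same packets without recording them.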

Results

Confirm your configuration by entering the show firewall command and the show interfaces lo0 command from configuration mode. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Displaying Stateless Firewall Filter Configurations

Purpose

Verify the configuration of the firewall filter.

Action

From configuration mode, enter the show firewall command and the show interfaces lo0 command.

Meaning

Verify that the output shows the intended configuration of the firewall filter. In addition, verify that the terms are listed in the order in which you want the packets to be tested. You can move terms within a firewall filter by using the insert CLI command.

Verifying a Services, Protocols, and Trusted Sources Firewall Filter

Purpose

Verify that the actions of the firewall filter terms are taken.

Action

Send packets to the device that match the terms. In addition, verify that the filter actions are not taken for packets that do not match.

  • From a host with an IP address in 192.168.122.0/24, use the ssh host-name command to verify that you can log in to the device with SSH, and that SSH logins are accepted only from hosts within this address prefix.

  • Use the show route summary command to verify that the routing table on the device does not contain any entries with a protocol other than Direct, Local, BGP, or Static.

Sample Output

% ssh 192.168.249.71
user@host> show route summary

Meaning

Verify the following information:

  • You can successfully log in to the device using SSH.

  • The show route summary command does not display a protocol other than Direct, Local, BGP, or Static.

Displaying Stateless Firewall Filter Logs

Purpose

Verify that packets are being logged. If you included the log or syslog action in a term, verify that packets matching the term are recorded in the firewall log or your system logging facility.

Action

From operational mode, enter the show firewall log command.

Sample Output

user@host> show firewall log

Meaning

Each record of the output contains information about the logged packet. Verify the following information:

  • Under Time, the time of day the packet was filtered is shown.

  • The Filter output is always pfe.

  • Under Action, the configured action of the term matches the action taken on the packet—A (accept), D (discard), R (reject).

  • Under Interface, the inbound (ingress) interface on which the packet arrived is appropriate for the filter.

  • Under Protocol, the protocol in the IP header of the packet is appropriate for the filter.

  • Under Src Addr, the source address in the IP header of the packet is appropriate for the filter.

  • Under Dest Addr, the destination address in the IP header of the packet is appropriate for the filter.