Configuring Stateful Firewall Rules
To configure a stateful firewall rule, include the rule rule-name statement at the [edit services stateful-firewall] hierarchy level:
On ACX500 routers, to enable syslog, include the stateful-firewall-logs CLI statement at the [edit services service-set service-set-name syslog host local class] hierarchy level.
Each stateful firewall rule consists of a set of terms, similar to a filter configured at the [edit firewall] hierarchy level. A term consists of the following:
from statement—Specifies the match conditions and applications that are included and excluded. The from statement is optional in stateful firewall rules.
then statement—Specifies the actions and action modifiers to be performed by the router software. The then statement is mandatory in stateful firewall rules.
ACX500 Series routers do not support the following while configuring stateful firewall rules:
match-direction (output | input-output)
post-service-filter at the interface service input hierarchy level.
IPv6 source address and destination address.
application-sets, application, allow-ip-options at the [edit services stateful-firewall] hierarchy level.
Application Layer Gateways (ALGs).
Chaining of services within Multiservices Modular Interfaces Card (MS-MIC) and with inline-services (-si).
Class of service.
The following show services stateful-firewall CLI commands are not supported:
show services stateful-firewall conversations—Show conversations
show services stateful-firewall flow-analysis—Show flow table entries
show services stateful-firewall redundancy-statistics—Show redundancy statistics
show services stateful-firewall sip-call—Show SIP call information
show services stateful-firewall sip-register—Show SIP register information
show services stateful-firewall subscriber-analysis—Show subscriber table entries
The following sections explain how to configure the components of stateful firewall rules:
Configuring Match Direction for Stateful Firewall Rules
Each rule must include a match-direction statement that specifies the direction in which the rule match is applied. To configure where the match is applied, include the match-direction statement at the [edit services stateful-firewall rule rule-name] hierarchy level:
ACX500 Series routers do not support match-direction (output | input-output).
If you configure match-direction input-output, sessions initiated from both directions might match this rule.
The match direction is used with respect to the traffic flow through the AS or Multiservices PIC. When a packet is sent to the PIC, direction information is carried along with it.
With an interface service set, packet direction is determined by whether a packet is entering or leaving the interface on which the service set is applied.
With a next-hop service set, packet direction is determined by the interface used to route the packet to the AS or Multiservices PIC. If the inside interface is used to route the packet, the packet direction is input. If the outside interface is used to direct the packet to the PIC, the packet direction is output. For more information on inside and outside interfaces, see Configuring Service Sets to be Applied to Services Interfaces.
On the PIC, a flow lookup is performed. If no flow is found, rule processing is performed. Rules in this service set are considered in sequence until a match is found. During rule processing, the packet direction is compared against rule directions. Only rules with direction information that matches the packet direction are considered. Most packets result in the creation of bidirectional flows.
Configuring Match Conditions in Stateful Firewall Rules
To configure stateful firewall match conditions, include the from statement at the [edit services stateful-firewall rule rule-name term term-name] hierarchy level:
The source address and destination address can be either IPv4 or IPv6.
You can use either the source address or the destination address as a match condition, in the same way that you would configure a firewall filter; for more information, see the Routing Policies, Firewall Filters, and Traffic Policers User Guide. You can use the wildcard values any-unicast, which denotes matching all unicast addresses, any-ipv4, which denotes matching all IPv4 addresses, or any-ipv6, which denotes matching all IPv6 addresses.
Alternatively, you can specify a list of source or destination prefixes by configuring the prefix-list statement at the [edit policy-options] hierarchy level and then including either the destination-prefix-list or the source-prefix-list statement in the stateful firewall rule. For an example, see Examples: Configuring Stateful Firewall Rules.
If you omit the from term, the stateful firewall accepts all traffic and the default protocol handlers take effect:
User Datagram Protocol (UDP), Transmission Control Protocol (TCP), and Internet Control Message Protocol (ICMP) create a bidirectional flow with a predicted reverse flow.
IP creates a unidirectional flow.
You can also include application protocol definitions you have configured at the [edit applications] hierarchy level; for more information, see Configuring Application Properties.
To apply one or more specific application protocol definitions, include the applications statement at the [edit services stateful-firewall rule rule-name term term-name from] hierarchy level.
To apply one or more sets of application protocol definitions you have defined, include the application-sets statement at the [edit services stateful-firewall rule rule-name term term-name from] hierarchy level.
If you include one of the statements that specifies application protocols, the router derives port and protocol information from the corresponding configuration at the [edit applications] hierarchy level; you cannot specify these properties as match conditions.
Configuring Actions in Stateful Firewall Rules
To configure stateful firewall actions, include the then statement at the [edit services stateful-firewall rule rule-name term term-name] hierarchy level:
You must include one of the following actions:
accept—The packet is accepted and sent on to its destination.
accept skip-ids—The packet is accepted and sent on to its destination, but IDS rule processing configured on an MS-MPC is skipped.
discard—The packet is not accepted and is not processed further.
reject—The packet is not accepted and a rejection message is returned; UDP sends an ICMP unreachable code and TCP sends RST. Rejected packets can be logged or sampled.
The ACX500 indoor routers do not support the action accept skip-ids.
You can optionally configure the firewall to record information in the system logging facility by including the syslog statement at the [edit services stateful-firewall rule rule-name term term-name then] hierarchy level. This statement overrides any syslog setting included in the service set or interface default configuration.
Configuring IP Option Handling
You can optionally configure the firewall to inspect IP header information by including the allow-ip-options statement at the [edit services stateful-firewall rule rule-name term term-name then] hierarchy level. When you configure this statement, all packets that match the criteria specified in the from statement are subjected to additional matching criteria. A packet is accepted only when all of its IP option types are configured as values in the allow-ip-options statement. If you do not configure allow-ip-options, only packets without IP header options are accepted.
ACX500 indoor routers do not support the configuration of allow-ip-options statement.
The additional IP header option inspection applies only to the accept and reject stateful firewall actions. This configuration has no effect on the discard action. When the IP header inspection fails, reject frames are not sent; in this case, the reject action has the same effect as discard.
If an IP option packet is accepted by the stateful firewall, Network Address Translation (NAT) and intrusion detection service (IDS) are applied in the same way as to packets without IP option headers. The IP option configuration appears only in the stateful firewall rules; NAT applies to packets with or without IP options.
When a packet is dropped because it fails the IP option inspection, this exception event generates both IDS event and system log messages. The event type depends on the first IP option field rejected.
Table 1 lists the possible values for the allow-ip-options statement. You can include a range or set of numeric values, or one or more of the predefined IP option settings. You can enter either the option name or its numeric equivalent. For more information, refer to http://www.iana.org/assignments/ip-parameters.
Table 1: IP Option Values
IP Option Name
Any IP option