Loading the Stateful Firewall Plug-In
As of Junos OS Release 9.5, a stateful firewall plug-in is provided as part of the jbundle package. To load this plug-in on the PIC, include the package jservices-sfw statement at the [edit chassis fpc slot-number pic slot-number adaptive-services service-package extension-provider] hierarchy level. For example:
user@host# show chassis
fpc 0 {
    pic 2 {
        adaptive-services {
            service-package {
                extension-provider {
                    control-cores 1;
                    data-cores 4;
                    object-cache-size 128;
                    package jservices-sfw; # Loads stateful firewall plug-in.
                    policy-db-size 64;
                }
            }
        }
    }
}
You can load both the jservices-sfw package and a Junos SDK application package on the same PIC.
The following example demonstrates the stateful firewall plug-in coexisting with a provider’s plug-in:
[edit]
services {
    service-set sset {
        stateful-firewall-rules rule1;
        interface-service {
            service-interface ms-0/0/0;
        }
        extension-service customer-plugin;
        service-order {
            forward-flow [ stateful-firewall customer-plugin ];
        }
    }
    stateful-firewall {
        rule rule1 {
            match-direction input-output;
            term term1 {
                from {
                    applications junos-ftp;
                }
                then {
                    accept;
                }
            }
        }
        rule rule2 {
            match-direction input;
            term term1 {
                from {
                    source-address {
                        192.1.1.2/32;
                    }
                }
                then {
                    reject;
                    syslog;
                }
            }
        }
    }
}
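A consistency check for the two hierarchies shown above, as an added example that is not part of the original documentation or of Juniper's tooling: it parses curly-brace configuration text and reports service sets that reference stateful firewall rules on a PIC whose extension-provider stanza does not load jservices-sfw. It assumes a service interface named ms-F/P/port sits on fpc F, pic P; the sample configuration, the package name customer-plugin and the service set sset2 are constructed for illustration.

```python
import re
TOKEN = re.compile(r"\[[^\]]*\]|[{};]|[^\s{};\[\]]+")

def parse(text):
    """Parse curly-brace Junos configuration into nested dicts (leaf -> None)."""
    stack, words = [{}], []
    for tok in TOKEN.findall(re.sub(r"#[^\n]*", "", text)):  # strip comments
        if tok not in ("{", "}", ";"):
            words.append(tok)
            continue
        key, words = " ".join(words), []
        if tok == "{":
            stack.append(stack[-1].setdefault(key, {}))
        elif tok == ";":
            stack[-1][key] = None
        elif len(stack) == 1:
            raise ValueError("unmatched closing brace")
        else:
            stack.pop()
    if len(stack) != 1:
        raise ValueError("missing closing brace")
    return stack[0]

def sfw_not_loaded(cfg):
    """Return (service-set, fpc/pic) pairs whose extension-provider PIC lacks jservices-sfw."""
    findings = []
    for name, body in (cfg.get("services") or {}).items():
        if not any(k.startswith("stateful-firewall-rules ") for k in body or {}):
            continue
        for stmt in body.get("interface-service") or {}:
            m = re.fullmatch(r"service-interface ms-(\d+)/(\d+)/\d+(?:\.\d+)?", stmt)
            if not m:
                continue
            node = cfg.get("chassis")  # assumption: ms-F/P/port sits on fpc F, pic P
            for key in (f"fpc {m[1]}", f"pic {m[2]}", "adaptive-services",
                        "service-package", "extension-provider"):
                node = (node or {}).get(key)
            if node is not None and "package jservices-sfw" not in node:
                findings.append((name.split()[-1], f"{m[1]}/{m[2]}"))
    return findings

# Constructed sample: customer-plugin as a package name and sset2 are hypothetical.
SAMPLE = """
chassis {
  fpc 0 { pic 2 { adaptive-services { service-package { extension-provider { package jservices-sfw; } } } } }
  fpc 1 { pic 0 { adaptive-services { service-package { extension-provider { package customer-plugin; } } } } } }
services {
  service-set sset { stateful-firewall-rules rule1; interface-service { service-interface ms-0/2/0; } }
  service-set sset2 { stateful-firewall-rules rule2; interface-service { service-interface ms-1/0/0; } } }"""
```

PICs with no extension-provider stanza are skipped, and a package name that differs from jservices-sfw by a single character (for example a dash substituted during copy and paste) is reported as not loaded.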
