Example: Configuring a Stateless Firewall Filter to Protect Against TCP and ICMP Floods
This example shows how to create a stateless firewall filter that protects against TCP and ICMP denial-of-service attacks.
Requirements
No special configuration beyond device initialization is required before configuring stateless firewall filters.
Overview
In this example, you create a stateless firewall filter called protect-RE that polices TCP and ICMP packets. This example includes the following policers:
- tcp-connection-policer—Limits the traffic rate of the TCP packets to 500,000 bps and the burst size to 15,000 bytes. Packets that exceed the traffic rate are discarded.
- icmp-policer—Limits the traffic rate of the ICMP packets to 1,000,000 bps and the burst size to 15,000 bytes. Packets that exceed the traffic rate are discarded.
When specifying limits, the bandwidth limit can be from 32,000 bps to 32,000,000,000 bps and the burst size limit can be from 1,500 bytes through 100,000,000 bytes. Use the following abbreviations when specifying limits: k (1,000), m (1,000,000), and g (1,000,000,000).
Each policer is incorporated into the action of a filter term. This example includes the following terms:
- tcp-connection-term—Polices certain TCP packets with a source address of 192.168.122.0/24 or 10.2.1.0/24. These addresses are defined in the trusted-addresses prefix list. Policed packets include connection request packets (SYN and ACK flag bits equal 1 and 0, respectively), connection release packets (FIN flag bit equals 1), and connection reset packets (RST flag bit equals 1).
- icmp-term—Polices echo request packets, echo response packets, unreachable packets, and time-exceeded packets. All of these ICMP packets are counted in the icmp-counter counter.
Note: You can move terms within the firewall filter using the insert command. See insert in the Junos CLI User Guide.
If you want to include the terms created in this procedure in the protect-RE firewall filter configured in Example: Configuring a Stateless Firewall Filter to Accept Traffic from Trusted Sources, perform the configuration tasks in this example first, then configure the terms as described in Example: Configuring a Stateless Firewall Filter to Accept Traffic from Trusted Sources. This approach ensures that the rate-limiting terms are included as the first two terms in the firewall filter.
Configuration
CLI Quick Configuration
To quickly configure the stateless firewall filter, copy the following commands and paste them into the CLI.
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.
To configure stateless firewall filter policers:
Define the first policer.
[edit]
user@host# edit firewall policer tcp-connection-policer
Define the action for the policer.
[edit firewall policer tcp-connection-policer]
user@host# set then discard
Define the rate limits for the policer.
[edit firewall policer tcp-connection-policer]
user@host# set filter-specific if-exceeding burst-size-limit 15k bandwidth-limit 500k
Define the second policer.
[edit]
user@host# edit firewall policer icmp-policer
Define the action for the policer.
[edit firewall policer icmp-policer]
user@host# set then discard
Set the rate limits for the policer.
[edit firewall policer icmp-policer]
user@host# set filter-specific if-exceeding burst-size-limit 15k bandwidth-limit 1m
Define the prefix list.
[edit]
user@host# set policy-options prefix-list trusted-addresses 192.168.122.0/24
user@host# set policy-options prefix-list trusted-addresses 10.2.1.0/24
Create the stateless firewall filter.
[edit]
user@host# edit firewall family inet filter protect-RE
Define the first term for the filter.
[edit firewall family inet filter protect-RE]
user@host# edit term tcp-connection-term
Define the source address match condition for the term.
[edit firewall family inet filter protect-RE term tcp-connection-term]
user@host# set from source-prefix-list trusted-addresses
Define protocol match conditions for the term.
[edit firewall family inet filter protect-RE term tcp-connection-term]
user@host# set from protocol tcp tcp-flags "(syn & !ack) | fin | rst"
Define the actions for the term.
[edit firewall family inet filter protect-RE term tcp-connection-term]
user@host# set then policer tcp-connection-policer accept
Define the second term.
[edit]
user@host# edit firewall family inet filter protect-RE term icmp-term
Define the protocol for the term.
[edit firewall family inet filter protect-RE term icmp-term]
user@host# set from protocol icmp
Define the match conditions for the term.
[edit firewall family inet filter protect-RE term icmp-term]
user@host# set from icmp-type [echo-request echo-reply unreachable time-exceeded]
Define the action for the term.
[edit firewall family inet filter protect-RE term icmp-term]
user@host# set then policer icmp-policer count icmp-counter accept
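To reason about what the terms and policers above actually let through, here is an offline model written for this page (added example, not Junos code): it reproduces the tcp-connection-term match and models a policer as a token bucket filled at bandwidth-limit bps and capped at burst-size-limit bytes. The token-bucket behaviour and the 1500-byte-per-millisecond flood are assumptions made here for illustration, not statements about Junos internals.

```python
"""Offline model of the protect-RE terms configured above (added example, not Junos code)."""
import ipaddress

# Prefixes from the trusted-addresses prefix list in this example.
TRUSTED_ADDRESSES = [ipaddress.ip_network(p) for p in ("192.168.122.0/24", "10.2.1.0/24")]
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10  # TCP flag bits


def tcp_connection_term_matches(src, flags):
    """True when tcp-connection-term polices the packet: trusted source and "(syn & !ack) | fin | rst"."""
    from_trusted = any(ipaddress.ip_address(src) in net for net in TRUSTED_ADDRESSES)
    syn_only = bool(flags & SYN) and not flags & ACK
    return from_trusted and (syn_only or bool(flags & FIN) or bool(flags & RST))


class Policer:
    """Token-bucket model (assumption) of 'if-exceeding bandwidth-limit / burst-size-limit', 'then discard'."""

    def __init__(self, bandwidth_bps, burst_bytes):
        self.bytes_per_ms = bandwidth_bps / 8000  # refill rate derived from bandwidth-limit
        self.burst = burst_bytes                  # bucket depth = burst-size-limit
        self.tokens = float(burst_bytes)
        self.last_ms = 0

    def offer(self, size, now_ms):
        # Refill for the time elapsed since the last packet, never beyond the burst size.
        self.tokens = min(self.burst, self.tokens + (now_ms - self.last_ms) * self.bytes_per_ms)
        self.last_ms = now_ms
        if size <= self.tokens:
            self.tokens -= size
            return "accept"
        return "discard"  # out-of-profile packets hit the policer's 'then discard'


def simulate(policer, packets):
    """packets: iterable of (size_bytes, arrival_ms). Returns (accepted, discarded)."""
    verdicts = [policer.offer(size, t) for size, t in packets]
    return verdicts.count("accept"), verdicts.count("discard")


# Constructed flood: 1500-byte ICMP packets every millisecond (12 Mbps) against the 1 Mbps icmp-policer.
ICMP_FLOOD = [(1500, ms) for ms in range(100)]

if __name__ == "__main__":
    print(tcp_connection_term_matches("10.2.1.7", SYN))         # True: connection request is policed
    print(tcp_connection_term_matches("10.2.1.7", SYN | ACK))   # False: SYN-ACK is not a request
    print(tcp_connection_term_matches("203.0.113.5", RST))     # False: source is not trusted
    print(simulate(Policer(1_000_000, 15_000), ICMP_FLOOD))    # (18, 82)
```

The burst of 15,000 bytes admits the first ten 1500-byte packets, after which only about one packet in twelve fits the 125 bytes per millisecond refill, so the counters you read later should show the policer discarding most of such a flood.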
Results
Confirm your configuration by entering the show firewall command and the show policy-options command from configuration mode. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform these tasks:
- Displaying Stateless Firewall Filter Configurations
- Verifying a TCP and ICMP Flood Firewall Filter
- Displaying Firewall Filter Statistics
Displaying Stateless Firewall Filter Configurations
Purpose
Verify the configuration of the firewall filter.
Action
From configuration mode, enter the show firewall command.
Meaning
Verify that the output shows the intended configuration of the firewall filter. In addition, verify that the terms are listed in the order in which you want the packets to be tested. You can move terms within a firewall filter by using the insert CLI command.
Verifying a TCP and ICMP Flood Firewall Filter
Purpose
Verify that the actions of the firewall filter terms are taken.
Action
Send packets to the device that match the terms. In addition, verify that the filter actions are not taken for packets that do not match.
- Verify that the device can establish only TCP sessions with a host at an IP address that matches 192.168.122.0/24 or 10.2.1.0/24. For example, log in to the device with the telnet host-name command from another host with one of these address prefixes.
- Use the ping host-name command to verify that the device responds only to ICMP packets (such as ping requests) that do not exceed the policer traffic rates.
- Use the ping host-name size bytes command to exceed the policer traffic rates by sending ping requests with large data payloads.
Sample Output
user@host> telnet 192.168.249.71
Trying 192.168.249.71...
Connected to host.acme.net.
Escape character is '^]'.
host (ttyp0)
login: user
Password:
--- JUNOS 6.4-20040521.1 built 2004-05-21 09:38:12 UTC
user@host>

user@host> ping 192.168.249.71
PING host-ge-000.acme.net (192.168.249.71): 56 data bytes
64 bytes from 192.168.249.71: icmp_seq=0 ttl=253 time=11.946 ms
64 bytes from 192.168.249.71: icmp_seq=1 ttl=253 time=19.474 ms
64 bytes from 192.168.249.71: icmp_seq=2 ttl=253 time=14.639 ms
...

user@host> ping 192.168.249.71 size 20000
PING host-ge-000.acme.net (192.168.249.71): 20000 data bytes
^C
--- host-ge-000.acme.net ping statistics ---
12 packets transmitted, 0 packets received, 100% packet loss
Meaning
Verify the following information:
- You can successfully log in to the device using Telnet.
- The device sends responses to the ping host command.
- The device does not send responses to the ping host size 20000 command.
Displaying Firewall Filter Statistics
Purpose
Verify that packets are being policed and counted.
Action
From operational mode, enter the show firewall filter filter-name command.
Sample Output
user@host> show firewall filter protect-RE
Filter: protect-RE
Counters:
Name                          Bytes          Packets
icmp-counter                  1040000        5600
Policers:
Name                                         Packets
tcp-connection-policer                       643254873
icmp-policer                                 7391
Meaning
Verify the following information:
- Next to Filter, the name of the firewall filter is correct.
- Under Counters:
  - Under Name, the names of any counters configured in the firewall filter are correct.
  - Under Bytes, the number of bytes that match the filter term containing the count counter-name action are shown.
  - Under Packets, the number of packets that match the filter term containing the count counter-name action are shown.
- Under Policers:
  - Under Name, the names of any policers configured in the firewall filter are correct.
  - Under Packets, the number of packets that match the conditions specified for the policer are shown.
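Reading these counters by eye does not scale to a fleet, so here is a small poller for the statistics above (added example, not Junos code or part of the original page): it parses the show firewall filter output into counters and policers and reports which policers counted more packets between two polls. The first sample is the page's output; the second poll is constructed.

```python
"""Parse 'show firewall filter <name>' output and flag growing policer counts (added example, not Junos code)."""
import re

# Sample output from this example's Displaying Firewall Filter Statistics section.
SAMPLE_T0 = """\
Filter: protect-RE
Counters:
Name                          Bytes          Packets
icmp-counter                  1040000        5600
Policers:
Name                                         Packets
tcp-connection-policer                       643254873
icmp-policer                                 7391
"""

# Constructed second poll: the ICMP counter and icmp-policer have advanced, the TCP policer has not.
SAMPLE_T1 = SAMPLE_T0.replace("1040000", "1250000").replace("5600", "7200").replace("7391", "9301")


def parse_show_firewall(text):
    """Return (filter_name, counters, policers); counters map name -> (bytes, packets), policers map name -> packets."""
    name, counters, policers, section = None, {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Name"):   # skip blanks and column headers
            continue
        if line.startswith("Filter:"):
            name = line.split(":", 1)[1].strip()
        elif line == "Counters:":
            section = "counters"
        elif line == "Policers:":
            section = "policers"
        elif section == "counters":
            m = re.match(r"(\S+)\s+(\d+)\s+(\d+)$", line)
            if m:
                counters[m.group(1)] = (int(m.group(2)), int(m.group(3)))
        elif section == "policers":
            m = re.match(r"(\S+)\s+(\d+)$", line)
            if m:
                policers[m.group(1)] = int(m.group(2))
    return name, counters, policers


def policers_with_growth(before, after):
    """Names of policers whose packet count rose between two polls: the sign that a flood is being rate-limited."""
    _, _, p0 = parse_show_firewall(before)
    _, _, p1 = parse_show_firewall(after)
    return sorted(n for n in p1 if p1[n] > p0.get(n, 0))


if __name__ == "__main__":
    print(parse_show_firewall(SAMPLE_T0))                 # ('protect-RE', {'icmp-counter': (1040000, 5600)}, {...})
    print(policers_with_growth(SAMPLE_T0, SAMPLE_T1))     # ['icmp-policer']
```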
Related Topics
- Junos OS Feature Support Reference for SRX Series and J Series Devices
- show firewall in the Junos Routing Protocols and Policies Command Reference
- ping in the Junos System Basics and Services Command Reference
- telnet in the Junos System Basics and Services Command Reference
