Example: Configuring a Stateless Firewall Filter to Handle Fragments
This example shows how to create a stateless firewall filter that handles packet fragments.
Requirements
No special configuration beyond device initialization is required before configuring stateless firewall filters.
Overview
In this example, you create a stateless firewall filter called fragment-RE that handles fragmented packets. This example includes the following firewall filter terms:
- small-offset-term—Discards packets with a small fragment offset (1 through 5) so that the subsequent terms in the firewall filter are matched against all of the headers in a packet rather than against a fragment that could overlap the transport header. In addition, the term writes a record to the system logging facility.
- not-fragmented-term—Accepts unfragmented TCP packets with a source address in 10.2.1.0/24 and a destination port of bgp (179). A packet is considered unfragmented if both the more-fragments (MF) flag and the fragment offset field in its IP header are 0.
- first-fragment-term—Accepts the first fragment of a fragmented TCP packet with a source address in 10.2.1.0/24 and a destination port of bgp. A first fragment has a fragment offset of 0 and the MF flag set, so it still carries the TCP header that the protocol and port conditions are matched against.
- fragment-term—Accepts all remaining fragments (fragment offsets 6 through 8191) that were not discarded by small-offset-term. Because these fragments carry no transport header, the term can match only on IP header fields. Only fragments that belong to a packet whose first fragment was accepted by first-fragment-term are reassembled by the device.
The fragment offset of a non-first fragment can range from 1 through 8191 (the field is 13 bits wide, in units of 8 bytes).
Note: You can move terms within the firewall filter using the insert command. See insert in the Junos CLI User Guide.
Configuration
CLI Quick Configuration
To quickly configure the stateless firewall filter, copy the following commands and paste them into the CLI.
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.
To configure the stateless firewall filter:
Define the stateless firewall filter.
[edit]
user@host# edit firewall family inet filter fragment-RE
Define the first term for the filter.
[edit firewall family inet filter fragment-RE]
user@host# edit term small-offset-term
Define the match conditions for the term.
[edit firewall family inet filter fragment-RE term small-offset-term]
user@host# set from fragment-offset 1-5
Define the action for the term.
[edit firewall family inet filter fragment-RE term small-offset-term]
user@host# set then syslog discard
Return to the top of the configuration hierarchy (for example, with the top command) and define the second term for the filter.
[edit]
user@host# edit firewall family inet filter fragment-RE term not-fragmented-term
Define the match conditions for the term.
[edit firewall family inet filter fragment-RE term not-fragmented-term]
user@host# set from fragment-flags 0x0 fragment-offset 0 protocol tcp destination-port bgp source-address 10.2.1.0/24
Define the action for the term.
[edit firewall family inet filter fragment-RE term not-fragmented-term]
user@host# set then accept
Return to the top of the hierarchy and define the third term for the filter.
[edit]
user@host# edit firewall family inet filter fragment-RE term first-fragment-term
Define the match conditions for the term.
[edit firewall family inet filter fragment-RE term first-fragment-term]
user@host# set from first-fragment protocol tcp destination-port bgp source-address 10.2.1.0/24
Define the action for the term.
[edit firewall family inet filter fragment-RE term first-fragment-term]
user@host# set then accept
Return to the top of the hierarchy and define the last term for the filter.
[edit]
user@host# edit firewall family inet filter fragment-RE term fragment-term
Define the match conditions for the term. Note that the range is typed with a plain hyphen.
[edit firewall family inet filter fragment-RE term fragment-term]
user@host# set from fragment-offset 6-8191
Define the action for the term.
[edit firewall family inet filter fragment-RE term fragment-term]
user@host# set then accept
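The following Python script is an added illustration and is not part of the Junos documentation or of the Junos software. It models how the four terms configured above evaluate constructed IPv4/TCP packets: the terms are applied in configured order with first-match semantics, and a packet that matches no term hits the implicit discard at the end of the filter. The packets, the addresses 10.2.1.5 (a trusted peer) and 192.0.2.9 (an untrusted host), and all function names are constructed for this example. "Unfragmented" is modelled using the definition given in the Overview (MF flag clear and fragment offset 0); the exact bit-match semantics of the Junos fragment-flags 0x0 condition are not modelled and should be confirmed on the device.

```python
"""Model of the fragment-RE filter terms against constructed IPv4/TCP packets.

Added example, not Junos code. Applies the four terms in configured order
with first-match semantics and the implicit final discard. 'Unfragmented'
follows the page's own definition (MF clear and fragment offset 0); the exact
Junos bit-match semantics of 'fragment-flags 0x0' are not modelled.
"""
import ipaddress
import struct

BGP_PORT = 179
PROTO_TCP = 6
TRUSTED = ipaddress.ip_network("10.2.1.0/24")  # source-address 10.2.1.0/24


def build_ipv4(src, dst, proto, mf, offset, payload):
    """Build a minimal IPv4 packet (20-byte header, no options). Constructed input."""
    flags_frag = ((0b001 if mf else 0) << 13) | (offset & 0x1FFF)  # MF is bit 13
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0x1234, flags_frag, 64, proto, 0,
        ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed,
    )
    return header + payload


def build_tcp(sport, dport):
    """Minimal 20-byte TCP header with SYN set (checksum left zero). Constructed input."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def parse(pkt):
    """Return the header fields the filter terms match on."""
    ihl = (pkt[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    fields = {
        "src": ipaddress.ip_address(pkt[12:16]),
        "proto": pkt[9],
        "mf": bool(flags_frag & 0x2000),
        "offset": flags_frag & 0x1FFF,
        "dport": None,
    }
    # Only a fragment with offset 0 carries the transport header. Later
    # fragments have no TCP header, so a port condition can never match them.
    if fields["offset"] == 0 and fields["proto"] == PROTO_TCP and len(pkt) >= ihl + 4:
        fields["dport"] = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return fields


def bgp_from_trusted(f):
    """protocol tcp destination-port bgp source-address 10.2.1.0/24"""
    return f["proto"] == PROTO_TCP and f["dport"] == BGP_PORT and f["src"] in TRUSTED


def filter_fragment_re(pkt):
    """Evaluate the terms in configured order; return (matching term, action)."""
    f = parse(pkt)
    if 1 <= f["offset"] <= 5:                                       # small-offset-term
        return ("small-offset-term", "syslog discard")
    if not f["mf"] and f["offset"] == 0 and bgp_from_trusted(f):    # not-fragmented-term
        return ("not-fragmented-term", "accept")
    if f["mf"] and f["offset"] == 0 and bgp_from_trusted(f):        # first-fragment-term
        return ("first-fragment-term", "accept")
    if 6 <= f["offset"] <= 8191:                                    # fragment-term
        return ("fragment-term", "accept")
    return (None, "discard")                                        # implicit final discard


def demo():
    """Run constructed packets through the filter and return the verdicts."""
    tcp_bgp = build_tcp(50000, BGP_PORT)
    tcp_ssh = build_tcp(50000, 22)
    cases = {
        "tiny fragment":    build_ipv4("10.2.1.5", "10.2.1.1", PROTO_TCP, True, 2, b"\x00" * 16),
        "bgp unfragmented": build_ipv4("10.2.1.5", "10.2.1.1", PROTO_TCP, False, 0, tcp_bgp),
        "bgp first frag":   build_ipv4("10.2.1.5", "10.2.1.1", PROTO_TCP, True, 0, tcp_bgp),
        "later fragment":   build_ipv4("192.0.2.9", "10.2.1.1", PROTO_TCP, False, 100, b"\x00" * 16),
        "bgp untrusted":    build_ipv4("192.0.2.9", "10.2.1.1", PROTO_TCP, False, 0, tcp_bgp),
        "ssh trusted":      build_ipv4("10.2.1.5", "10.2.1.1", PROTO_TCP, False, 0, tcp_ssh),
    }
    return {name: filter_fragment_re(pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} -> {verdict}")
```

The "later fragment" case shows why fragment-term matches only on the fragment offset: a non-first fragment carries no TCP header, so a protocol or destination-port condition could never be evaluated against it. The device therefore accepts such fragments from any source, and they only become useful traffic if a first fragment admitted by first-fragment-term allows reassembly to complete.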
Results
Confirm your configuration by entering the show firewall command from configuration mode. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform these tasks:
- Displaying Stateless Firewall Filter Configurations
- Verifying a Firewall Filter that Handles Fragments
Displaying Stateless Firewall Filter Configurations
Purpose
Verify the configuration of the firewall filter. You can analyze the flow of the filter terms by displaying the entire configuration.
Action
From configuration mode, enter the show firewall command.
Meaning
Verify that the output shows the intended configuration of the firewall filter. In addition, verify that the terms are listed in the order in which you want the packets to be tested. You can move terms within a firewall filter by using the insert CLI command.
Verifying a Firewall Filter that Handles Fragments
Purpose
Verify that the actions of the firewall filter terms are taken.
Action
Send packets to the device that match the terms, and also send packets that match no term to confirm that the filter actions are not taken for them.
- Verify that packets with small fragment offsets are recorded in the router's system logging facility (for example, with the show log messages operational command).
- Use the show route summary command to verify that the routing table does not contain any entries with a protocol other than Direct, Local, BGP, or Static, which confirms that the BGP sessions from 10.2.1.0/24 continue to be accepted by the filter.
Sample Output
user@host> show route summary
Router ID: 192.168.249.71
inet.0: 34 destinations, 34 routes (33 active, 0 holddown, 1 hidden)
Direct: 10 routes, 9 active
Local: 9 routes, 9 active
BGP: 10 routes, 10 active
Static: 5 routes, 5 active
...
Meaning
Verify that the show route summary command does not display a protocol other than Direct, Local, BGP, or Static.
Related Topics
show route summary in the Junos Routing Protocols and Policies Command Reference.