루프백 인터페이스의 방화벽 필터 지원
루프백 인터페이스는 라우터의 라우팅 엔진으로 들어오는 모든 제어 트래픽의 게이트웨이입니다. 이 제어 트래픽을 모니터링하려면 루프백 인터페이스(lo0)에서 방화벽 필터를 구성해야 합니다.
루프백 방화벽 필터는 추가 처리를 위해 라우팅 엔진으로 전송된 패킷에만 적용됩니다. inet 및 inet6 제품군 필터가 모두 지원되며, lo0 인터페이스의 수신 및 송신 방향에 방화벽 필터를 적용할 수 있습니다. 그러나 방화벽 필터의 인스턴스만 interface-specific
지원됩니다.
표준 방화벽 필터 일치 조건은 IPv4 트래픽 일치 조건(ACX 시리즈 라우터)을 참조하십시오.
lo0의 방화벽 필터는 수신 방향에서 다음과 같은 예외 패킷을 처리합니다.
-
TTL 예외 패킷
-
대상 IP 주소가 224.0.0.x인 멀티캐스트 패킷
-
브로드캐스트 패킷
-
IP 옵션 패킷
수신 방향의 루프백 필터에 폴리서 작업을 연결할 수 있지만 정확한 동작은 CPU RX 대기열 구성에 따라 다릅니다. 예를 들어, 수신 방향의 속도 제한(폴리서 구성을 통해)은 CPU 속도 제한기 이후에 발생합니다.
다음은 루프백 인터페이스에 방화벽을 연결하기 위한 샘플 구성입니다.
[edit interfaces] lo0 { unit 0 { family <inet | inet6> { filter { input f1; } } } } family <inet | inet6>{ filter f1 { interface-specific; >> Mandatory Field. term t1 { from { protocol ospf; } then { count c1; discard; } } term t2 { then { count c2; accept; } } } }
BGP, OSPF, SSH, Telnet, ICMP, SNMP 등과 같이 일반적으로 사용되는 프로토콜과 일치하도록 루프백 방화벽 필터를 구성할 수도 있습니다. 샘플 구성은 다음과 같습니다.
set firewall family inet filter LoTest interface-specific set firewall family inet filter LoTest term tc1-ospfv2 from source-address 10.1.1.3/32 set firewall family inet filter LoTest term tc1-ospfv2 from protocol ospf set firewall family inet filter LoTest term tc1-ospfv2 then count LoCount set firewall family inet filter LoTest term tc1-ospfv2 then accept set firewall family inet filter LoTest term tc1-bgp4 from source-address 10.1.1.3/32 set firewall family inet filter LoTest term tc1-bgp4 from protocol tcp set firewall family inet filter LoTest term tc1-bgp4 from destination-port bgp set firewall family inet filter LoTest term tc1-bgp4 then count LoCount set firewall family inet filter LoTest term tc1-bgp4 then accept set firewall family inet filter LoTest term tc3-icmp from source-address 10.1.1.5/32 set firewall family inet filter LoTest term tc3-icmp from protocol icmp set firewall family inet filter LoTest term tc3-icmp from icmp-type 11 set firewall family inet filter LoTest term tc3-icmp from icmp-code 1 set firewall family inet filter LoTest term tc3-icmp then count LoCount set firewall family inet filter LoTest term tc3-icmp then accept set firewall family inet filter LoTest term tc5-tcpSyn from source-address 10.1.1.7/32 set firewall family inet filter LoTest term tc5-tcpSyn from protocol tcp set firewall family inet filter LoTest term tc5-tcpSyn from tcp-flags syn set firewall family inet filter LoTest term tc5-tcpSyn then policer LoPolicer set firewall family inet filter LoTest term tc5-tcpSyn then count LoCount set firewall family inet filter LoTest term tc5-tcpSyn then accept set firewall family inet filter LoTest term tc6-snmp from source-address 10.1.1.8/32 set firewall family inet filter LoTest term tc6-snmp from protocol udp set firewall family inet filter LoTest term tc6-snmp from destination-port snmp set firewall family inet filter LoTest term tc6-snmp then count LoCount set firewall family inet filter LoTest term tc6-snmp then accept set firewall family inet filter LoTest term tc6-ntp from source-address 10.1.1.8/32 set firewall family inet filter LoTest term tc6-ntp from protocol udp set firewall family inet filter LoTest term tc6-ntp from destination-port ntp set firewall family inet filter LoTest term tc6-ntp then count LoCount set firewall family inet filter LoTest term tc6-ntp then accept set firewall family inet filter LoTest term tc6-dns from source-address 10.1.1.8/32 set firewall family inet filter LoTest term tc6-dns from protocol udp set firewall family inet filter LoTest term tc6-dns from destination-port domain set firewall family inet filter LoTest term tc6-dns then count LoCount set firewall family inet filter LoTest term tc6-dns then accept set firewall family inet filter LoTest term tc8-ipOptions from source-address 10.1.1.10/32 set firewall family inet filter LoTest term tc8-ipOptions from ip-options router-alert set firewall family inet filter LoTest term tc8-ipOptions then count LoCount set firewall family inet filter LoTest term tc8-ipOptions then accept set firewall family inet filter LoTest term tc9-icmp from source-address 10.1.1.11/32 set firewall family inet filter LoTest term tc9-icmp from protocol icmp set firewall family inet filter LoTest term tc9-icmp from icmp-type 11 set firewall family inet filter LoTest term tc9-icmp from icmp-code 1 set firewall family inet filter LoTest term tc9-icmp then policer LoPolicer set firewall family inet filter LoTest term tc9-icmp then count LoCount set firewall family inet filter LoTest term tc9-icmp then accept set firewall family inet filter LoTest term tc12-ospfv2 from source-address 10.1.1.13/32 set firewall family inet filter LoTest term tc12-ospfv2 from protocol ospf set firewall family inet filter LoTest term tc12-ospfv2 then count LoCount set firewall family inet filter LoTest term tc12-ospfv2 then accept set firewall family inet filter LoTest term tc13-ssh from source-address 10.1.1.14/32 set firewall family inet filter LoTest term tc13-ssh from protocol tcp set firewall family inet filter LoTest term tc13-ssh from destination-port ssh set firewall family inet filter LoTest term tc13-ssh then count LoCount set firewall family inet filter LoTest term tc13-ssh then discard set firewall family inet filter LoTest term tc14-pl from source-address 10.1.1.15/32 set firewall family inet filter LoTest term tc14-pl from packet-length 4000-9000 set firewall family inet filter LoTest term tc14-pl from protocol ospf set firewall family inet filter LoTest term tc14-pl then count LoCount set firewall family inet filter LoTest term tc14-pl then accept set firewall family inet filter LoTest term tc16-pl from source-address 10.1.1.17/32 set firewall family inet filter LoTest term tc16-pl from fragment-flags more-fragments set firewall family inet filter LoTest term tc16-pl from protocol ospf set firewall family inet filter LoTest term tc16-pl then count LoCount set firewall family inet filter LoTest term tc16-pl then discard set firewall family inet filter LoTest term tc17-ssh from source-address 10.1.1.18/32 set firewall family inet filter LoTest term tc17-ssh from destination-address 10.216.66.30/32 set firewall family inet filter LoTest term tc17-ssh from protocol tcp set firewall family inet filter LoTest term tc17-ssh from destination-port ssh set firewall family inet filter LoTest term tc17-ssh then count LoCount set firewall family inet filter LoTest term tc17-ssh then accept set firewall family inet filter LoTest term all then accept set firewall family inet6 filter LoTest6 interface-specific set firewall family inet6 filter LoTest6 term tc2-ospfv3 from source-address 2001:db8:4136:e378:8000:63bf:3fff:fdd2 set firewall family inet6 filter LoTest6 term tc2-ospfv3 from next-header ospf set firewall family inet6 filter LoTest6 term tc2-ospfv3 then count LoCount6 set firewall family inet6 filter LoTest6 term tc2-ospfv3 then accept set firewall family inet6 filter LoTest6 term tc2-bgp4plus from source-address 2001:db8:4136:e378:8000:63bf:3fff:fdd2 set firewall family inet6 filter LoTest6 term tc2-bgp4plus from next-header tcp set firewall family inet6 filter LoTest6 term tc2-bgp4plus from destination-port bgp set firewall family inet6 filter LoTest6 term tc2-bgp4plus then count LoCount6 set firewall family inet6 filter LoTest6 term tc2-bgp4plus then accept set firewall family inet6 filter LoTest6 term tc4-icmpv6 from source-address 2001:db8:4136:e378:8000:63bf:3fff:fdd3 set firewall family inet6 filter LoTest6 term tc4-icmpv6 from next-header icmp6 set firewall family inet6 filter LoTest6 term tc4-icmpv6 from icmp-type 1 set firewall family inet6 filter LoTest6 term tc4-icmpv6 from icmp-code 0 set firewall family inet6 filter LoTest6 term tc4-icmpv6 then count LoCount6 set firewall family inet6 filter LoTest6 term tc4-icmpv6 then accept set firewall family inet6 filter LoTest6 term tc7-snmp from next-header udp set firewall family inet6 filter LoTest6 term tc7-snmp from destination-port snmp set firewall family inet6 filter LoTest6 term tc7-snmp then count LoCount6 set firewall family inet6 filter LoTest6 term tc7-snmp then accept set firewall family inet6 filter LoTest6 term tc7-ntp from next-header udp set firewall family inet6 filter LoTest6 term tc7-ntp from destination-port ntp set firewall family inet6 filter LoTest6 term tc7-ntp then count LoCount6 set firewall family inet6 filter LoTest6 term tc7-ntp then accept set firewall family inet6 filter LoTest6 term tc7-dns from next-header udp set firewall family inet6 filter LoTest6 term tc7-dns from destination-port domain set firewall family inet6 filter LoTest6 term tc7-dns then count LoCount6 set firewall family inet6 filter LoTest6 term tc7-dns then accept set firewall family inet6 filter LoTest6 term tc10-icmp from source-address 2001:db8:4136:e378:8000:63bf:3fff:fdd4 set firewall family inet6 filter LoTest6 term tc10-icmp from next-header icmp6 set firewall family inet6 filter LoTest6 term tc10-icmp from icmp-type 1 set firewall family inet6 filter LoTest6 term tc10-icmp from icmp-code 0 set firewall family inet6 filter LoTest6 term tc10-icmp then policer LoPolicer set firewall family inet6 filter LoTest6 term tc10-icmp then count LoCount6 set firewall family inet6 filter LoTest6 term tc10-icmp then accept set firewall family inet6 filter LoTest6 term all then accept set firewall policer LoPolicer if-exceeding bandwidth-limit 22k set firewall policer LoPolicer if-exceeding burst-size-limit 20k set firewall policer LoPolicer then discard