Compatibilidad con filtros de firewall en interfaz de circuito cerrado
Una interfaz de circuito cerrado es una puerta de enlace para todo el tráfico de control que entra en el motor de enrutamiento del enrutador. Si desea supervisar este tráfico de control, debe configurar un filtro de firewall en la interfaz de circuito cerrado (lo0).
Los filtros de firewall de circuito cerrado solo se aplican a los paquetes enviados al motor de enrutamiento para su posterior procesamiento. Se admiten los filtros de familia inet e inet6, y puede aplicar un filtro de firewall en las direcciones de entrada y salida de la interfaz lo0. Sin embargo, solo interface-specific
se admiten instancias del filtro de firewall.
Para conocer las condiciones estándar de coincidencia del filtro de firewall, consulte Condiciones de coincidencia para tráfico IPv4 (enrutadores de la serie ACX).
El filtro de firewall en lo0 controla los siguientes paquetes de excepción en la dirección de entrada:
-
Paquetes de excepción TTL
-
Paquetes de multidifusión con 224.0.0.x como dirección IP de destino
-
Paquetes de difusión
-
Paquetes de opciones IP
Aunque las acciones de policía se pueden adjuntar a filtros de circuito cerrado en la dirección de entrada, el comportamiento exacto depende de las configuraciones de cola RX de la CPU. Por ejemplo, la limitación de velocidad en la dirección de entrada (a través de la configuración del aplicador de políticas) se produce después de cualquier limitador de velocidad de CPU.
A continuación se muestra un ejemplo de configuración para adjuntar un firewall a la interfaz de circuito cerrado:
[edit interfaces] lo0 { unit 0 { family <inet | inet6> { filter { input f1; } } } } family <inet | inet6>{ filter f1 { interface-specific; >> Mandatory Field. term t1 { from { protocol ospf; } then { count c1; discard; } } term t2 { then { count c2; accept; } } } }
También se puede configurar un filtro de firewall de circuito cerrado para que coincida con los protocolos de uso común, como BGP, OSPF, SSH, Telnet, ICMP, SNMP, etc. A continuación se muestra una configuración de ejemplo:
set firewall family inet filter LoTest interface-specific set firewall family inet filter LoTest term tc1-ospfv2 from source-address 2.1.1.3/32 set firewall family inet filter LoTest term tc1-ospfv2 from protocol ospf set firewall family inet filter LoTest term tc1-ospfv2 then count LoCount set firewall family inet filter LoTest term tc1-ospfv2 then accept set firewall family inet filter LoTest term tc1-bgp4 from source-address 2.1.1.3/32 set firewall family inet filter LoTest term tc1-bgp4 from protocol tcp set firewall family inet filter LoTest term tc1-bgp4 from destination-port bgp set firewall family inet filter LoTest term tc1-bgp4 then count LoCount set firewall family inet filter LoTest term tc1-bgp4 then accept set firewall family inet filter LoTest term tc3-icmp from source-address 2.1.1.5/32 set firewall family inet filter LoTest term tc3-icmp from protocol icmp set firewall family inet filter LoTest term tc3-icmp from icmp-type 11 set firewall family inet filter LoTest term tc3-icmp from icmp-code 1 set firewall family inet filter LoTest term tc3-icmp then count LoCount set firewall family inet filter LoTest term tc3-icmp then accept set firewall family inet filter LoTest term tc5-tcpSyn from source-address 2.1.1.7/32 set firewall family inet filter LoTest term tc5-tcpSyn from protocol tcp set firewall family inet filter LoTest term tc5-tcpSyn from tcp-flags syn set firewall family inet filter LoTest term tc5-tcpSyn then policer LoPolicer set firewall family inet filter LoTest term tc5-tcpSyn then count LoCount set firewall family inet filter LoTest term tc5-tcpSyn then accept set firewall family inet filter LoTest term tc6-snmp from source-address 2.1.1.8/32 set firewall family inet filter LoTest term tc6-snmp from protocol udp set firewall family inet filter LoTest term tc6-snmp from destination-port snmp set firewall family inet filter LoTest term tc6-snmp then count LoCount set firewall family inet filter LoTest term tc6-snmp then accept set firewall family inet filter LoTest term tc6-ntp from source-address 2.1.1.8/32 set firewall family inet filter LoTest term tc6-ntp from protocol udp set firewall family inet filter LoTest term tc6-ntp from destination-port ntp set firewall family inet filter LoTest term tc6-ntp then count LoCount set firewall family inet filter LoTest term tc6-ntp then accept set firewall family inet filter LoTest term tc6-dns from source-address 2.1.1.8/32 set firewall family inet filter LoTest term tc6-dns from protocol udp set firewall family inet filter LoTest term tc6-dns from destination-port domain set firewall family inet filter LoTest term tc6-dns then count LoCount set firewall family inet filter LoTest term tc6-dns then accept set firewall family inet filter LoTest term tc8-ipOptions from source-address 2.1.1.10/32 set firewall family inet filter LoTest term tc8-ipOptions from ip-options router-alert set firewall family inet filter LoTest term tc8-ipOptions then count LoCount set firewall family inet filter LoTest term tc8-ipOptions then accept set firewall family inet filter LoTest term tc9-icmp from source-address 2.1.1.11/32 set firewall family inet filter LoTest term tc9-icmp from protocol icmp set firewall family inet filter LoTest term tc9-icmp from icmp-type 11 set firewall family inet filter LoTest term tc9-icmp from icmp-code 1 set firewall family inet filter LoTest term tc9-icmp then policer LoPolicer set firewall family inet filter LoTest term tc9-icmp then count LoCount set firewall family inet filter LoTest term tc9-icmp then accept set firewall family inet filter LoTest term tc12-ospfv2 from source-address 2.1.1.13/32 set firewall family inet filter LoTest term tc12-ospfv2 from protocol ospf set firewall family inet filter LoTest term tc12-ospfv2 then count LoCount set firewall family inet filter LoTest term tc12-ospfv2 then accept set firewall family inet filter LoTest term tc13-ssh from source-address 2.1.1.14/32 set firewall family inet filter LoTest term tc13-ssh from protocol tcp set firewall family inet filter LoTest term tc13-ssh from destination-port ssh set firewall family inet filter LoTest term tc13-ssh then count LoCount set firewall family inet filter LoTest term tc13-ssh then discard set firewall family inet filter LoTest term tc14-pl from source-address 2.1.1.15/32 set firewall family inet filter LoTest term tc14-pl from packet-length 4000-9000 set firewall family inet filter LoTest term tc14-pl from protocol ospf set firewall family inet filter LoTest term tc14-pl then count LoCount set firewall family inet filter LoTest term tc14-pl then accept set firewall family inet filter LoTest term tc16-pl from source-address 2.1.1.17/32 set firewall family inet filter LoTest term tc16-pl from fragment-flags more-fragments set firewall family inet filter LoTest term tc16-pl from protocol ospf set firewall family inet filter LoTest term tc16-pl then count LoCount set firewall family inet filter LoTest term tc16-pl then discard set firewall family inet filter LoTest term tc17-ssh from source-address 2.1.1.18/32 set firewall family inet filter LoTest term tc17-ssh from destination-address 10.216.66.30/32 set firewall family inet filter LoTest term tc17-ssh from protocol tcp set firewall family inet filter LoTest term tc17-ssh from destination-port ssh set firewall family inet filter LoTest term tc17-ssh then count LoCount set firewall family inet filter LoTest term tc17-ssh then accept set firewall family inet filter LoTest term all then accept set firewall family inet6 filter LoTest6 interface-specific set firewall family inet6 filter LoTest6 term tc2-ospfv3 from source-address 2021::3/128 set firewall family inet6 filter LoTest6 term tc2-ospfv3 from next-header ospf set firewall family inet6 filter LoTest6 term tc2-ospfv3 then count LoCount6 set firewall family inet6 filter LoTest6 term tc2-ospfv3 then accept set firewall family inet6 filter LoTest6 term tc2-bgp4plus from source-address 2021::3/128 set firewall family inet6 filter LoTest6 term tc2-bgp4plus from next-header tcp set firewall family inet6 filter LoTest6 term tc2-bgp4plus from destination-port bgp set firewall family inet6 filter LoTest6 term tc2-bgp4plus then count LoCount6 set firewall family inet6 filter LoTest6 term tc2-bgp4plus then accept set firewall family inet6 filter LoTest6 term tc4-icmpv6 from source-address 2021::4/128 set firewall family inet6 filter LoTest6 term tc4-icmpv6 from next-header icmp6 set firewall family inet6 filter LoTest6 term tc4-icmpv6 from icmp-type 1 set firewall family inet6 filter LoTest6 term tc4-icmpv6 from icmp-code 0 set firewall family inet6 filter LoTest6 term tc4-icmpv6 then count LoCount6 set firewall family inet6 filter LoTest6 term tc4-icmpv6 then accept set firewall family inet6 filter LoTest6 term tc7-snmp from next-header udp set firewall family inet6 filter LoTest6 term tc7-snmp from destination-port snmp set firewall family inet6 filter LoTest6 term tc7-snmp then count LoCount6 set firewall family inet6 filter LoTest6 term tc7-snmp then accept set firewall family inet6 filter LoTest6 term tc7-ntp from next-header udp set firewall family inet6 filter LoTest6 term tc7-ntp from destination-port ntp set firewall family inet6 filter LoTest6 term tc7-ntp then count LoCount6 set firewall family inet6 filter LoTest6 term tc7-ntp then accept set firewall family inet6 filter LoTest6 term tc7-dns from next-header udp set firewall family inet6 filter LoTest6 term tc7-dns from destination-port domain set firewall family inet6 filter LoTest6 term tc7-dns then count LoCount6 set firewall family inet6 filter LoTest6 term tc7-dns then accept set firewall family inet6 filter LoTest6 term tc10-icmp from source-address 2021::7/128 set firewall family inet6 filter LoTest6 term tc10-icmp from next-header icmp6 set firewall family inet6 filter LoTest6 term tc10-icmp from icmp-type 1 set firewall family inet6 filter LoTest6 term tc10-icmp from icmp-code 0 set firewall family inet6 filter LoTest6 term tc10-icmp then policer LoPolicer set firewall family inet6 filter LoTest6 term tc10-icmp then count LoCount6 set firewall family inet6 filter LoTest6 term tc10-icmp then accept set firewall family inet6 filter LoTest6 term all then accept set firewall policer LoPolicer if-exceeding bandwidth-limit 22k set firewall policer LoPolicer if-exceeding burst-size-limit 20k set firewall policer LoPolicer then discard