[Contents] [Prev] [Next] [Index] [Report an Error]

Verifying Firewall Filter Configuration

To verify a firewall filter configuration, perform these tasks:

Displaying Firewall Filter Configurations

Purpose

Verify the configuration of the firewall filter. You can analyze the flow of the firewall filter terms by displaying the entire configuration.

Action

From the J-Web interface, select Configuration>View and Edit>View Configuration Text. Alternatively, from configuration mode in the CLI, enter the show services or show firewall command for stateful and stateless firewall filters.

The sample output in this section displays the following firewall filters (in order):

Stateful firewall filter and NAT configured in Configuring a Stateful Firewall Filter with a Configuration Editor
Stateless protect-RE filter configured in Configuring a Routing Engine Firewall Filter for Services and Protocols from Trusted Sources
Stateless protect-RE filter configured in Configuring a Routing Engine Firewall Filter to Protect Against TCP and ICMP Floods
Stateless fragment-RE filter configured in Configuring a Routing Engine Firewall Filter to Handle Fragments

Sample Output




[edit]

user@host# show services



stateful-firewall




rule to-wan-rule {

match-direction output;




term app-term {




from {

application-sets junos-algs-outbound;

}







then {

accept;

}




}







term accept-all-term {




then {

accept;

}




}




}







rule from-wan-rule {

match-direction input;




term wan-src-addr-term {




from {




source-address {

192.168.33.0/24;

}




}







then {

accept;

}




}







term discard-all-term {




then {

discard;

}




}




}




}



nat {




pool public-pool {

address-range low 10.148.2.1 high 10.148.2.32;

port automatic;

}







rule nat-to-wan-rule {

match-direction output;




term private-public-term {




then {




translated {

source-pool public-pool;

translation-type source dynamic;

}




}




}




}




}



service-set wan-service-set {

stateful-firewall-rules to-wan-rule;

stateful-firewall-rules from-wan-rule;

nat-rules nat-to-wan-rule;




interface-service {

service-interface sp-0/0/0;

}




}





 


[edit]

user@host# show firewall



firewall {




family inet {




filter protect-RE {




term ssh-term {




from {




source-address {

192.168.122.0/24;

}




protocol tcp;

destination-port ssh;

}




then accept;

}







term bgp-term {




from {




source-address {

10.2.1.0/24;

}




protocol tcp;

destination-port bgp;

}




then accept;

}







term discard-rest-term {




then {

log;

syslog;

discard;

}




}




}




}




}





 


[edit]

user@host# show firewall



firewall {




policer tcp-connection-policer {

filter-specific;




if-exceeding {

bandwidth-limit 500k;

burst-size-limit 15k;

}




then discard;

}







policer icmp-policer {

filter-specific;




if-exceeding {

bandwidth-limit 1m;

burst-size-limit 15k;

}




then discard;

}







family inet {




filter protect-RE {




term tcp-connection-term {




from {




source-prefix-list {

trusted-addresses;

}




protocol tcp;

tcp-flags “(syn & !ack) | fin | rst”;

}







then {

policer tcp-connection-policer;

accept;

}




}







term icmp-term {




from {

protocol icmp;

icmp-type [ echo-request echo-reply unreachable time-exceeded ];

}







then {

policer icmp-policer;

count icmp-counter;

accept;

}




}





additional terms...

}




}




}





 


[edit]

user@host# show firewall



firewall {




family inet {




filter fragment-RE {




term small-offset-term {




from {

fragment-offset 1-5;

}







then {

syslog;

discard;

}




}







term not-fragmented-term {




from {




source-address {

10.2.1.0/24;

}




fragment-offset 0;

fragment-flags 0x0;

protocol tcp;

destination-port bgp;

}




then accept;

}







term first-fragment-term {




from {




source-address {

10.2.1.0/24;

}




first-fragment;

protocol tcp;

destination-port bgp;

}




then accept;

}







term fragment-term {




from {

fragment-offset 6-8191;

}




then accept;

}





additional terms ...


}




}




}

What it Means

Verify that the output shows the intended configuration of the firewall filter. For more information about the format of a configuration file, see Viewing the Configuration Text.

Verify that the terms are listed in the order in which you want the packets to be tested. You can move terms within a firewall filter by using the insert CLI command. For more information, see Inserting an Identifier.

Verifying a Stateful Firewall Filter

Purpose

Verify the firewall filter configured in Configuring a Stateful Firewall Filter with a Configuration Editor.

Action

To verify that the actions of the firewall filter terms are taken, send packets to and from the untrusted network that match the terms. In addition, verify that actions are not taken for packets that do not match.

Send packets—associated with the junos-algs-outbound application set—from a host in the trusted network to a host in the untrusted network. Verify that packets received from the host in the untrusted network are responses only to the session originated by the host in the trusted network. To ensure that packets from the host are not accepted because of rule from-wan-rule, do not send packets to the host in the untrusted network with an IP address that matches 192.168.33.0/24.
For example, send a ping request from host trusted-nw-trusted-host to host untrusted-nw-untrusted-host, and verify that a ping response is returned. Ping requests and responses use ICMP, which belongs to the junos-algs-outbound application set.

To view the configuration of junos-algs-outbound, enter the show groups junos-defaults applications application-set junos-algs-outbound configuration mode command.
Send packets from a host in the untrusted network to a host in the trusted network. Verify that the host in the trusted network receives packets only from the host in the untrusted network with an IP address that matches 192.168.33.0/24.
For example, send a ping request from host untrusted-nw-trusted-host with an IP address that matches 192.168.33.0/24 to host trusted-nw-trusted-host, and verify that a ping response is returned.

Verify that the ping response displays an IP address from the configured NAT pool.

Sample Output

user@trusted-nw-trusted-host> ping untrusted-nw-untrusted-host

PING untrusted-nw-untrusted-host.acme.net (172.69.13.5): 56 data bytes
64 bytes from 192.169.13.5: icmp_seq=0 ttl=22 time=8.238 ms
64 bytes from 192.169.13.5: icmp_seq=1 ttl=22 time=9.116 ms
64 bytes from 192.169.13.5: icmp_seq=2 ttl=22 time=10.875 ms
...

user@untrusted-nw-trusted-host> ping trusted-nw-trusted-host

PING trusted-nw-trusted-host-fe-000.acme.net (112.148.2.3): 56 data bytes
64 bytes from 10.148.2.3: icmp_seq=0 ttl=253 time=18.248 ms
64 bytes from 10.148.2.3: icmp_seq=1 ttl=253 time=10.906 ms
64 bytes from 10.148.2.3: icmp_seq=2 ttl=253 time=12.845 ms
...

What it Means

Verify the following information:

A ping request from host trusted-nw-trusted-host returns a ping response from host untrusted-nw-untrusted-host.
A ping request from host untrusted-nw-trusted-host returns a ping response from host trusted-nw-trusted-host. Verify that the ping response displays an IP address from the configured NAT pool of 10.148.2.1 through 10.148.2.32.

For information about using the J-Web interface to ping a host, see the J-series Services Router Administration Guide.

For more information about the ping command, see the J-series Services Router Administration Guide or the JUNOS Protocols, Class of Service, and System Basics Command Reference.

Displaying Firewall Filter Logs

Purpose

Verify that packets are being logged. If you included the log or syslog action in a term, verify that packets matching the term are recorded in the firewall log or your system logging facility.

Action

From operational mode in the CLI, enter the show firewall log command.

The log of discarded packets generated from the firewall filter configured in Configuring a Routing Engine Firewall Filter for Services and Protocols from Trusted Sources is displayed in the following sample output.

Sample Output

user@host> show firewall log

Log :
Time      Filter    Action Interface     Protocol Src Addr      Dest Addr
15:11:02  pfe       D      fe-0/0/0.0    TCP      172.17.28.19  192.168.70.71
15:11:01  pfe       D      fe-0/0/0.0    TCP      172.17.28.19  192.168.70.71
15:11:01  pfe       D      fe-0/0/0.0    TCP      172.17.28.19  192.168.70.71
15:11:01  pfe       D      fe-0/0/0.0    TCP      172.17.28.19  192.168.70.71
...

What it Means

Each record of the output contains information about the logged packet. Verify the following information:

Under Time, the time of day the packet was filtered is shown.
The Filter output is always pfe.
Under Action, the configured action of the term matches the action taken on the packet—A (accept), D (discard), R (reject).
Under Interface, the inbound (ingress) interface on which the packet arrived is appropriate for the filter.
Under Protocol, the protocol in the IP header of the packet is appropriate for the filter.
Under Src Addr, the source address in the IP header of the packet is appropriate for the filter.
Under Dest Addr, the destination address in the IP header of the packet is appropriate for the filter.

For more information about the show firewall log command, see the JUNOS Protocols, Class of Service, and System Basics Command Reference.

Displaying Firewall Filter Statistics

Purpose

Verify that packets are being policed and counted.

Action

From operational mode in the CLI, enter the show firewall filter filter-name command.

The value of the counter, icmp-counter, and the number of packets discarded by the policers in the firewall filter configured in Configuring a Routing Engine Firewall Filter to Protect Against TCP and ICMP Floods are displayed in the following sample output.

Sample Output

user@host> show firewall filter protect-RE

Filter: protect-RE                                                  
Counters:
Name                                                Bytes              Packets
icmp-counter                                      1040000                 5600
Policers:
Name                                              Packets 
tcp-connection-policer                          643254873
icmp-policer                                         7391

What it Means

Verify the following information:

Next to Filter, the name of the firewall filter is correct.
Under Counters:
- Under Name, the names of any counters configured in the firewall filter are correct.
- Under Bytes, the number of bytes that match the filter term containing the count counter-name action are shown.
- Under Packets, the number of packets that match the filter term containing the count counter-name action are shown.
Under Policers:
- Under Name, the names of any policers configured in the firewall filter are correct.
- Under Packets, the number of packets that match the conditions specified for the policer are shown.

For more information about the show firewall filter command, see the JUNOS Protocols, Class of Service, and System Basics Command Reference.

Verifying a Services, Protocols, and Trusted Sources Firewall Filter

Purpose

Verify the firewall filter configured in Configuring a Routing Engine Firewall Filter for Services and Protocols from Trusted Sources.

Action

To verify that the actions of the firewall filter terms are taken, send packets to the Services Router that match the terms. In addition, verify that the filter actions are not taken for packets that do not match.

Use the ssh host-name command from a host at an IP address that matches 192.168.122.0/24 to verify that you can log in to the Services Router using only SSH from a host with this address prefix.
Use the show route summary command to verify that the routing table on the Services Router does not contain any entries with a protocol other than Direct, Local, BGP, or Static.

Sample Output

% ssh 192.168.249.71

%ssh host
user@host's password: 
--- JUNOS 6.4-20040518.0 (JSERIES) #0: 2004-05-18 09:27:50 UTC

user@host>

user@host> show route summary

Router ID: 192.168.249.71

inet.0: 34 destinations, 34 routes (33 active, 0 holddown, 1 hidden)
              Direct:     10 routes,      9 active
               Local:      9 routes,      9 active
                 BGP:     10 routes,     10 active
              Static:      5 routes,      5 active
...

What it Means

Verify the following information:

You can successfully log in to the Services Router using SSH.
The show route summary command does not display a protocol other than Direct, Local, BGP, or Static.

For more information about the show route summary command, see the JUNOS Protocols, Class of Service, and System Basics Command Reference.

Verifying a TCP and ICMP Flood Firewall Filter

Purpose

Verify the firewall filter configured in Configuring a Routing Engine Firewall Filter to Protect Against TCP and ICMP Floods.

Action

Verify that the Services Router can establish only TCP sessions with a host at an IP address that matches 192.168.122.0/24 or 10.2.1.0/24. For example, log in to the router with the telnet host-name command from another host with one of these address prefixes.
Use the ping host-name command to verify that the Services Router responds only to ICMP packets (such as ping requests) that do not exceed the policer traffic rates.
Use the ping host-name size bytes command to exceed the policer traffic rates by sending ping requests with large data payloads.

Sample Output

user@host> telnet 192.168.249.71

Trying 192.168.249.71...
Connected to host.acme.net.
Escape character is '^]'.

host (ttyp0)

login: user
Password:

--- JUNOS 6.4-20040521.1 built 2004-05-21 09:38:12 UTC

user@host>

user@host> ping 192.168.249.71

PING host-fe-000.acme.net (192.168.249.71): 56 data bytes
64 bytes from 192.168.249.71: icmp_seq=0 ttl=253 time=11.946 ms
64 bytes from 192.168.249.71: icmp_seq=1 ttl=253 time=19.474 ms
64 bytes from 192.168.249.71: icmp_seq=2 ttl=253 time=14.639 ms
...

user@host> ping 192.168.249.71 size 20000

PING host-fe-000.acme.net (192.168.249.71): 20000 data bytes
^C
--- host-fe-000.acme.net ping statistics ---
12 packets transmitted, 0 packets received, 100% packet loss

What it Means

Verify the following information:

You can successfully log in to the Services Router using Telnet.
The Services Router sends responses to the ping host command.
The Services Router does not send responses to the ping host size 20000 command.

For more information about the ping command, see the J-series Services Router Administration Guide or the JUNOS Protocols, Class of Service, and System Basics Command Reference.

For information about using the J-Web interface to ping a host, see the J-series Services Router Administration Guide.

For more information about the telnet command, see the J-series Services Router Administration Guide or the JUNOS Protocols, Class of Service, and System Basics Command Reference.

Verifying a Firewall Filter That Handles Fragments

Purpose

Verify the firewall filter configured in Configuring a Routing Engine Firewall Filter to Handle Fragments.

Action

Verify that packets with small fragment offsets are recorded in the router's system logging facility.
Use the show route summary command to verify that the routing table does not contain any entries with a protocol other than Direct, Local, BGP, or Static.

Sample Output

user@host> show route summary

Router ID: 192.168.249.71

inet.0: 34 destinations, 34 routes (33 active, 0 holddown, 1 hidden)
              Direct:     10 routes,      9 active
               Local:      9 routes,      9 active
                 BGP:     10 routes,     10 active
              Static:      5 routes,      5 active
...

What it Means

Verify that the show route summary command does not display a protocol other than Direct, Local, BGP, or Static. For more information about the show route summary command, see the JUNOS Protocols, Class of Service, and System Basics Command Reference.

[Contents] [Prev] [Next] [Index] [Report an Error]