
Configuring a Stateful Firewall Filter with a Configuration Editor

To configure a stateful firewall filter and NAT with a configuration editor, you do the following:

The example in this section shows how to create a stateful firewall filter and NAT with the rules described in Table 147.

Table 147: Sample Stateful Firewall Filter and NAT Rules

Rule: to-wan-rule
Type: Output
Terms:
  • app-term—Accepts packets from any of the applications defined by the JUNOS default group junos-algs-outbound application set.
  • accept-all-term—Accepts packets that do not match app-term.

Rule: from-wan-rule
Type: Input
Terms:
  • wan-src-addr-term—Accepts input packets with a source prefix of 192.168.33.0/24.
  • discard-all-term—Discards all packets.

Rule: nat-to-wan-rule
Type: Output
Term:
  • private-public-term—Translates the source address to an address within the pool 10.148.2.1 through 10.148.2.32 and dynamically translates the source port to a router-assigned port by means of NAPT.

The example also assigns the name public-pool to the NAT address pool and NAPT router-assigned port.

In addition, the example creates the service set wan-service-set that includes the stateful firewall filter and NAT services and defines sp-0/0/0 as its service interface. Finally, wan-service-set is applied to the WAN interface to the untrusted network, t1-0/0/0.

For stateful firewall match conditions and actions, see Summary of Stateful Firewall Filter and NAT Match Conditions and Actions.

To configure a stateful firewall filter and NAT and apply them to the WAN interface:

  1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
  2. Perform the configuration tasks described in Table 148.
  3. To apply the stateful firewall filter and NAT to the interface, perform the configuration tasks described in Table 149.
  4. If you are finished configuring the router, commit the configuration.
  5. Go on to one of the following procedures:

Table 148: Configuring a Stateful Firewall Filter and NAT

Task: Navigate to the Stateful firewall level in the configuration hierarchy.
J-Web Configuration Editor: In the configuration editor hierarchy, select Services>Stateful firewall.
CLI Configuration Editor: From the top of the configuration hierarchy, enter edit services stateful-firewall.

Task: Define to-wan-rule and set its match direction.
J-Web Configuration Editor:
  1. Next to Rule, click Add new entry.
  2. In the Rule name box, type to-wan-rule.
  3. From the Match direction list, select output.
CLI Configuration Editor: Set the rule name, match direction, term name, and match condition:
  set rule to-wan-rule match-direction output term app-term from application-sets junos-algs-outbound

Task: Define app-term for the to-wan-rule rule.
J-Web Configuration Editor:
  1. Next to Term, click Add new entry.
  2. In the Term name box, type app-term.

Task: Define the match condition for app-term—the default junos-algs-outbound application set.
J-Web Configuration Editor:
  1. Next to From, click Configure.
  2. Next to Application sets, click Add new entry.
  3. In the Application set name box, type junos-algs-outbound.
  4. Click OK twice.

Task: Define an action for app-term.
J-Web Configuration Editor:
  1. On the Term app-term page, next to Then, click Configure.
  2. In the Designation list, select Accept.
  3. Click OK twice.
CLI Configuration Editor: Set the action:
  set rule to-wan-rule term app-term then accept

Task: Define accept-all-term for to-wan-rule.
J-Web Configuration Editor:
  1. On the Rule to-wan-rule page, next to Term, click Add new entry.
  2. In the Term name box, type accept-all-term.
CLI Configuration Editor: Set the term name and the action:
  set rule to-wan-rule term accept-all-term then accept

Task: Define an action for accept-all-term. The action is taken only if a packet does not match app-term.
J-Web Configuration Editor:
  1. Next to Then, click Configure.
  2. From the Designation list, select Accept.
  3. Next to Accept, select the check box.
  4. Click OK three times.

Task: Define from-wan-rule and set its match direction.
J-Web Configuration Editor:
  1. On the Rule page, next to Rule, click Add new entry.
  2. In the Rule name box, type from-wan-rule.
  3. From the Match direction list, select input.
CLI Configuration Editor: Set the rule name, match direction, term name, and the match condition:
  set rule from-wan-rule match-direction input term wan-src-addr-term from source-address 192.168.33.0/24

Task: Define wan-src-addr-term for the from-wan-rule rule.
J-Web Configuration Editor:
  1. Next to Term, click Add new entry.
  2. In the Term name box, type wan-src-addr-term.

Task: Define the match condition for wan-src-addr-term.
J-Web Configuration Editor:
  1. Next to From, click Configure.
  2. Next to Source address, click Add new entry.
  3. From the Address list, select Enter Specific Value—>.
  4. In the Prefix box, type 192.168.33.0/24.
  5. Click OK twice.

Task: Define an action for wan-src-addr-term.
J-Web Configuration Editor:
  1. On the Term wan-src-addr-term page, next to Then, click Configure.
  2. In the Designation list, select Accept.
  3. Click OK twice.
CLI Configuration Editor: Set the action:
  set rule from-wan-rule term wan-src-addr-term then accept

Task: Define discard-all-term for from-wan-rule.
J-Web Configuration Editor:
  1. On the Rule from-wan-rule page, next to Term, click Add new entry.
  2. In the Term name box, type discard-all-term.
CLI Configuration Editor: Set the term name and the action:
  set rule from-wan-rule term discard-all-term then discard

Task: Define an action for discard-all-term. The action is taken only if a packet does not match wan-src-addr-term.
J-Web Configuration Editor:
  1. Next to Then, click Configure.
  2. From the Designation list, select Discard.
  3. Click OK three times.

Task: Navigate to the Nat level in the configuration hierarchy.
J-Web Configuration Editor:
  1. In the configuration editor hierarchy, select Services.
  2. Next to NAT, click Configure.
CLI Configuration Editor: From the top of the configuration hierarchy, enter edit services nat.

Task: Define the public-pool address pool name and range.
J-Web Configuration Editor:
  1. Next to Pool, click Add new entry.
  2. In the Pool name box, type public-pool.
  3. From the Address choice list, select Address range.
  4. In the High box, type 10.148.2.32. In the Low box, type 10.148.2.1.
CLI Configuration Editor: Set the address pool name and the range:
  set pool public-pool address-range low 10.148.2.1 high 10.148.2.32

Task: Specify the NAT port pool to be automatically assigned by the router.
J-Web Configuration Editor:
  1. Next to Port, click Configure.
  2. From the Port choice list, select Automatic.
  3. Click OK twice.
CLI Configuration Editor: Configure the source port translation to be automatic:
  set pool public-pool port automatic

Task: Define nat-to-wan-rule and private-public-term.
J-Web Configuration Editor:
  1. On the Nat page, next to Rule, click Add new entry.
  2. In the Rule name box, type nat-to-wan-rule.
  3. From the Match direction list, select output.
  4. Next to Term, select Add new entry.
  5. In the Term name box, type private-public-term.
  6. Next to Then, select Configure.
  7. Next to Translated, select Configure.
  8. In the Source pool box, type public-pool.
CLI Configuration Editor: Set the rule name, match direction, term name, and the term's pool name:
  set rule nat-to-wan-rule match-direction output term private-public-term then translated source-pool public-pool

Task: Set the NAT port translation type for private-public-term.
J-Web Configuration Editor:
  1. Next to Translation type, select the check box.
  2. Select Configure.
  3. From the Source list, select dynamic.
  4. Click OK five times.
CLI Configuration Editor: Set the NAT translation type:
  set rule nat-to-wan-rule match-direction output term private-public-term then translated translation-type source dynamic

Table 149: Applying a Stateful Firewall Filter and NAT to an Interface

Task: Navigate to the Services level in the configuration hierarchy.
J-Web Configuration Editor: In the configuration editor hierarchy, select Services.
CLI Configuration Editor: From the top of the configuration hierarchy, enter edit services.

Task: Define wan-service-set and assign the stateful firewall filter rule to-wan-rule to the service set.
J-Web Configuration Editor:
  1. Next to Service set, click Add new entry.
  2. In the Service set name box, type wan-service-set.
  3. From the Stateful firewall rules choice list, select Stateful firewall rules.
  4. Next to Stateful firewall rules, click Add new entry.
  5. In the Rule name box, type to-wan-rule.
  6. Click OK.
CLI Configuration Editor: Define the service set and assign the rule:
  set service-set wan-service-set stateful-firewall-rules to-wan-rule

Task: Assign the stateful firewall filter rule from-wan-rule to the service set.
J-Web Configuration Editor:
  1. Next to Stateful firewall rules, click Add new entry.
  2. In the Rule name box, type from-wan-rule.
  3. Click OK.
CLI Configuration Editor: Assign the rule to the service set:
  set service-set wan-service-set stateful-firewall-rules from-wan-rule

Task: Assign the NAT rule nat-to-wan-rule to the service set.
J-Web Configuration Editor:
  1. From the Nat rules choice list, select Nat rules.
  2. Next to Nat rules, click Add new entry.
  3. In the Rule name box, type nat-to-wan-rule.
  4. Click OK.
CLI Configuration Editor: Assign the rule to the service set:
  set service-set wan-service-set nat-rules nat-to-wan-rule

Task: Define the service set type and virtual interface sp-0/0/0 as the service interface for wan-service-set.
J-Web Configuration Editor:
  1. From the Service type choice list, select Interface service.
  2. Next to Interface service, click Configure.
  3. In the Service interface box, type sp-0/0/0.
  4. Click OK.
CLI Configuration Editor: Define the service set type and the service interface:
  set service-set wan-service-set interface-service service-interface sp-0/0/0

Task: Configure the sp-0/0/0 service interface.
J-Web Configuration Editor:
  1. In the configuration editor hierarchy, select Interfaces.
  2. Next to Interface, click Add new entry.
  3. In the Interface name box, type sp-0/0/0.
  4. Next to Unit, click Add new entry.
  5. In the Interface unit number box, type 0.
  6. Next to Inet, select the check box.
  7. Click Configure.
  8. Click OK.
CLI Configuration Editor: From the top of the configuration hierarchy, configure the interface:
  set interfaces sp-0/0/0 unit 0 family inet

Task: From the Interfaces level of the configuration hierarchy, navigate to the Inet level of the T1 interface—the untrusted interface in this example—and apply wan-service-set to the input and output sides of the t1-0/0/0 interface.
J-Web Configuration Editor:
  1. In the configuration editor hierarchy, select Interfaces>t1-0/0/0>Unit>0>Family>Inet.
  2. Next to Service, click Configure.
  3. Next to Input, click Configure.
  4. Next to Service set, click Add new entry.
  5. In the Service set name box, type wan-service-set.
  6. Click OK.
  7. Next to Output, click Configure.
  8. Next to Service set, click Add new entry.
  9. In the Service set name box, type wan-service-set.
  10. Click OK.
CLI Configuration Editor: From the top of the configuration hierarchy, apply the service set to the interface:
  set interfaces t1-0/0/0 unit 0 family inet service input service-set wan-service-set
  set interfaces t1-0/0/0 unit 0 family inet service output service-set wan-service-set
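The following Python model is an added example, not Junos code or part of the original page: it replays the policy that Table 147 describes and Tables 148 and 149 configure, so the effect of the term order and of the stateful flow table can be checked on constructed traffic. The rules are consulted only for the first packet of a flow; later packets in either direction are matched against the flow table, which is why return traffic for a session opened from the trusted side is accepted even though from-wan-rule would discard that source. The addresses 10.0.0.5, 203.0.113.10 and 198.51.100.7, the port set standing in for junos-algs-outbound (Junos defines that set by ALG, not by port), the choice of the first pool address and the port numbers starting at 1024 are all assumptions of the model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import count

# Constructed stand-in for the junos-algs-outbound application set. Junos
# defines that set by its ALGs; this model only keys on a few destination ports.
ALG_OUTBOUND_PORTS = {21, 53, 80, 443}

TRUSTED_WAN_PREFIX = ip_network("192.168.33.0/24")      # wan-src-addr-term prefix
POOL_LOW = ip_address("10.148.2.1")                     # public-pool address-range low
POOL_HIGH = ip_address("10.148.2.32")                   # public-pool address-range high


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def reverse(self):
        return Packet(self.dst, self.dport, self.src, self.sport, self.proto)


def in_public_pool(addr):
    """True if addr lies within public-pool (10.148.2.1 through 10.148.2.32)."""
    return POOL_LOW <= ip_address(addr) <= POOL_HIGH


def to_wan_rule(pkt):
    """Output direction, terms in order: app-term, then accept-all-term."""
    if pkt.dport in ALG_OUTBOUND_PORTS:
        return "accept", "app-term"
    return "accept", "accept-all-term"


def from_wan_rule(pkt):
    """Input direction, terms in order: wan-src-addr-term, then discard-all-term."""
    if ip_address(pkt.src) in TRUSTED_WAN_PREFIX:
        return "accept", "wan-src-addr-term"
    return "discard", "discard-all-term"


class WanServiceSet:
    """wan-service-set as applied to the input and output sides of t1-0/0/0.

    Rules are consulted only for the first packet of a flow; every later packet,
    including return traffic, is matched against the flow table instead.
    """

    def __init__(self):
        self.flows = {}                 # packet as it arrives -> packet as forwarded
        self._nat_port = count(1024)    # router-assigned NAPT ports (constructed values)

    def output(self, pkt):
        """Packet leaving the router towards the untrusted WAN."""
        if pkt in self.flows:
            return "accept", "flow-table", self.flows[pkt]
        action, term = to_wan_rule(pkt)
        if action != "accept":
            return action, term, None
        # nat-to-wan-rule / private-public-term: dynamic source NAPT from public-pool.
        # The model always takes the first pool address and a fresh port (assumption).
        translated = Packet(str(POOL_LOW), next(self._nat_port), pkt.dst, pkt.dport, pkt.proto)
        self.flows[pkt] = translated
        self.flows[translated.reverse()] = pkt.reverse()    # expected return traffic
        return action, term, translated

    def input(self, pkt):
        """Packet arriving on t1-0/0/0 from the untrusted WAN."""
        if pkt in self.flows:
            return "accept", "flow-table", self.flows[pkt]
        action, term = from_wan_rule(pkt)
        if action != "accept":
            return action, term, None
        self.flows[pkt] = pkt                       # no NAT rule is applied on input
        self.flows[pkt.reverse()] = pkt.reverse()
        return action, term, pkt


def run_scenario():
    """Constructed traffic; returns {label: (action, matching term, packet as forwarded)}."""
    ss = WanServiceSet()
    results = {}
    # 1. A LAN host opens an HTTPS session: app-term accepts and the source is translated.
    outbound = Packet("10.0.0.5", 40000, "203.0.113.10", 443)
    results["lan_to_wan"] = ss.output(outbound)
    # 2. The server replies to the translated tuple: accepted from the flow table and
    #    un-translated, although from-wan-rule alone would discard this source.
    results["wan_reply"] = ss.input(results["lan_to_wan"][2].reverse())
    # 3. Unsolicited packet from an untrusted WAN source: discard-all-term.
    results["wan_unsolicited"] = ss.input(Packet("198.51.100.7", 5555, "10.148.2.1", 22))
    # 4. Unsolicited packet from the trusted 192.168.33.0/24 prefix: wan-src-addr-term.
    results["wan_trusted"] = ss.input(Packet("192.168.33.9", 5555, "10.0.0.5", 22))
    return results


if __name__ == "__main__":
    for label, (action, term, forwarded) in run_scenario().items():
        print(f"{label:16} {action:8} {term:18} {forwarded}")
```

Reversing the two terms of from-wan-rule in from_wan_rule (discard-all-term first) would discard everything on input, including packets from 192.168.33.0/24, which is the practical reason the catch-all term sits last in Table 147; the flow table is what keeps established outbound sessions working regardless.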
