Configuring a Routing Engine Firewall Filter to Handle Fragments

The procedure in this section creates a sample stateless firewall filter, fragment-RE, that handles fragmented packets destined for the Routing Engine. By applying fragment-RE to the Routing Engine, you protect against the use of IP fragmentation as a means to disguise TCP packets from a firewall filter.

Table 102 lists the terms that are configured in this sample filter.

Table 102: Sample Stateless Firewall Filter fragment-RE Terms

| Term | Purpose |
|---|---|
| small-offset-term | Discards IP packets with a fragment offset of 1 through 5, and adds a record to the system logging facility. |
| not-fragmented-term | Accepts unfragmented TCP packets with a source address of 10.2.1.0/24 and a destination port that specifies the BGP protocol. A packet is considered unfragmented if its MF flag and its fragment offset in the TCP header equal 0. |
| first-fragment-term | Accepts the first fragment of a fragmented TCP packet with a source address of 10.2.1.0/24 and a destination port that specifies the BGP protocol. |
| fragment-term | Accepts all packet fragments with an offset of 6 through 8191. |

For example, consider an IP packet that is fragmented into the smallest allowable fragment size of 8 bytes (a 20-byte IP header plus an 8-byte payload). If this IP packet carries a TCP packet, the first fragment (fragment offset of 0) that arrives at the Services Router contains only the TCP source and destination ports (first 4 bytes), and the sequence number (next 4 bytes). The TCP flags, which are contained in the next 8 bytes of the TCP header, arrive in the second fragment (fragment offset of 1). The fragment-RE filter works as follows:

For more information about IP fragment filtering, see RFC 1858, Security Considerations for IP Fragment Filtering.

To use the configuration editor to configure the stateless firewall filter:

  1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
  2. To configure the firewall filter, perform the configuration tasks described in Table 103.
  3. If you are finished configuring the router, commit the configuration.
  4. Go on to one of the following procedures:

Table 103: Configuring a Fragments Firewall Filter for the Routing Engine

Columns: Task, J-Web Configuration Editor, CLI Configuration Editor. Each task below lists the J-Web Configuration Editor steps first, followed by the equivalent CLI Configuration Editor command.

Task: Navigate to the Firewall level in the configuration hierarchy.

J-Web Configuration Editor:

  1. In the J-Web interface, select Configuration>View and Edit>Edit Configuration.
  2. Next to Firewall, click Configure or Edit.

CLI Configuration Editor: From the [edit] hierarchy level, enter

edit firewall

Task: Define fragment-RE and small-offset-term, and define the fragment offset match condition. The fragment offset can be from 1 through 8191.

J-Web Configuration Editor:

  1. Next to Filter, click Add new entry.
  2. In the Filter name box, type fragment-RE.
  3. Next to Term, click Add New Entry.
  4. In the Rule name box, type small-offset-term.
  5. Next to From, click Configure.
  6. In the Fragment offset choice list, select Fragment offset.
  7. Next to Fragment offset, select Add New Entry.
  8. In the Range box, type 1-5.
  9. Click OK twice.

CLI Configuration Editor: Set the term name and define the fragment offset match condition:

set family inet filter fragment-RE term small-offset-term from fragment-offset 1-5

Task: Define the action for small-offset-term.

J-Web Configuration Editor:

  1. On the Term small-offset-term page, next to Then, click Configure.
  2. Next to Syslog, select the check box.
  3. In the Designation list, select Discard.
  4. Click OK twice.

CLI Configuration Editor: Set the action:

set family inet filter fragment-RE term small-offset-term then syslog discard

Task: Define not-fragmented-term, and define the fragment, protocol, destination port, and source address match conditions.

J-Web Configuration Editor:

  1. On the Filter fragment-RE page, next to Term, click Add New Entry.
  2. In the Term name box, type not-fragmented-term.
  3. Next to From, click Configure.
  4. In the Fragment flags box, type 0x0.
  5. In the Fragment offset choice list, select Fragment offset.
  6. Next to Fragment offset, select Add New Entry.
  7. In the Range box, type 0.
  8. Click OK.
  9. In the Protocol choice list, select Protocol.
  10. Next to Protocol, click Add new entry.
  11. In the Value keyword list, select tcp.
  12. Click OK.
  13. In the Destination port choice list, select Destination port.
  14. Next to Destination port, click Add new entry.
  15. In the Value keyword list, select bgp.
  16. Click OK.
  17. Next to Source address, click Add new entry.
  18. In the Address box, type 10.2.1.0/24.
  19. Click OK twice.

CLI Configuration Editor: Set the term name and define match conditions:

set family inet filter fragment-RE term not-fragmented-term from fragment-flags 0x0 fragment-offset 0 protocol tcp destination-port bgp source-address 10.2.1.0/24

Task: Define the action for not-fragmented-term.

J-Web Configuration Editor:

  1. On the Term not-fragmented-term page, next to Then, click Configure.
  2. In the Designation list, select Accept.
  3. Click OK twice.

CLI Configuration Editor: Set the action:

set family inet filter fragment-RE term not-fragmented-term then accept

Task: Define first-fragment-term, and define the fragment, protocol, destination port, and source address match conditions.

J-Web Configuration Editor:

  1. On the Filter fragment-RE page, next to Term, click Add New Entry.
  2. In the Rule name box, type first-fragment-term.
  3. Next to From, click Configure.
  4. Next to First fragment, select the check box.
  5. In the Protocol choice list, select Protocol.
  6. Next to Protocol, click Add new entry.
  7. In the Value keyword list, select tcp.
  8. Click OK.
  9. In the Destination port choice list, select Destination port.
  10. Next to Destination port, click Add new entry.
  11. In the Value keyword list, select bgp.
  12. Click OK.
  13. Next to Source address, click Add new entry.
  14. In the Address box, type 10.2.1.0/24.
  15. Click OK twice.

CLI Configuration Editor: Set the term name and define match conditions:

set family inet filter fragment-RE term first-fragment-term from first-fragment protocol tcp destination-port bgp source-address 10.2.1.0/24

Task: Define the action for first-fragment-term.

J-Web Configuration Editor:

  1. On the Term first-fragment-term page, next to Then, click Configure.
  2. In the Designation list, select Accept.
  3. Click OK twice.

CLI Configuration Editor: Set the action:

set family inet filter fragment-RE term first-fragment-term then accept

Task: Define fragment-term and define the fragment match condition.

J-Web Configuration Editor:

  1. On the Filter fragment-RE page, next to Term, click Add New Entry.
  2. In the Rule name box, type fragment-term.
  3. Next to From, click Configure.
  4. In the Fragment offset choice list, select Fragment offset.
  5. Next to Fragment offset, select Add New Entry.
  6. In the Range box, type 6-8191.
  7. Click OK twice.

CLI Configuration Editor: Set the term name and define match conditions (the range is typed with a plain hyphen):

set family inet filter fragment-RE term fragment-term from fragment-offset 6-8191

Task: Define the action for fragment-term.

J-Web Configuration Editor:

  1. On the Term fragment-term page, next to Then, click Configure.
  2. In the Designation list, select Accept.
  3. Click OK four times.

CLI Configuration Editor: Set the action:

set family inet filter fragment-RE term fragment-term then accept
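To see why the term order above matters, here is an added Python model of the fragment-RE filter (example code written for this page, not Juniper software and not part of the procedure). It parses constructed IPv4 packets, walks each one through the four terms in configured order, and replays the 8-byte fragmentation case described earlier: the first fragment carries only ports and sequence number and is accepted by first-fragment-term, while the second fragment (offset 1), which carries the TCP flags, is caught by small-offset-term. The sample packets, the 10.2.1.5 source, the 10.2.1.1 destination, the port number 179 for the bgp keyword, and the trailing implicit discard are assumptions made for the example; the first-fragment match is modelled as offset 0 with the MF flag set, as Table 102 describes it.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed values for this example: the Junos keyword "bgp" is TCP port 179,
# and 10.2.1.0/24 is the trusted source prefix used by the filter terms.
BGP_PORT = 179
TRUSTED_NET = ipaddress.ip_network("10.2.1.0/24")
TCP = 6


@dataclass
class Packet:
    src: str
    proto: int
    mf: bool                  # IP "More Fragments" flag
    offset: int               # IP fragment offset, in 8-byte units
    dst_port: Optional[int]   # parsed only when the TCP port bytes are present


def parse_ipv4(raw: bytes) -> Packet:
    """Pull the fields the filter matches on out of a raw IPv4 packet."""
    (ver_ihl, _tos, _tlen, _ident, flags_frag,
     _ttl, proto, _csum, src, _dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    mf = bool(flags_frag & 0x2000)
    offset = flags_frag & 0x1FFF
    payload = raw[ihl:]
    dst_port = None
    # The TCP destination port is payload bytes 2-3, so it is only visible in a
    # fragment with offset 0 (or in an unfragmented packet).
    if proto == TCP and offset == 0 and len(payload) >= 4:
        dst_port = struct.unpack("!H", payload[2:4])[0]
    return Packet(str(ipaddress.ip_address(src)), proto, mf, offset, dst_port)


def fragment_re(pkt: Packet):
    """Evaluate the fragment-RE terms in configured order; return (term, action)."""
    # small-offset-term: from fragment-offset 1-5 then syslog discard
    if 1 <= pkt.offset <= 5:
        return ("small-offset-term", "syslog discard")
    trusted = ipaddress.ip_address(pkt.src) in TRUSTED_NET
    tcp_to_bgp = pkt.proto == TCP and pkt.dst_port == BGP_PORT
    # not-fragmented-term: fragment-flags 0x0 fragment-offset 0 protocol tcp
    # destination-port bgp source-address 10.2.1.0/24 then accept
    if not pkt.mf and pkt.offset == 0 and tcp_to_bgp and trusted:
        return ("not-fragmented-term", "accept")
    # first-fragment-term: first-fragment protocol tcp destination-port bgp
    # source-address 10.2.1.0/24 then accept (first fragment = offset 0 with MF set)
    if pkt.mf and pkt.offset == 0 and tcp_to_bgp and trusted:
        return ("first-fragment-term", "accept")
    # fragment-term: from fragment-offset 6-8191 then accept
    if 6 <= pkt.offset <= 8191:
        return ("fragment-term", "accept")
    # Assumption: a stateless filter discards anything no term accepts.
    return ("implicit-default", "discard")


def build_ipv4(src: str, proto: int, mf: bool, offset: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet as constructed test input (checksum left at 0)."""
    flags_frag = (0x2000 if mf else 0) | (offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         flags_frag, 64, proto, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address("10.2.1.1").packed)  # assumed RE address
    return header + payload


def run_demo():
    """Walk the 8-byte fragmentation scenario and a few controls through the filter."""
    tcp_first8 = struct.pack("!HHI", 40000, BGP_PORT, 1)             # ports + sequence number
    tcp_rest12 = struct.pack("!IBBHHH", 0, 0x50, 0x02, 65535, 0, 0)  # ack, data offset, SYN, window, csum, urg
    samples = {
        "unfragmented-bgp-syn": build_ipv4("10.2.1.5", TCP, False, 0, tcp_first8 + tcp_rest12),
        "tiny-first-fragment":  build_ipv4("10.2.1.5", TCP, True, 0, tcp_first8),
        "tiny-second-fragment": build_ipv4("10.2.1.5", TCP, True, 1, tcp_rest12),
        "trailing-fragment":    build_ipv4("10.2.1.5", TCP, False, 100, b"\x00" * 8),
        "untrusted-bgp-syn":    build_ipv4("192.0.2.9", TCP, False, 0, tcp_first8 + tcp_rest12),
    }
    return {name: fragment_re(parse_ipv4(raw)) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, (term, action) in run_demo().items():
        print(f"{name:22s} -> {term:20s} {action}")
```

Running the script prints one line per sample packet. The second tiny fragment is the interesting case: the model never sees a destination port for it because the port bytes are in the first fragment, so only the offset range can catch it, which is exactly what small-offset-term does before any of the accept terms get a chance to run.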


[ Contents] [ Prev] [ Next] [ Index] [ Report an Error]