[ Contents] [ Prev] [ Next] [ Index] [ Report an Error]

Configuring a Routing Engine Firewall Filter for Services and Protocols from Trusted Sources

The following example shows how to create a stateless firewall filter, protect-RE, that discards all traffic destined for the Routing Engine, except SSH and BGP protocol packets from specified trusted sources. Table 97 lists the terms that are configured in this sample filter.

Table 97: Sample Stateless Firewall Filter protect-RE Terms to Allow Packets from Trusted Sources

Term

Purpose

ssh-term

Accepts TCP packets with a source address of 192.168.122.0/24 and a destination port that specifies SSH.

bgp-term

Accepts TCP packets with a source address of 10.2.1.0/24 and a destination port that specifies the BGP protocol.

discard-rest-term

For all packets that are not accepted by ssh-term or bgp-term, creates a firewall filter log and system logging records, then discards all packets. To view the log, enter the show firewall log operational mode command. (For more information, see Displaying Stateless Firewall Filter Logs.)

By applying firewall filter protect-RE to the Routing Engine, you specify which protocols and services, or applications, are allowed to reach the Routing Engine, and you ensure the packets are from a trusted source. This protects processes running on the Routing Engine from an external attack.

To use the configuration editor to configure the stateless firewall filter:

  1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
  2. Perform the configuration tasks described in Table 98.
  3. If you are finished configuring the router, commit the configuration.
  4. Go on to one of the following procedures:

Table 98: Configuring a Protocols and Services Firewall Filter for the Routing Engine

Task

J-Web Configuration Editor

CLI Configuration Editor

Navigate to the Firewall level in the configuration hierarchy.
  1. In the J-Web interface, select Configuration>View and Edit>Edit Configuration.
  2. Next to Firewall, click Configure or Edit.

From the [edit] hierarchy level, enter

edit firewall

Define protect-RE and ssh-term, and define the protocol, destination port, and source address match conditions.
  1. Next to Filter, click Add new entry.
  2. In the Filter name box, type protect-RE.
  3. Next to Term, click Add New Entry.
  4. In the Rule name box, type ssh-term.
  5. Next to From, click Configure.
  6. In the Protocol choice list, select Protocol.
  7. Next to Protocol, click Add new entry.
  8. In the Value keyword list, select tcp.
  9. Click OK.
  10. In the Destination port choice list, select Destination port.
  11. Next to Destination port, click Add new entry.
  12. In the Value keyword list, select ssh.
  13. Click OK.
  14. Next to Source address, click Add new entry.
  15. In the Address box, type 192.168.122.0/24.
  16. Click OK twice.

Set the term name and define the match conditions:

set family inet filter protect-RE term ssh-term from protocol tcp destination-port ssh source-address 192.168.122.0/24

Define the actions for ssh-term.
  1. On the Term ssh-term page, next to Then, click Configure.
  2. In the Designation list, select Accept.
  3. Click OK twice.

Set the actions:

set family inet filter protect-RE term ssh-term then accept

Define bgp-term, and define the protocol, destination port, and source address match conditions.
  1. On the Filter protect-RE page, next to Term, click Add New Entry.
  2. In the Rule name box, type bgp-term.
  3. Next to From, click Configure.
  4. In the Protocol choice list, select Protocol.
  5. Next to Protocol, click Add new entry.
  6. In the Value keyword list, select tcp.
  7. Click OK.
  8. In the Destination port choice list, select Destination port.
  9. Next to Destination port, click Add new entry.
  10. In the Value keyword list, select bgp.
  11. Click OK.
  12. Next to Source address, click Add new entry.
  13. In the Address box, type 10.2.1.0/24.
  14. Click OK twice.

Set the term name and define the match conditions:

set family inet filter protect-RE term bgp-term from protocol tcp destination-port bgp source-address 10.2.1.0/24

Define the action for bgp-term.
  1. On the Term bgp-term page, next to Then, click Configure.
  2. In the Designation list, select Accept.
  3. Click OK twice.

Set the action:

set family inet filter protect-RE term bgp-term then accept

Define discard-rest-term and its action.
  1. On the Filter protect-RE page, next to Term, click Add New Entry.
  2. In the Rule name box, type discard-rest-term.
  3. Next to Then, click Configure.
  4. Next to Log, select the check box.
  5. Next to Syslog, select the check box.
  6. In the Designation list, select Discard.
  7. Click OK four times.

Set the term name and define its actions:

set family inet filter protect-RE term discard-rest-term then log syslog discard

[ Contents] [ Prev] [ Next] [ Index] [ Report an Error]

[an error occurred while processing this directive]