[ Contents] [ Prev] [ Next] [ Index] [ Report an Error]

Verifying Stateless Firewall Filter Configuration

To verify a stateless firewall filter configuration, perform these tasks:

Displaying Stateless Firewall Filter Configurations

Purpose

Verify the configuration of the firewall filter. You can analyze the flow of the filter terms by displaying the entire configuration.

Action

From the J-Web interface, select Configuration>View and Edit>View Configuration Text. Alternatively, from configuration mode in the CLI, enter the show firewall command.

The sample output in this section displays the following firewall filters (in order):

Stateless protect-RE filter configured in Configuring a Routing Engine Firewall Filter for Services and Protocols from Trusted Sources
Stateless protect-RE filter configured in Configuring a Routing Engine Firewall Filter to Protect Against TCP and ICMP Floods
Stateless fragment-RE filter configured in Configuring a Routing Engine Firewall Filter to Handle Fragments




[edit]

user@host# show firewall



firewall {




family inet {




filter protect-RE {




term ssh-term {




from {




source-address {

192.168.122.0/24;

}




protocol tcp;

destination-port ssh;

}




then accept;

}







term bgp-term {




from {




source-address {

10.2.1.0/24;

}




protocol tcp;

destination-port bgp;

}




then accept;

}







term discard-rest-term {




then {

log;

syslog;

discard;

}




}




}




}




}





 


[edit]

user@host# show firewall



firewall {




policer tcp-connection-policer {

filter-specific;




if-exceeding {

bandwidth-limit 500k;

burst-size-limit 15k;

}




then discard;

}







policer icmp-policer {

filter-specific;




if-exceeding {

bandwidth-limit 1m;

burst-size-limit 15k;

}




then discard;

}







family inet {




filter protect-RE {




term tcp-connection-term {




from {




source-prefix-list {

trusted-addresses;

}




protocol tcp;

tcp-flags “(syn & !ack) | fin | rst”;

}







then {

policer tcp-connection-policer;

accept;

}




}







term icmp-term {




from {

protocol icmp;

icmp-type [ echo-request echo-reply unreachable time-exceeded
];

}







then {

policer icmp-policer;

count icmp-counter;

accept;

}




}





additional terms...

}




}




}





 


[edit]

user@host# show firewall



firewall {




family inet {




filter fragment-RE {




term small-offset-term {




from {

fragment-offset 1-5;

}







then {

syslog;

discard;

}




}







term not-fragmented-term {




from {




source-address {

10.2.1.0/24;

}




fragment-offset 0;

fragment-flags 0x0;

protocol tcp;

destination-port bgp;

}




then accept;

}







term first-fragment-term {




from {




source-address {

10.2.1.0/24;

}




first-fragment;

protocol tcp;

destination-port bgp;

}




then accept;

}







term fragment-term {




from {

fragment-offset 6-8191;

}




then accept;

}





additional terms ...


}




}




}

What it Means

Verify that the output shows the intended configuration of the firewall filter.

Verify that the terms are listed in the order in which you want the packets to be tested. You can move terms within a firewall filter by using the insert CLI command.

Purpose

Verify that packets are being logged. If you included the log or syslog action in a term, verify that packets matching the term are recorded in the firewall log or your system logging facility.

Action

From operational mode in the CLI, enter the show firewall log command.

The log of discarded packets generated from the stateless firewall filter configured in Configuring a Routing Engine Firewall Filter for Services and Protocols from Trusted Sources is displayed in the following sample output.

user@host> show firewall log

Log :
Time      Filter    Action Interface     Protocol Src Addr      Dest Addr
15:11:02  pfe       D      ge-0/0/0.0    TCP      172.17.28.19  192.168.70.71
15:11:01  pfe       D      ge-0/0/0.0    TCP      172.17.28.19  192.168.70.71
15:11:01  pfe       D      ge-0/0/0.0    TCP      172.17.28.19  192.168.70.71
15:11:01  pfe       D      ge-0/0/0.0    TCP      172.17.28.19  192.168.70.71
...

What it Means

Each record of the output contains information about the logged packet. Verify the following information:

Under Time, the time of day the packet was filtered is shown.
The Filter output is always pfe.
Under Action, the configured action of the term matches the action taken on the packet—A (accept), D (discard), R (reject).
Under Interface, the inbound (ingress) interface on which the packet arrived is appropriate for the filter.
Under Protocol, the protocol in the IP header of the packet is appropriate for the filter.
Under Src Addr, the source address in the IP header of the packet is appropriate for the filter.
Under Dest Addr, the destination address in the IP header of the packet is appropriate for the filter.

Purpose

Verify that packets are being policed and counted.

Action

From operational mode in the CLI, enter the show firewall filter filter-name command.

The value of the counter, icmp-counter, and the number of packets discarded by the policers in the stateless firewall filter configured in Configuring a Routing Engine Firewall Filter to Protect Against TCP and ICMP Floods are displayed in the following sample output.

user@host> show firewall filter protect-RE

Filter: protect-RE                                                  
Counters:
Name                                                Bytes              Packets
icmp-counter                                      1040000                 5600
Policers:
Name                                              Packets 
tcp-connection-policer                          643254873
icmp-policer                                         7391

What it Means

Verify the following information:

Next to Filter, the name of the firewall filter is correct.
Under Counters:
- Under Name, the names of any counters configured in the firewall filter are correct.
- Under Bytes, the number of bytes that match the filter term containing the count counter-name action are shown.
- Under Packets, the number of packets that match the filter term containing the count counter-name action are shown.
Under Policers:
- Under Name, the names of any policers configured in the firewall filter are correct.
- Under Packets, the number of packets that match the conditions specified for the policer are shown.

Purpose

Verify the stateless firewall filter configured in Configuring a Routing Engine Firewall Filter for Services and Protocols from Trusted Sources.

Action

To verify that the actions of the firewall filter terms are taken, send packets to the Services Router that match the terms. In addition, verify that the filter actions are not taken for packets that do not match.

Use the ssh host-name command from a host at an IP address that matches 192.168.122.0/24 to verify that you can log in to the Services Router using only SSH from a host with this address prefix.
Use the show route summary command to verify that the routing table on the Services Router does not contain any entries with a protocol other than Direct, Local, BGP, or Static.

% ssh 192.168.249.71

%ssh host
user@host's password: 
--- JUNOS 6.4-20040518.0 (JSERIES) #0: 2004-05-18 09:27:50 UTC

user@host>

user@host> show route summary

Router ID: 192.168.249.71

inet.0: 34 destinations, 34 routes (33 active, 0 holddown, 1 hidden)
              Direct:     10 routes,      9 active
               Local:      9 routes,      9 active
                 BGP:     10 routes,     10 active
              Static:      5 routes,      5 active
...

What it Means

Verify the following information:

You can successfully log in to the Services Router using SSH.
The show route summary command does not display a protocol other than Direct, Local, BGP, or Static.

Purpose

Verify the stateless firewall filter configured in Configuring a Routing Engine Firewall Filter to Protect Against TCP and ICMP Floods.

Action

Verify that the Services Router can establish only TCP sessions with a host at an IP address that matches 192.168.122.0/24 or 10.2.1.0/24. For example, log in to the router with the telnet host-name command from another host with one of these address prefixes.
Use the ping host-name command to verify that the Services Router responds only to ICMP packets (such as ping requests) that do not exceed the policer traffic rates.
Use the ping host-name size bytes command to exceed the policer traffic rates by sending ping requests with large data payloads.

user@host> telnet 192.168.249.71

Trying 192.168.249.71...
Connected to host.acme.net.
Escape character is '^]'.

host (ttyp0)

login: user
Password:

--- JUNOS 6.4-20040521.1 built 2004-05-21 09:38:12 UTC

user@host>

user@host> ping 192.168.249.71

PING host-ge-000.acme.net (192.168.249.71): 56 data bytes
64 bytes from 192.168.249.71: icmp_seq=0 ttl=253 time=11.946 ms
64 bytes from 192.168.249.71: icmp_seq=1 ttl=253 time=19.474 ms
64 bytes from 192.168.249.71: icmp_seq=2 ttl=253 time=14.639 ms
...

user@host> ping 192.168.249.71 size
20000

PING host-ge-000.acme.net (192.168.249.71): 20000 data bytes
^C
--- host-ge-000.acme.net ping statistics ---
12 packets transmitted, 0 packets received, 100% packet loss

What it Means

Verify the following information:

You can successfully log in to the Services Router using Telnet.
The Services Router sends responses to the ping host command.
The Services Router does not send responses to the ping host size 20000 command.

Purpose

Verify the firewall filter configured in Configuring a Routing Engine Firewall Filter to Handle Fragments.

Action

Verify that packets with small fragment offsets are recorded in the router's system logging facility.
Use the show route summary command to verify that the routing table does not contain any entries with a protocol other than Direct, Local, BGP, or Static.

user@host> show route summary

Router ID: 192.168.249.71

inet.0: 34 destinations, 34 routes (33 active, 0 holddown, 1 hidden)
              Direct:     10 routes,      9 active
               Local:      9 routes,      9 active
                 BGP:     10 routes,     10 active
              Static:      5 routes,      5 active
...

What it Means

Verify that the show route summary command does not display a protocol other than Direct, Local, BGP, or Static.

Verifying Stateless Firewall Filter Configuration

Purpose

Action

What it Means

See Also

Purpose

Action

What it Means

See Also

Purpose

Action

What it Means

See Also

Purpose

Action

What it Means

See Also

Purpose

Action

What it Means

See Also

Purpose

Action

What it Means

See Also