[ Contents] [ Prev] [ Next] [ Index] [ Report an Error]

Configuring a Stateful Firewall Filter with a Configuration Editor

To configure a stateful firewall filter and NAT with a configuration editor, you do the following:

Define the stateful firewall filter output and input rules. You must define an output rule that allows all traffic (application and nonapplication) to flow from the trusted network to the untrusted network.
To define the match condition in the term that allows application traffic to flow from the trusted network to the untrusted network, we recommend you specify the JUNOS default group junos-algs-outbound as the application set. To view the configuration of this group, enter the show groups junos-defaults applications application-set junos-algs-outbound configuration mode command. For more information about JUNOS default groups, see the JUNOS CLI User Guide.

You also must define an input rule to discard all traffic from the untrusted network that is not a response to a session originated by the trusted network.
Define an address pool and port pool for NAT.
Define NAT input and output rules.
Define a service set that includes all stateful firewall filter and NAT rules and the service interface. You must specify the service interface as sp-0/0/0. This service interface is a virtual interface that must be included at the [edit interfaces] hierarchy level to support stateful firewall filter and NAT services.
Finally, apply the service set to any interfaces on the Services Router that lead to or from the untrusted network.

Note: Do not apply the service set to the sp-0/0/0 interface.

The example in this section shows how to create a stateful firewall filter and NAT with the rules described in Table 97.

Table 97: Sample Stateful Firewall Filter and NAT Rules

Rule	Type	Term or Terms
to-wan-rule	Output	app-term—Accepts packets from any of the applications defined by the JUNOS default group junos-algs-outbound application set. accept-all-term—Accepts packets that do not match app-term.
from-wan-rule	Input	wan-src-addr-term—Accepts input packets with a source prefix of 192.168.33.0/24. discard-all-term—Discards all packets.
nat-to-wan-rule	Output	private-public-term—Translates the source address to an address within the pool 10.148.2.1 through 10.148.2.32 and dynamically translates the source port to a router-assigned port by means of NAPT

The example also assigns the name public-pool to the NAT address pool and NAPT router-assigned port.

In addition, the example creates the service set wan-service-set that includes the stateful firewall filter and NAT services and defines sp-0/0/0 as its service interface. Finally, wan-service-set is applied to the WAN interface to the untrusted network, t1-0/0/0.

For stateful firewall match conditions, see Stateful Firewall Filter Match Conditions and for stateful firewall actions, see Stateful Firewall Filter Actions.

To configure a stateful firewall filter and NAT and apply them to the WAN interface:

Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
Perform the configuration tasks described in Table 98.
To apply the stateful firewall filter and NAT to the interface, perform the configuration tasks described in Table 99.
If you are finished configuring the router, commit the configuration.
Go on to one of the following procedures:
- To display the configuration, see Displaying Stateful Firewall Filter Configurations.
- To verify the stateful firewall filter, see Verifying a Stateful Firewall Filter.

Table 98: Configuring a Stateful Firewall Filter and NAT

Task	J-Web Configuration Editor	CLI Configuration Editor
Navigate to the Stateful firewall level in the configuration hierarchy.	In the J-Web interface, select Configuration>View and Edit>Edit Configuration. Next to Services, click Configure or Edit. Next to Stateful firewall, click Configure or Edit.	From the [edit] hierarchy level, enter edit services stateful-firewall.
Define to-wan-rule and set its match direction.	Next to Rule, click Add new entry. In the Rule name box, type to-wan-rule. From the Match direction list, select output.	Set the rule name, match direction, term name, and match condition: set rule to-wan-rule match-direction output term app-term from application-sets junos-algs-outbound
Define app-term for the to-wan-rule rule.	Next to Term, click Add new entry. In the Term name box, type app-term.
Define the match condition for app-term—the default junos-algs-outbound application set.	Next to From, click Configure. Next to Application sets, click Add new entry. In the Application set name box, type junos-algs-outbound. Click OK twice.
Define an action for app-term.	On the Term app-term page, next to Then, click Configure. In the Designation list, select Accept. Click OK twice.	Set the action: set rule to-wan-rule term app-term then accept
Define accept-all-term for to-wan-rule.	On the Rule to-wan-rule page, next to Term, click Add new entry. In the Term name box, type accept-all-term.	Set the term name and the action: set rule to-wan-rule term accept-all-term then accept
Define an action for accept-all-term. The action is taken only if a packet does not match app-term.	Next to Then, click Configure. From the Designation list, select Accept. Next to Accept, select the check box. Click OK three times.
Define from-wan-rule and set its match direction.	On the Rule page, next to Rule, click Add new entry. In the Rule name box, type from-wan-rule. From the Match direction list, select input.	Set the rule name, match direction, term name, and the match condition: set rule from-wan-rule match-direction input term wan-src-addr-term from source-address 192.168.33.0/24
Define wan-src-addr-term for the from-wan-rule rule.	Next to Term, click Add new entry. In the Term name box, type wan-src-addr-term.
Define the match condition for wan-src-addr-term.	Next to From, click Configure. Next to Source address, click Add new entry. From the Address list, select Enter Specific Value—>. In the Prefix box, type 192.168.33.0/24. Click OK twice.
Define an action for wan-src-addr-term.	On the Term wan-src-addr-term page, next to Then, click Configure. In the Designation list, select Accept. Click OK twice.	Set the action: set rule from-wan-rule term wan-src-addr-term then accept
Define discard-all-term for from-wan-rule.	On the Rule from-wan-rule page, next to Term, click Add new entry. In the Term name box, type discard-all-term.	Set the term name and the action: set rule from-wan-rule term discard-all-term then discard
Define an action for discard-all-term. The action is taken only if a packet does not match wan-src-addr-term.	Next to Then, click Configure. From the Designation list, select Discard. Click OK three times.
Navigate to the Nat level in the configuration hierarchy.	On the main Configuration page next to Services, click Configure or Edit. Next to Nat, click Configure or Edit.	From the [edit] hierarchy level, enter edit services nat
Define the public-pool address pool name and range.	Next to Pool, click Add new entry. In the Pool name box, type public-pool. From the Address choice list, select Address range. In the High box, type 10.148.2.32. In the Low box, 10.148.2.1.	Set the address pool name and the range: set pool public-pool address-range low 10.148.2.1 high 10.148.2.32
Specify the NAT port pool to be automatically assigned by the router.	Next to Port, click Configure. From the Port choice list, select Automatic. Click OK twice.	Configure the source port translation to be automatic: set pool public-pool port automatic
Define nat-to-wan-rule and private-public-term.	On the Nat page, next to Rule, click Add new entry. In the Rule name box, type nat-to-wan-rule. From the Match direction list, select output. Next to Term, select Add new entry. In the Term name box, type private-public-term. Next to Then, select Configure. Next to Translated, select Configure. In the Source pool box, type public-pool.	Set the rule name, match direction, term name, and the term's pool name: set rule nat-to-wan-rule match-direction output term private-public-term then translated source-pool public-pool
Set the NAT port translation type for private-public-term.	Next to Translation type, select the check box. Select Configure. From the Source list, select dynamic. Click OK five times.	Set the NAT translation type: set rule nat-to-wan-rule match-direction output term private-public-term then translated translation-type source dynamic

Table 99: Applying a Stateful Firewall Filter and NAT to an Interface

Task	J-Web Configuration Editor	CLI Configuration Editor
Navigate to the Services level in the configuration hierarchy.	In the J-Web interface, select Configuration>View and Edit>Edit Configuration. Next to Services, click Configure or Edit.	From the [edit] hierarchy level, enter edit services
Define wan-service-set and assign the stateful firewall filter rule to-wan-rule to the service set.	Next to Service set, click Add new entry. In the Service set name box, type wan-service-set. From the Stateful firewall rules choice list, select Stateful firewall rules. Next to Stateful firewall rules, click Add new entry. In the Rule name box, type to-wan-rule. Click OK.	Define the service set and assign the rule: set service-set wan-service-set stateful-firewall-rules to-wan-rule
Assign the stateful firewall filter rule from-wan-rule to the service set.	Next to Stateful firewall rules, click Add new entry. In the Rule name box, type from-wan-rule. Click OK.	Define the service set and assign the rule: set service-set wan-service-set stateful-firewall-rules from-wan-rule
Assign the NAT rule nat-to-wan-rule to the service set.	From the Nat rules choice list, select Nat rules. Next to Nat rules, click Add new entry. In the Rule name box, type nat-to-wan-rule. Click OK.	Assign the rule to the service set: set service-set wan-service-set nat-rules nat-to-wan-rule
Define the service set type and virtual interface sp–0/0/0 as the service interface for wan-service-set. (See the interface naming conventions in the J-series Services Router Basic LAN and WAN Access Configuration Guide.)	From the Service type choice list, select Interface service. Next to Interface service, click Configure. In the Service interface box, type sp-0/0/0. Click OK.	Define the service set type and the service interface: set service-set wan-service-set interface-service service-interface sp-0/0/0
Configure the sp–0/0/0 service interface.	On the main Configuration page next to Interfaces, click Configure or Edit. Next to Interface, click Add new entry. In the Interface name box, type sp-0/0/0. Next to Unit, click Add new entry. In the Interface unit number box, type 0. Next to Inet, select the check box. Click Configure. Click OK.	From the [edit] hierarchy level, enter set interfaces sp-0/0/0 unit 0 family inet
From the Interfaces level of the configuration hierarchy, navigate to the Inet level of the T1 interface—the untrusted interface in this example—and apply wan-service-set to the input and output sides of the t1–0/0/0 interface. (See the interface naming conventions in the J-series Services Router Basic LAN and WAN Access Configuration Guide.)	On the main Configuration page next to Interfaces, click Edit. Under Interface name, click t1–0/0/0. Under Interface unit number, click 0. Under Family, make sure the Inet check box is selected, and click Configure or Edit. Next to Service, click Configure. Next to Input, click Configure. Next to Service set, click Add new entry. In the Service set name box, type wan-service-set. Click OK. Next to Output, click Configure. Next to Service set, click Add new entry. In the Service set name box, type wan-service-set. Click OK.	From the [edit] hierarchy level, apply the service set to the interface: set interfaces t1-0/0/0 unit 0 family inet service input service-set wan-service-set set interfaces t1-0/0/0 unit 0 family inet service output service-set wan-service-set

[ Contents] [ Prev] [ Next] [ Index] [ Report an Error]