
Displaying Stateless Firewall Filter Configurations

Purpose

Verify the configuration of the firewall filter. You can analyze the flow of the filter terms by displaying the entire configuration.

Action

From the J-Web interface, select Configuration > View and Edit > View Configuration Text. Alternatively, from configuration mode in the CLI, enter the show firewall command.

The sample output in this section displays the following firewall filters (in order):

[edit]
user@host# show firewall
firewall {
    family inet {
        filter protect-RE {
            term ssh-term {
                from {
                    source-address {
                        192.168.122.0/24;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term bgp-term {
                from {
                    source-address {
                        10.2.1.0/24;
                    }
                    protocol tcp;
                    destination-port bgp;
                }
                then accept;
            }
            term discard-rest-term {
                then {
                    log;
                    syslog;
                    discard;
                }
            }
        }
    }
}
[edit]
user@host# show firewall
firewall {
    policer tcp-connection-policer {
        filter-specific;
        if-exceeding {
            bandwidth-limit 500k;
            burst-size-limit 15k;
        }
        then discard;
    }
    policer icmp-policer {
        filter-specific;
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        filter protect-RE {
            term tcp-connection-term {
                from {
                    source-prefix-list {
                        trusted-addresses;
                    }
                    protocol tcp;
                    tcp-flags "(syn & !ack) | fin | rst";
                }
                then {
                    policer tcp-connection-policer;
                    accept;
                }
            }
            term icmp-term {
                from {
                    protocol icmp;
                    icmp-type [ echo-request echo-reply unreachable time-exceeded ];
                }
                then {
                    policer icmp-policer;
                    count icmp-counter;
                    accept;
                }
            }
            additional terms...
        }
    }
}
[edit]
user@host# show firewall
firewall {
    family inet {
        filter fragment-RE {
            term small-offset-term {
                from {
                    fragment-offset 1-5;
                }
                then {
                    syslog;
                    discard;
                }
            }
            term not-fragmented-term {
                from {
                    source-address {
                        10.2.1.0/24;
                    }
                    fragment-offset 0;
                    fragment-flags 0x0;
                    protocol tcp;
                    destination-port bgp;
                }
                then accept;
            }
            term first-fragment-term {
                from {
                    source-address {
                        10.2.1.0/24;
                    }
                    first-fragment;
                    protocol tcp;
                    destination-port bgp;
                }
                then accept;
            }
            term fragment-term {
                from {
                    fragment-offset 6-8191;
                }
                then accept;
            }
            additional terms ...
        }
    }
}

What it Means

Verify that the output shows the intended configuration of the firewall filter.

Verify that the terms are listed in the order in which you want the packets to be tested. You can move terms within a firewall filter by using the insert CLI command.
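The order check above is easiest to reason about by simulating the filter. The following Python script is an added example, not Juniper's code and not part of this guide: it parses the first protect-RE output shown on this page into its terms in configured order, evaluates a few constructed packets against them with Junos first-match semantics (the first matching term decides, a term with no from block matches every packet, and a packet that matches no term hits the filter's implicit final discard), and lets you re-sequence the terms to see the effect that moving a term with the insert command would have. It assumes a mapping of the symbolic ports ssh and bgp to 22 and 179 and understands only the source-address, protocol and destination-port match conditions.

```python
# Added example (not Juniper's code): parse 'show firewall' text into ordered terms and
# evaluate packets against them with Junos first-match semantics.
import ipaddress
# Constructed sample input: the first protect-RE filter shown on this page.
SHOW_FIREWALL = """\
firewall {
    family inet {
        filter protect-RE {
            term ssh-term {
                from {
                    source-address {
                        192.168.122.0/24;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term bgp-term {
                from {
                    source-address {
                        10.2.1.0/24;
                    }
                    protocol tcp;
                    destination-port bgp;
                }
                then accept;
            }
            term discard-rest-term {
                then {
                    log;
                    syslog;
                    discard;
                }
            }
        }
    }
}
"""
# Assumed mapping of the symbolic port names used in the filter to port numbers.
PORT_NAMES = {"ssh": 22, "bgp": 179}

def parse_config(text):
    """Nested dicts from Junos brace syntax; each key maps to a list so repeated 'term' blocks keep their order."""
    root = {}
    stack = [root]
    for line in filter(None, map(str.strip, text.splitlines())):   # skip blank lines
        if line.endswith("{"):                       # open a block
            child = {}
            stack[-1].setdefault(line[:-1].strip(), []).append(child)
            stack.append(child)
        elif line == "}":                            # close it
            stack.pop()
        elif line.endswith(";"):                     # leaf statement: 'key value;' or 'key;'
            key, _, value = line[:-1].strip().partition(" ")
            stack[-1].setdefault(key, []).append(value or None)
    return root

def ordered_terms(config, filter_name):
    """Return [(name, body), ...] in configured order; dicts preserve insertion order."""
    filt = config["firewall"][0]["family inet"][0]["filter " + filter_name][0]
    return [(k.split(" ", 1)[1], v[0]) for k, v in filt.items() if k.startswith("term ")]

def term_matches(term, pkt):
    """Evaluate the 'from' conditions this example understands; a term with no 'from' matches every packet."""
    cond = term.get("from", [{}])[0]
    if "source-address" in cond and not any(ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(p)
                                            for p in cond["source-address"][0]):
        return False
    if "protocol" in cond and pkt["protocol"] not in cond["protocol"]:
        return False
    if "destination-port" in cond and pkt["dport"] not in {
            int(PORT_NAMES.get(p, p)) for p in cond["destination-port"]}:
        return False
    return True

def term_action(term):
    """Terminating action of a term; a term with no 'then' accepts in Junos."""
    then = term.get("then", ["accept"])[0]
    if isinstance(then, dict):                      # 'then { log; syslog; discard; }' form
        return next((a for a in ("accept", "discard", "reject") if a in then), "accept")
    return then                                     # 'then accept;' form

def evaluate(terms, pkt):
    """First matching term wins; a packet no term matches hits the implicit discard."""
    for name, term in terms:
        if term_matches(term, pkt):
            return name, term_action(term)
    return None, "discard"

def demo(term_order=None):
    """Verdicts for three constructed packets; term_order re-sequences the terms (what CLI 'insert' does)."""
    terms = ordered_terms(parse_config(SHOW_FIREWALL), "protect-RE")
    if term_order:
        terms = [(name, dict(terms)[name]) for name in term_order]
    packets = {"ssh-from-mgmt": {"src": "192.168.122.10", "protocol": "tcp", "dport": 22},
               "bgp-from-peer": {"src": "10.2.1.7", "protocol": "tcp", "dport": 179},
               "ssh-from-peer-net": {"src": "10.2.1.7", "protocol": "tcp", "dport": 22}}
    return {label: evaluate(terms, pkt) for label, pkt in packets.items()}
```

Calling demo() returns accept verdicts from ssh-term and bgp-term for the first two packets and a discard from discard-rest-term for SSH coming from the BGP peer network; demo(["discard-rest-term", "ssh-term", "bgp-term"]) discards all three, which is the ordering mistake the check in the text guards against.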

Related Topics

For more information about the format of a configuration file, see the J-series Services Router Basic LAN and WAN Access Configuration Guide.

For information about the insert command, see the J-series Services Router Basic LAN and WAN Access Configuration Guide.

