Access Control Lists (Firewall Filters)

SUMMARY Read this topic to learn about the Layer 3-Layer 4 access control lists (firewall filters) in the cloud-native router.

Juniper Cloud-Native Router Release supports stateless firewall filters. Firewall filters provide a means of protecting the cloud-native router from excessive traffic transiting the router to a network destination or destined for the Routing Engine. A stateless firewall filter, also known as an access control list (ACL), does not statefully inspect traffic. Instead, it evaluates packet contents statically and does not keep track of the state of network connections. The basic purpose of a stateless firewall filter is to enhance security through the use of packet filtering. Packet filtering enables you to inspect the components of incoming or outgoing packets and then perform the actions you specify on packets that match the criteria you specify. The typical use of a stateless firewall filter is to protect the Routing Engine processes and resources from malicious or untrusted packets.

To influence which packets are allowed to transit the system and to apply special actions to packets as necessary, you can configure a sequence of one or more packet-filtering rules, called filter terms. A filter term specifies match conditions to use to determine a match and actions to take on a matched packet. A stateless firewall filter enables you to manipulate any packet of a particular protocol family, including fragmented packets, based on evaluation of Layer 3 and Layer 4 header fields. Please review the Stateless Firewall Filter Overview topic for more information.

Note:

In JCNR you can apply a stateless firewall filter to an ingress interface only. The supported interface types are a fabric interface, a sub-interface, a pod interface, and an irb interface.

Note:

JCNR supports a maximum of 16 filters per family and 16 terms per filter.

JCNR supports the IPv4 and IPv6 standard firewall filter with the match conditions and actions listed in the tables that follow. JCNR also supports Layer 2 access control lists (firewall filters for the bridge family).

Table 1: Firewall Filter Match Conditions for IPv4 Traffic

Match Condition

Description

destination-address address

Match the IPv4 destination address field. You can provide a prefix with an optional subnet mask.

destination-port number

Match the UDP or TCP destination port field.

When configuring port-based matches, you must also configure the protocol udp or protocol tcp match statement in the same filter term. Matching only on the port value can result in unexpected matches.

In place of the numeric value, you can specify one of the following text synonyms (the port numbers are also listed): afs (1483), bgp (179), biff (512), bootpc (68), bootps (67), cmd (514), cvspserver (2401), dhcp (67), domain (53), eklogin (2105), ekshell (2106), exec (512), finger (79), ftp (21), ftp-data (20), http (80), https (443), ident (113), imap (143), kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544), ldap (389), ldp (646), login (513), mobileip-agent (434), mobilip-mn (435), msdp (639), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123), pop3 (110), pptp (1723), printer (515), radacct (1813), radius (1812), rip (520), rkinit (2108), smtp (25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514), tacacs (49), tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525), who (513), or xdmcp (177).

source-address address

Match the IPv4 address of the source node sending the packet. You can provide a prefix with an optional subnet mask.

source-port number

Match the UDP or TCP source port field.

When configuring port-based matches, you must also configure the protocol udp or protocol tcp match statement in the same filter term. Matching only on the port value can result in unexpected matches.

In place of the numeric value, you can specify one of the text synonyms listed with the destination-port number match condition.

protocol number

Match the IP protocol type field. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): ah (51), dstopts (60), egp (8), esp (50), fragment (44), gre (47), hop-by-hop (0), icmp (1), icmp6 (58), icmpv6 (58), igmp (2), ipip (4), ipv6 (41), ospf (89), pim (103), rsvp (46), sctp (132), tcp (6), udp (17), or vrrp (112).

tcp-flags value

Match one or more of the low-order 6 bits in the 8-bit TCP flags field in the TCP header.

To specify individual bit fields, you can specify the following text synonyms or hexadecimal values:

  • fin (0x01)

  • syn (0x02)

  • rst (0x04)

  • push (0x08)

  • ack (0x10)

  • urgent (0x20)

In a TCP session, the SYN flag is set only in the initial packet sent, while the ACK flag is set in all packets sent after the initial packet.

You can string together multiple flags using the bit-field logical operators.

If you configure this match condition, we recommend that you also configure the protocol tcp match statement in the same term to specify that the TCP protocol is being used on the port.

icmp-type number

Match the ICMP message type field.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): echo-reply (0), echo-request (8), info-reply (16), info-request (15), mask-request (17), mask-reply (18), parameter-problem (12), redirect (5), router-advertisement (9), router-solicit (10), source-quench (4), time-exceeded (11), timestamp (13), timestamp-reply (14), or unreachable (3).

Table 2: Firewall Filter Match Conditions for IPv6 Traffic

Match Condition

Description

destination-address address

Match the IPv6 destination address field. You can provide a prefix with an optional subnet mask.

destination-port number

Match the UDP or TCP destination port field.

When configuring port-based matches, you must also configure the protocol udp or protocol tcp match statement in the same filter term. Matching only on the port value can result in unexpected matches.

In place of the numeric value, you can specify one of the following text synonyms (the port numbers are also listed): afs (1483), bgp (179), biff (512), bootpc (68), bootps (67), cmd (514), cvspserver (2401), dhcp (67), domain (53), eklogin (2105), ekshell (2106), exec (512), finger (79), ftp (21), ftp-data (20), http (80), https (443), ident (113), imap (143), kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544), ldap (389), ldp (646), login (513), mobileip-agent (434), mobilip-mn (435), msdp (639), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123), pop3 (110), pptp (1723), printer (515), radacct (1813), radius (1812), rip (520), rkinit (2108), smtp (25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514), tacacs (49), tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525), who (513), or xdmcp (177).

source-address address

Match the IPv6 address of the source node sending the packet. You can provide a prefix with an optional subnet mask.

source-port number

Match the UDP or TCP source port field.

When configuring port-based matches, you must also configure the protocol udp or protocol tcp match statement in the same filter term. Matching only on the port value can result in unexpected matches.

In place of the numeric value, you can specify one of the text synonyms listed with the destination-port number match condition.

tcp-flags value

Match one or more of the low-order 6 bits in the 8-bit TCP flags field in the TCP header.

To specify individual bit fields, you can specify the following text synonyms or hexadecimal values:

  • fin (0x01)

  • syn (0x02)

  • rst (0x04)

  • push (0x08)

  • ack (0x10)

  • urgent (0x20)

In a TCP session, the SYN flag is set only in the initial packet sent, while the ACK flag is set in all packets sent after the initial packet.

You can string together multiple flags using the bit-field logical operators.

icmp-type message-type

Match the ICMP message type field.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): certificate-path-advertisement (149), certificate-path-solicitation (148), destination-unreachable (1), echo-reply (129), echo-request (128), home-agent-address-discovery-reply (145), home-agent-address-discovery-request (144), inverse-neighbor-discovery-advertisement (142), inverse-neighbor-discovery-solicitation (141), membership-query (130), membership-report (131), membership-termination (132), mobile-prefix-advertisement-reply (147), mobile-prefix-solicitation (146), neighbor-advertisement (136), neighbor-solicit (135), node-information-reply (140), node-information-request (139), packet-too-big (2), parameter-problem (4), private-experimentation-100 (100), private-experimentation-101 (101), private-experimentation-200 (200), private-experimentation-201 (201), redirect (137), router-advertisement (134), router-renumbering (138), router-solicit (133), or time-exceeded (3).

Table 3: Firewall Filter Actions

Terminating

Description: Halts all evaluation of a firewall filter for a specific packet. The router (or switch) performs the specified action, and no additional terms are used to examine the packet.

You can specify only one terminating action in a firewall filter term. If you try to specify more than one terminating action within the filter term, the latest terminating action replaces the existing one. You can, however, specify one terminating action with one or more nonterminating actions in a single term. For example, within a term, you can specify accept with count and syslog. Regardless of the number of terms that contain terminating actions, once the system processes a terminating action within a term, processing of the entire firewall filter halts.

Supported actions:

  • accept — Accept the packet.

  • discard — Discard the packet silently, without sending an Internet Control Message Protocol (ICMP) message. Discarded packets are available for logging and sampling.

Nonterminating

Description: Performs other functions on a packet (such as incrementing a counter, logging information about the packet header, sampling the packet data, or sending information to a remote host using the system log functionality), but any additional terms are still used to examine the packet.

Note: JCNR supports count as a nonterminating action only when added along with a terminating action.

Supported actions:

  • count counter-name

Configuration Example

Note:

Use the configlet resource to configure the cRPD pods.

You can configure the JCNR controller with a stateless firewall filter under the firewall hierarchy. A configuration example for IPv4 family is provided below:

A configuration example for IPv6 family is provided below:

The filter is applied to the ingress interface. The supported interfaces are a fabric interface, a sub-interface, a pod interface, and an irb interface. The filter can be applied only in the input direction on an interface:
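The IPv4 filter, the IPv6 filter, and the interface application described in the three paragraphs above, as one added example written for this page; it is not the page's own (omitted) example and not a configuration shipped with JCNR. The filter names, counter names, the documentation prefixes 192.0.2.0/24 and 2001:db8:1::/64, and the interface name enp3s0 are placeholders. The match conditions and actions used are limited to those listed in Tables 1 to 3, every port match is paired with a protocol match as the tables require, and count appears only alongside a terminating action. The protocol keyword under family inet6 follows the wording of Table 2 (on other Junos platforms the equivalent inet6 match is next-header); its acceptance by a given JCNR release is an assumption to confirm at commit time.

```junos
firewall {
    family inet {
        filter protect-re-v4 {
            /* Placeholder filter name. Terms are evaluated in order; the first term
               whose terminating action (accept or discard) fires ends evaluation. */
            term allow-bgp-peers {
                from {
                    /* 192.0.2.0/24 is a documentation prefix standing in for the peer subnet. */
                    source-address {
                        192.0.2.0/24;
                    }
                    /* A port match is always paired with a protocol match (Table 1). */
                    protocol tcp;
                    destination-port bgp;
                }
                then {
                    /* count is nonterminating; JCNR supports it only next to a terminating action. */
                    count bgp-accepted;
                    accept;
                }
            }
            term allow-established-tcp {
                from {
                    protocol tcp;
                    /* Bit-field operators combine flags: ack or rst marks an already-open session. */
                    tcp-flags "(ack | rst)";
                }
                then accept;
            }
            term allow-icmp-echo {
                from {
                    protocol icmp;
                    icmp-type [ echo-request echo-reply ];
                }
                then accept;
            }
            term deny-rest {
                /* No from clause: matches everything the terms above did not accept. */
                then {
                    count v4-discarded;
                    discard;
                }
            }
        }
    }
    family inet6 {
        filter protect-re-v6 {
            term allow-neighbor-discovery {
                from {
                    /* Discarding all ICMPv6 breaks Neighbor Discovery on the link; permit it explicitly. */
                    protocol icmp6;
                    icmp-type [ neighbor-solicit neighbor-advertisement router-advertisement ];
                }
                then accept;
            }
            term allow-bgp-peers {
                from {
                    /* 2001:db8:1::/64 is a documentation prefix standing in for the peer subnet. */
                    source-address {
                        2001:db8:1::/64;
                    }
                    protocol tcp;
                    destination-port bgp;
                }
                then {
                    count bgp6-accepted;
                    accept;
                }
            }
            term deny-rest {
                then {
                    count v6-discarded;
                    discard;
                }
            }
        }
    }
}
interfaces {
    /* enp3s0 is a placeholder fabric interface; sub-, pod and irb interfaces take the filter the same way. */
    enp3s0 {
        unit 0 {
            family inet {
                filter {
                    /* Only the input (ingress) direction is supported in JCNR. */
                    input protect-re-v4;
                }
            }
            family inet6 {
                filter {
                    input protect-re-v6;
                }
            }
        }
    }
}
```

Each filter uses four terms or fewer, well inside the 16-terms-per-filter limit noted above, and the final deny-rest term is what turns the filter into an allow-list: without it, packets matching no term fall through to the family's default behaviour rather than being explicitly counted and discarded. The named counters (bgp-accepted, v4-discarded, and so on) are the values to watch after commit to confirm that the intended traffic, and only that traffic, is reaching the Routing Engine.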

Troubleshooting

JCNR Controller Commands

The following commands may be used on the JCNR controller to view firewall information:

Display all firewall filters for family inet (IPv4)

Display a specific firewall filter for family inet

Display a specific counter for a firewall filter for family inet

Display all firewall filters for family inet6 (IPv6)

You can use the following commands to clear the counter statistics:
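As an added illustration for the command descriptions above, not commands reproduced from this page, the standard Junos operational commands that perform those checks on a cRPD-based controller, using placeholder filter and counter names (protect-re-v4, bgp-accepted). Their presence in a given JCNR release is an assumption; the argument order of the per-counter query in particular should be confirmed with ? completion in the CLI. Filters of every family, inet6 included, appear in the unqualified show firewall listing.

```junos
user@jcnr-controller> show firewall
user@jcnr-controller> show firewall filter protect-re-v4
user@jcnr-controller> show firewall filter protect-re-v4 counter bgp-accepted
user@jcnr-controller> clear firewall filter protect-re-v4
user@jcnr-controller> clear firewall all
```

The first command lists every configured filter with its counters, the second narrows the output to one filter, and the third (the assumed form) returns a single named counter; the two clear commands reset counters for one filter or for all filters, which is useful immediately before a controlled test so that any subsequent non-zero discard count is unambiguous.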

vRouter Commands

The following commands may be used on the vRouter to view the firewall configuration:

Additional acl commands include the following:

You can view the filter associated with an interface using the vif --get command: