Access Control Lists (Firewall Filters)
Summary: Read this topic to learn about the Layer 3 and Layer 4 access control lists (firewall filters) in the cloud-native router.
Juniper Cloud-Native Router Release supports stateless firewall filters. Firewall filters provide a means of protecting the cloud-native router from excessive traffic transiting the router to a network destination or destined for the Routing Engine. A stateless firewall filter, also known as an access control list (ACL), does not statefully inspect traffic. Instead, it evaluates packet contents statically and does not keep track of the state of network connections. The basic purpose of a stateless firewall filter is to enhance security through the use of packet filtering. Packet filtering enables you to inspect the components of incoming or outgoing packets and then perform the actions you specify on packets that match the criteria you specify. The typical use of a stateless firewall filter is to protect the Routing Engine processes and resources from malicious or untrusted packets.
To influence which packets are allowed to transit the system and to apply special actions to packets as necessary, you can configure a sequence of one or more packet-filtering rules, called filter terms. A filter term specifies match conditions to use to determine a match and actions to take on a matched packet. A stateless firewall filter enables you to manipulate any packet of a particular protocol family, including fragmented packets, based on evaluation of Layer 3 and Layer 4 header fields. Please review the Stateless Firewall Filter Overview topic for more information.
In JCNR you can apply a stateless firewall filter to an ingress interface only. The supported interface types include a fabric interface, a sub-interface, a pod interface and an irb interface.
JCNR supports a maximum number of 16 filters per family and 16 terms per filter.
JCNR supports the IPv4 and IPv6 standard firewall filters with the match conditions and actions listed in the tables below. JCNR also supports Layer 2 access control lists (firewall filters for the bridge family).
IPv4 (family inet) match conditions:

Match Condition | Description
---|---
destination-address address | Match the IPv4 destination address field. You can provide a prefix with an optional subnet mask.
destination-port number | Match the UDP or TCP destination port field. When configuring port-based matches, you must also configure the protocol match condition in the same term. In place of the numeric value, you can specify a text synonym for the port.
source-address address | Match the IPv4 address of the source node sending the packet. You can provide a prefix with an optional subnet mask.
source-port number | Match the UDP or TCP source port field. When configuring port-based matches, you must also configure the protocol match condition in the same term. In place of the numeric value, you can specify the same text synonyms as for destination-port.
protocol number | Match the IP protocol type field. In place of the numeric value, you can specify a text synonym for the protocol.
tcp-flags value | Match one or more of the low-order 6 bits in the 8-bit TCP flags field in the TCP header. To specify individual bit fields, you can use text synonyms or hexadecimal values. In a TCP session, the SYN flag is set only in the initial packet sent, while the ACK flag is set in all packets sent after the initial packet. You can string together multiple flags using the bit-field logical operators. If you configure this match condition, we recommend that you also configure the protocol match condition in the same term, so that the flags are evaluated only on TCP packets.
icmp-type number | Match the ICMP message type field. In place of the numeric value, you can specify a text synonym for the message type.
IPv6 (family inet6) match conditions:

Match Condition | Description
---|---
destination-address address | Match the IPv6 destination address field. You can provide a prefix with an optional subnet mask.
destination-port number | Match the UDP or TCP destination port field. When configuring port-based matches, you must also configure the match condition that identifies the transport protocol in the same term. In place of the numeric value, you can specify a text synonym for the port.
source-address address | Match the IPv6 address of the source node sending the packet. You can provide a prefix with an optional subnet mask.
source-port number | Match the UDP or TCP source port field. When configuring port-based matches, you must also configure the match condition that identifies the transport protocol in the same term. In place of the numeric value, you can specify the same text synonyms as for destination-port.
tcp-flags value | Match one or more of the low-order 6 bits in the 8-bit TCP flags field in the TCP header. To specify individual bit fields, you can use text synonyms or hexadecimal values. In a TCP session, the SYN flag is set only in the initial packet sent, while the ACK flag is set in all packets sent after the initial packet. You can string together multiple flags using the bit-field logical operators.
icmp-type message-type | Match the ICMP message type field. In place of the numeric value, you can specify a text synonym for the message type.
Supported actions:

Type of Action | Description | Supported actions
---|---|---
Terminating | Halts all evaluation of a firewall filter for a specific packet. The router performs the specified action, and no additional terms are used to examine the packet. You can specify only one terminating action in a firewall filter term. If you try to specify more than one terminating action within the filter term, the latest terminating action replaces the existing terminating action. You can, however, specify one terminating action with one or more nonterminating actions in a single term. For example, within a term, you can specify count together with accept. | accept, discard (as used in the configuration examples below)
Nonterminating | Performs other functions on a packet (such as incrementing a counter, logging information about the packet header, sampling the packet data, or sending information to a remote host using the system log functionality), but any additional terms are used to examine the packet. Note: JCNR supports the count nonterminating action. | count counter-name
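The following is an added example, not JCNR or Junos code, that models the evaluation rules described above so you can reason about a filter before committing it: terms are walked in order, all conditions in a term's from clause must match the same packet (logical AND), a count action fires on every match and evaluation continues, a terminating action halts evaluation, the latest terminating action configured in a term replaces the earlier one, and a family holds at most 16 filters of at most 16 terms each. The packets, addresses, term names and counter names are constructed sample data; the fall-through to discard when no term terminates is an assumption borrowed from Junos behaviour and is marked as such in the code.

```python
"""Added example (not JCNR/Junos code): a model of stateless filter evaluation.
Assumption: a packet that reaches the end of the term list is discarded."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

MAX_FILTERS_PER_FAMILY = 16          # limit stated in this topic
MAX_TERMS_PER_FILTER = 16            # limit stated in this topic
TERMINATING_ACTIONS = {"accept", "discard"}
# Low-order six bits of the TCP flags byte, by their tcp-flags text synonyms.
TCP_FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
                 "push": 0x08, "ack": 0x10, "urgent": 0x20}


@dataclass
class Term:
    name: str
    match: dict = field(default_factory=dict)   # the term's from { ... } conditions
    count: Optional[str] = None                 # nonterminating action: counter name
    terminating: Optional[str] = None           # accept or discard

    def set_terminating(self, action: str) -> None:
        """A later terminating action replaces the existing one in the term."""
        if action not in TERMINATING_ACTIONS:
            raise ValueError(f"unsupported terminating action {action!r}")
        self.terminating = action

    def matches(self, pkt: dict) -> bool:
        """All configured conditions must hold for the same packet (AND)."""
        m = self.match
        if "source-address" in m and ip_address(pkt["src"]) not in ip_network(m["source-address"]):
            return False
        if "destination-address" in m and ip_address(pkt["dst"]) not in ip_network(m["destination-address"]):
            return False
        if "protocol" in m and pkt.get("protocol") != m["protocol"]:
            return False
        if "source-port" in m and pkt.get("sport") != m["source-port"]:
            return False
        if "destination-port" in m and pkt.get("dport") != m["destination-port"]:
            return False
        if "tcp-flags" in m:
            want = TCP_FLAG_BITS[m["tcp-flags"]]
            if pkt.get("protocol") != "tcp" or (pkt.get("tcp_flags", 0) & want) != want:
                return False
        if "icmp-type" in m and pkt.get("icmp_type") != m["icmp-type"]:
            return False
        return True


@dataclass
class Filter:
    name: str
    terms: list = field(default_factory=list)
    counters: dict = field(default_factory=dict)   # what 'show firewall' would report

    def add_term(self, term: Term) -> None:
        if len(self.terms) >= MAX_TERMS_PER_FILTER:
            raise ValueError(f"filter {self.name}: more than {MAX_TERMS_PER_FILTER} terms")
        self.terms.append(term)

    def evaluate(self, pkt: dict) -> str:
        for term in self.terms:
            if not term.matches(pkt):
                continue
            if term.count:            # nonterminating: fire, then keep evaluating
                self.counters[term.count] = self.counters.get(term.count, 0) + 1
            if term.terminating:      # terminating: stop here
                return term.terminating
        return "discard"              # assumption: no terminating match -> discard


def build_family(filters: list) -> dict:
    """Enforce the per-family filter limit and index the filters by name."""
    if len(filters) > MAX_FILTERS_PER_FAMILY:
        raise ValueError(f"more than {MAX_FILTERS_PER_FAMILY} filters in one family")
    return {f.name: f for f in filters}


def demo() -> dict:
    """Constructed scenario: count and accept BGP from one peer; count and
    discard everything else that reaches the term list."""
    f = Filter("temp")
    bgp = Term("allow-bgp", {"source-address": "10.0.0.1/32", "protocol": "tcp",
                             "destination-port": 179}, count="c1")
    bgp.set_terminating("discard")
    bgp.set_terminating("accept")     # the later action replaces the earlier one
    f.add_term(bgp)
    f.add_term(Term("rest", {}, count="c2", terminating="discard"))
    family = build_family([f])
    pkts = [  # constructed packets
        {"src": "10.0.0.1", "dst": "10.0.0.2", "protocol": "tcp", "dport": 179, "tcp_flags": 0x02},
        {"src": "10.0.0.9", "dst": "10.0.0.2", "protocol": "tcp", "dport": 179},
        {"src": "10.0.0.1", "dst": "10.0.0.2", "protocol": "icmp", "icmp_type": "echo-request"},
    ]
    verdicts = [family["temp"].evaluate(p) for p in pkts]
    return {"verdicts": verdicts, "counters": dict(f.counters)}
```

Running `demo()` returns `accept` for the BGP packet from the permitted peer and `discard` for the other two, with c1 at 1 and c2 at 2; adding a seventeenth term to a filter raises a `ValueError`, which is the check you want in any tooling that generates filter configuration for JCNR.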
Configuration Example
Use the configlet resource to configure the cRPD pods.
You can configure the JCNR controller with a stateless firewall filter under the firewall hierarchy. A configuration example for the IPv4 family is provided below:

    firewall {
        family inet {
            filter temp {
                term a {
                    from {
                        source-address {
                            10.0.0.1/32;
                        }
                        destination-address {
                            10.0.0.2/32;
                        }
                        protocol icmp;
                        icmp-type echo-request;
                        source-port http;
                        destination-port bgp;
                        tcp-flags fin;
                    }
                    then {
                        count c1;
                        accept;
                    }
                }
            }
        }
    }
A configuration example for the IPv6 family is provided below:

    firewall {
        family inet6 {
            filter temp6 {
                term a {
                    from {
                        source-address {
                            2001:db8::1/128;
                        }
                        destination-address {
                            2001:db8::1/128;
                        }
                        icmp-type echo-request;
                        source-port http;
                        destination-port bgp;
                        tcp-flags fin;
                    }
                    then {
                        count c1;
                        discard;
                    }
                }
            }
        }
    }
The filter is applied to the ingress interface. The supported interfaces include a fabric interface, a sub-interface, a pod interface and an irb interface. The filter can be applied only on input for an interface:

    user@host> show interfaces enp4s0
    unit 0 {
        family inet {
            filter {
                input temp;
            }
            address 10.0.0.1/24;
        }
        family inet6 {
            filter {
                input temp6;
            }
        }
    }
Troubleshooting
JCNR Controller Commands
Display all firewall filters for family inet (IPv4):

    user@host> show firewall family inet
    Filter: temp
    Counters:
    Name                                                Bytes              Packets
    c1                                                      0                    0
    c2                                                1532909                22500
    Filter: temp 2
    Counters:
    Name                                                Bytes              Packets
    c3                                                      0                    0
    c4                                                    100                  100

Display a specific firewall filter for family inet:

    user@host> show firewall family inet filter temp
    Filter: temp
    Counters:
    Name                                                Bytes              Packets
    c1                                                      0                    0
    c2                                                1532909                22500

Display a specific counter for a firewall filter for family inet:

    user@host> show firewall family inet filter temp counter c2
    Filter: temp
    Counters:
    Name                                                Bytes              Packets
    c2                                                1532909                22500

Display all firewall filters for family inet6 (IPv6):

    user@host> show firewall family inet6
    Filter: temp6
    Counters:
    Name                                                Bytes              Packets
    c1                                                      0                    0
    c2                                                1532909                22500
    Filter: temp6_2
    Counters:
    Name                                                Bytes              Packets
    c3                                                      0                    0
    c4                                                    100                  100
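Counter output of this shape is the main signal you have for whether a filter is doing anything, so it is worth scripting. The following is an added example, not part of JCNR, that parses the `show firewall family ...` output format shown above into per-filter counter values and compares two snapshots to report which counters moved, flagging a counter that went backwards as probably cleared in between. The two snapshots are constructed sample data in the page's layout; the filter and counter names in them are invented for the example.

```python
"""Added example (not JCNR code): parse 'show firewall family <f>' output and
diff two snapshots. A growing counter on a discard term means the filter is
dropping traffic; a growing counter on an accept term shows what got through."""
import re

# Constructed snapshots in the layout printed by 'show firewall family inet'.
SNAPSHOT_T0 = """\
Filter: temp
Counters:
Name                                                Bytes              Packets
c1                                                      0                    0
c2                                                1532909                22500
Filter: temp2
Counters:
Name                                                Bytes              Packets
c3                                                      0                    0
c4                                                    100                  100
"""

SNAPSHOT_T1 = """\
Filter: temp
Counters:
Name                                                Bytes              Packets
c1                                                      0                    0
c2                                                1533529                22510
Filter: temp2
Counters:
Name                                                Bytes              Packets
c3                                                      7                    1
c4                                                      0                    0
"""

# One counter row: name, byte count, packet count separated by whitespace.
COUNTER_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)$")


def parse_show_firewall(text: str) -> dict:
    """Return {filter_name: {counter_name: (bytes, packets)}}."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Filter:"):
            current = line.split(":", 1)[1].strip()   # keeps names with spaces intact
            result[current] = {}
        elif current is not None and line and not line.startswith(("Counters", "Name")):
            m = COUNTER_RE.match(line)
            if m:
                result[current][m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return result


def counter_deltas(before: dict, after: dict) -> dict:
    """Counters whose packet count changed between snapshots, keyed by
    (filter, counter). 'cleared' is set when the count went backwards, which
    normally means someone ran 'clear firewall ...' in between."""
    deltas = {}
    for fname, counters in after.items():
        for cname, (b, p) in counters.items():
            pb, pp = before.get(fname, {}).get(cname, (0, 0))
            delta = {"bytes": b - pb, "packets": p - pp, "cleared": p < pp}
            if delta["packets"] != 0 or delta["cleared"]:
                deltas[(fname, cname)] = delta
    return deltas


def report(before_text: str, after_text: str) -> list:
    """Human-readable lines for the counters that moved."""
    deltas = counter_deltas(parse_show_firewall(before_text), parse_show_firewall(after_text))
    lines = []
    for (fname, cname), d in sorted(deltas.items()):
        note = " (counter was cleared between snapshots)" if d["cleared"] else ""
        lines.append(f"{fname}/{cname}: {d['packets']:+d} packets, {d['bytes']:+d} bytes{note}")
    return lines
```

Paste the output of the same command taken a few minutes apart into the two snapshot slots (or read them from files) and `report()` tells you which terms are actually being hit; a filter whose discard counter never moves while you expect blocked traffic is usually applied to the wrong interface or ordered after a term that accepts first.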
You can use the following commands to clear the counter statistics:
    clear firewall family name                                   >> clear all counter statistics for a family
    clear firewall family name filter name                       >> clear all counter statistics for a specific filter for a family
    clear firewall family name filter name count counter-name    >> clear statistics for a specific counter for a specific filter for a family
vRouter Commands
    bash-5.1# acl --family inet --filter f4 --term t4
    =======================================
    Filter: f4
    =======================================
    Term: t4
    -----
    Priority: 268420555
    Dest IP: 10.0.0.1/32
    Src IP: 10.0.0.2/32
    Dst ports: [179 - 179]
    Src ports: [179 - 179]
    Action: accept (n/a)

    bash-5.1# acl --list-actions
    [1] inet filter "f1": Counter "c1" Rx Packets: 2
    [2] inet filter "f1": Counter "c2" Rx Packets: 1
Additional acl commands include the following:

    acl --list-filters --family <inet/inet6/mpls>                          >> Lists the full acl table
    acl --list-actions                                                     >> Shows the acl entry corresponding to filter name and term name
    acl --family <inet/inet6/mpls> --filter <name> [--list-terms]          >> Shows the ACL term list
    acl --family <inet/inet6/mpls> --filter <name> [--term <name>]         >> Shows the ACL term details
    acl --family <inet/inet6/mpls> --filter <name> [--action <name>]       >> Shows the ACL action details
    acl --family <inet/inet6/mpls> --filter <name> [--action <name>] --clear >> Clears the ACL action details
    acl --help                                                             >> Prints the help messages
You can view the filter associated with an interface using the vif --get command; the last two lines of the output name the inet and inet6 ACLs bound to the interface:

    bash-5.1# vif --get 5
    Vrouter Interface Table

    Flags: P=Policy, X=Cross Connect, S=Service Chain
           Mr=Receive Mirror
           Mt=Transmit Mirror, Tc=Transmit Checksum Offload, L3=Layer 3, L2=Layer 2
           D=DHCP, Vp=Vhost Physical, Pr=Promiscuous, Vnt=Native Vlan Tagged
           Mnp=No MAC Proxy, Dpdk=DPDK PMD Interface, Rfl=Receive Filtering Offload, Mon=Interface is Monitored
           Uuf=Unknown Unicast Flood, Vof=VLAN insert/strip offload, Df=Drop New Flows, L=MAC Learning Enabled
           Proxy=MAC Requests Proxied Always, Er=Etree Root, Mn=Mirror without Vlan Tag, HbsL=HBS Left Intf
           HbsR=HBS Right Intf, Ig=Igmp Trap Enabled, Ml=MAC-IP Learning Enabled, Me=Multicast Enabled

    vif0/5      PCI: 0000:07:00.0 NH: 10 MTU: 9000
                Type:Physical HWaddr:02:8b:65:44:27:bd IPaddr:0.0.0.0
                DDP: OFF SwLB: ON
                Vrf:0 Mcast Vrf:0 Flags:L3L2Vof QOS:0 Ref:9
                RX device packets:8807  bytes:374638 errors:0
                RX port   packets:8806 errors:0
                RX queue  errors to lcore 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
                Fabric Interface: 0000:07:00.0  Status: UP  Driver: 0000:07:00.0
                RX packets:8806  bytes:374596 errors:0
                TX packets:2  bytes:240 errors:0
                Drops:0
                TX queue  packets:2 errors:0
                TX port   packets:2 errors:0
                TX device packets:8  bytes:912 errors:0
                inet acl f1
                inet6 acl f1v6