ON THIS PAGE
Access Control Lists (Firewall Filters)
Read this topic to learn about the Layer 3-Layer 4 access control lists (firewall filters) in the cloud-native router.
Juniper Cloud-Native Router Release supports stateless firewall filters. Firewall filters provide a means of protecting the cloud-native router from excessive traffic transiting the router to a network destination or destined for the Routing Engine. A stateless firewall filter, also known as an access control list (ACL), does not statefully inspect traffic. Instead, it evaluates packet contents statically and does not keep track of the state of network connections. The basic purpose of a stateless firewall filter is to enhance security through the use of packet filtering. Packet filtering enables you to inspect the components of incoming or outgoing packets and then perform the actions you specify on packets that match the criteria you specify. The typical use of a stateless firewall filter is to protect the Routing Engine processes and resources from malicious or untrusted packets.
To influence which packets are allowed to transit the system and to apply special actions to packets as necessary, you can configure a sequence of one or more packet-filtering rules, called filter terms. A filter term specifies match conditions to use to determine a match and actions to take on a matched packet. A stateless firewall filter enables you to manipulate any packet of a particular protocol family, including fragmented packets, based on evaluation of Layer 3 and Layer 4 header fields. Please review the Stateless Firewall Filter Overview topic for more information.
Cloud-Native Router also supports Layer-2 access control lists (firewall filter for bridge family).
In Cloud-Native Router you can apply a stateless firewall filter to an ingress interface only. The
supported interfaces types include a fabric interface, sub-interface, pod interface and an
irb interface.
Cloud-Native Router supports a maximum number of 16 filters per family and 16 terms per filter.
Supported Protocol Families
|
Type of Traffic to be Filtered |
Configuration Statement |
|---|---|
|
Internet Protocol version 4 (IPv4) |
family inet |
|
Internet Protocol version 6 (IPv6) |
family inet6 |
|
MPLS |
family mpls |
- Supported Match Conditions and Actions (IPv4 and IPv6)
- Supported Match Conditions and Actions (MPLS)
Supported Match Conditions and Actions (IPv4 and IPv6)
Cloud-Native Router supports the IPv4 and IPv6 standard firewall filter with the match conditions and actions provided in the table.
|
Match Condition |
Description |
|---|---|
|
destination-address address |
Match the IPv4 destination address field. You can provide a prefix with an optional subnet mask. |
| destination-port number |
Match the UDP or TCP destination port field. When configuring port based matches you must also configure the In place of the numeric value, you can specify one of the following text synonyms
(the port numbers are also listed): |
|
source-address address |
Match the IPv4 address of the source node sending the packet. You can provide a prefix with an optional subnet mask. |
|
source-port number |
Match the UDP or TCP source port field. When configuring port based matches you must also configure the In place of the numeric value, you can specify one of the text synonyms listed with
the |
|
protocol number |
Match the IP protocol type field. In place of the numeric value, you can specify
one of the following text synonyms (the field values are also listed):
|
|
tcp-flags value |
Match one or more of the low-order 6 bits in the 8-bit TCP flags field in the TCP header. To specify individual bit fields, you can specify the following text synonyms or hexadecimal values:
In a TCP session, the SYN flag is set only in the initial packet sent, while the ACK flag is set in all packets sent after the initial packet. You can string together multiple flags using the bit-field logical operators. If you configure this match condition, we recommend that you also configure the
|
|
icmp-type number |
Match the ICMP message type field. In place of the numeric value, you can specify one of the following text synonyms
(the field values are also listed): |
|
Match Condition |
Description |
|---|---|
|
destination-address address |
Match the IPv6 destination address field. You can provide a prefix with an optional subnet mask. |
| destination-port number |
Match the UDP or TCP destination port field. When configuring port based matches you must also configure the In place of the numeric value, you can specify one of the following text synonyms
(the port numbers are also listed): |
|
source-address address |
Match the IPv6 address of the source node sending the packet. You can provide a prefix with an optional subnet mask. |
|
source-port number |
Match the UDP or TCP source port field. When configuring port based matches you must also configure the In place of the numeric value, you can specify one of the text synonyms listed with
the |
|
tcp-flags value |
Match one or more of the low-order 6 bits in the 8-bit TCP flags field in the TCP header. To specify individual bit fields, you can specify the following text synonyms or hexadecimal values:
In a TCP session, the SYN flag is set only in the initial packet sent, while the ACK flag is set in all packets sent after the initial packet. You can string together multiple flags using the bit-field logical operators. |
|
icmp-type message-type |
Match the ICMP message type field. In place of the numeric value, you can specify one of the following text synonyms
(the field values are also listed): |
|
Type of Action |
Description |
Supported actions |
|---|---|---|
|
Terminating |
Halts all evaluation of a firewall filter for a specific packet. The router (or switch) performs the specified action, and no additional terms are used to examine the packet. You can specify only one terminating action in a firewall filter term. If
you try to specify more than one terminating action within the filter term
then the latest terminating action will replace the existing terminating
action. You can, however, specify one terminating action with one or more
nonterminating actions in a single term. For example, within a term, you
can specify |
|
|
Nonterminating |
Performs other functions on a packet (such as incrementing a counter, logging information about the packet header, sampling the packet data, or sending information to a remote host using the system log functionality), but any additional terms are used to examine the packet. Note: Cloud-Native Router supports |
Note:
Cloud-Native Router is preconfigured with the following syslog configuration: set system syslog file jcnr-firewall.log any any set system syslog file jcnr-firewall.log match-strings “JCNR-FIREWALL” You must additionally configure syslog as follows: set system syslog file messages_firewall_any match-strings “JCNR-FIREWALL”
|
Supported Match Conditions and Actions (MPLS)
Cloud-Native Router supports the MPLS standard firewall filter with the match conditions and actions provided in the table.
|
Match Condition |
Description |
|---|---|
|
exp number |
Experimental (EXP) bit number or range of bit numbers in the MPLS header of a packet. For number, you can specify one or more values from 0 through 7 in binary, decimal or hexadecimal format, as given below:
|
|
label number |
MPLS label value or range of label values in the MPLS header of a packet. For number, you can specify one or more values from 0 through 1048575 in decimal or hexadecimal format, as given below:
|
|
Type of Action |
Description |
Supported actions |
|---|---|---|
|
Terminating |
Halts all evaluation of a firewall filter for a specific packet. The router (or switch) performs the specified action, and no additional terms are used to examine the packet. You can specify only one terminating action in a firewall filter term. If
you try to specify more than one terminating action within the filter term
then the latest terminating action will replace the existing terminating
action. You can, however, specify one terminating action with one or more
nonterminating actions in a single term. For example, within a term, you
can specify |
|
|
Nonterminating |
Performs other functions on a packet (such as incrementing a counter, logging information about the packet header, sampling the packet data, or sending information to a remote host using the system log functionality), but any additional terms are used to examine the packet. Note: Cloud-Native Router supports |
Note:
Cloud-Native Router is preconfigured with the following syslog configuration: set system syslog file jcnr-firewall.log any any set system syslog file jcnr-firewall.log match-strings “JCNR-FIREWALL” You must additionally configure syslog as follows: set system syslog file messages_firewall_any match-strings “JCNR-FIREWALL” |
Configuration Example
Use the configlet resource to configure the cRPD pods.
You can configure the Cloud-Native Router controller with a stateless firewall filter under the
firewall hierarchy.
Configuration example for IPv4 family is provided below:
firewall {
family inet {
filter temp {
term a {
from {
source-address {
10.0.0.1/32;
}
destination-address {
10.0.0.2/32;
}
protocol icmp;
icmp-type echo-request;
source-port http;
destination-port bgp;
tcp-flags fin;
}
then {
count c1;
accept;
}
}
}
}
}
Configuration example for IPv6 family is provided below:
firewall {
family inet6 {
filter temp6 {
term a {
from {
source-address {
2001:db8::1/128;
}
destination-address {
2001:db8::1/128;
}
icmp-type echo-request;
source-port http;
destination-port bgp;
tcp-flags fin;
}
then {
count c1;
discard;
}
}
}
}
}
Configuration example for MPLS family is provided below:
firewall {
family mpls {
filter temp_mpls {
term t1 {
from {
exp 2-5;
label 1234-4321;
}
then {
accept;
count c1;
log;
syslog;
}
}
}
}
}
The filter will be applied to the ingress interface. The supported interfaces include a
fabric interface, sub-interface, pod interface and an irb interface. The
filter can be applied only on input for an interface:
user@host > show interfaces enp4s0
unit 0 {
family inet {
filter {
input temp;
}
address 10.0.0.1/24;
}
family inet6 {
filter {
input temp6;
}
}
} Troubleshooting
Cloud-Native Router Controller Commands
Display all firewall filters for family inet (IPv4)
user@host> show firewall family inet Filter: temp Counters: Name Bytes Packets c1 0 0 c2 1532909 22500 Filter: temp 2 Counters: Name Bytes Packets c3 0 0 c4 100 100
Display a specific firewall filter for family inet
user@host> show firewall family inet filter temp Filter: temp Counters: Name Bytes Packets c1 0 0 c2 1532909 22500
Display a specific counter for a firewall filter for family inet
user@host> show firewall family inet filter temp counter c2 Filter: temp Counters: Name Bytes Packets c2 1532909 22500
Display all firewall filters for family inet6 (IPv6)
user@host> show firewall family inet6 Filter: temp6 Counters: Name Bytes Packets c1 0 0 c2 1532909 22500 Filter: temp6_2 Counters: Name Bytes Packets c3 0 0 c4 100 100
Display all firewall filters for family mpls
user@host> show firewall family mpls Filter: temp_mpls Counters: Name Bytes Packets c1 0 0 c2 1532909 22500
Display a specific firewall filter for family mpls
user@host> show firewall family mpls filter temp_mpls Filter: temp_mpls Counters: Name Bytes Packets c1 0 0 c2 1532909 22500
Clear the counter statistics:
clear firewall family name >> clear all counter statistics for inet, inet6 or mpls family clear firewall family name filter name >> clear all counter statistics for a specific filter for inet, inet6 or mpls family clear firewall family name filter name count counter-name >> clear statistics for a specific counter for a specific filter for inet, inet6, mpls family
View the firewall logs:
user@host> show firewall log [JCNR-FIREWALL]: Mar 20 08:08:45 hostname feb FW: ge-1/1/0.0 A icmp 192.168.207.222 192.168.207.223 0 0 (1 packets) [JCNR-FIREWALL]: Mar 20 08:18:45 hostname feb FW: ge-1/1/0.0 A icmp 192.168.207.222 192.168.207.223 0 0 (1 packets) [JCNR-FIREWALL]: Mar 20 08:28:45 hostname feb FW: ge-1/1/0.0 A icmp 192.168.207.222 192.168.207.223 0 0 (1 packets) [JCNR-FIREWALL]: Mar 20 08:38:45 hostname feb FW: ge-1/1/0.0 A icmp 192.168.207.222 192.168.207.223 0 0 (1 packets)
View syslog messages:
user@host> show log messages_firewall_any [JCNR-FIREWALL]: Mar 20 08:08:45 hostname feb FW: ge-1/1/0.0 A icmp 192.168.207.222 192.168.207.223 0 0 (1 packets) [JCNR-FIREWALL]: Mar 20 08:18:45 hostname feb FW: ge-1/1/0.0 A icmp 192.168.207.222 192.168.207.223 0 0 (1 packets) [JCNR-FIREWALL]: Mar 20 08:28:45 hostname feb FW: ge-1/1/0.0 A icmp 192.168.207.222 192.168.207.223 0 0 (1 packets) [JCNR-FIREWALL]: Mar 20 08:38:45 hostname feb FW: ge-1/1/0.0 A icmp 192.168.207.222 192.168.207.223 0 0 (1 packets)
vRouter Commands
bash-5.1# acl --family inet --filter f4 --term t4 ======================================= Filter: f4 ======================================= Term: t4 ----- Priority: 268420555 Dest IP: 10.0.0.1/32 Src IP: 10.0.0.2/32 Dst ports: [179 - 179] Src ports: [179 - 179] Action: accept (n/a)
bash-5.1# acl --list-filters --family mpls ======================================= Filter: temp_mpls ======================================= Term: t1 ----- Priority: 256 Label: [2345 – 4092] Exp: [3 – 5] Action: discard (n/a) =======================================
bash-5.1# acl --list-actions [1] inet filter "temp_mpls": Counter "c1" Rx Packets: 2 [2] inet filter "temp_mpls": Counter "c2" Rx Packets: 1
Additional acl commands include the following:
acl --list-filters --family <inet/inet6/mpls> >>Lists the full acl table acl --list-actions >>Shows the acl entry corresponding to filter name and term name acl --family <inet/inet6/mpls> --filter <name> [--list-terms] >>Shows the ACL term list acl --family <inet/inet6/mpls> --filter <name> [--term <name>] >>Shows the ACL term details acl --family <inet/inet6/mpls> --filter <name> [--action <name>] >>Shows the ACL action details acl --family <inet/inet6/mpls> --filter <name> [--action <name>] --clear >>Clears the ACL action details acl --help >>Prints the help messages
You can view the filter associated with an interface using the vif --get
command:
bash-5.1# vif --get 5
Vrouter Interface Table
Flags: P=Policy, X=Cross Connect, S=Service Chain, Mr=Receive Mirror
Mt=Transmit Mirror, Tc=Transmit Checksum Offload, L3=Layer 3, L2=Layer 2
D=DHCP, Vp=Vhost Physical, Pr=Promiscuous, Vnt=Native Vlan Tagged
Mnp=No MAC Proxy, Dpdk=DPDK PMD Interface, Rfl=Receive Filtering Offload, Mon=Interface is Monitored
Uuf=Unknown Unicast Flood, Vof=VLAN insert/strip offload, Df=Drop New Flows, L=MAC Learning Enabled
Proxy=MAC Requests Proxied Always, Er=Etree Root, Mn=Mirror without Vlan Tag, HbsL=HBS Left Intf
HbsR=HBS Right Intf, Ig=Igmp Trap Enabled, Ml=MAC-IP Learning Enabled, Me=Multicast Enabled
vif0/5 PCI: 0000:07:00.0 NH: 10 MTU: 9000
Type:Physical HWaddr:02:8b:65:44:27:bd IPaddr:0.0.0.0
DDP: OFF SwLB: ON
Vrf:0 Mcast Vrf:0 Flags:L3L2Vof QOS:0 Ref:9
RX device packets:8807 bytes:374638 errors:0
RX port packets:8806 errors:0
RX queue errors to lcore 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
Fabric Interface: 0000:07:00.0 Status: UP Driver: 0000:07:00.0
RX packets:8806 bytes:374596 errors:0
TX packets:2 bytes:240 errors:0
Drops:0
TX queue packets:2 errors:0
TX port packets:2 errors:0
TX device packets:8 bytes:912 errors:0
inet acl f1
inet6 acl f1v6bash-5.1# vif --get 1
Vrouter Interface Table
Flags: P=Policy, X=Cross Connect, S=Service Chain, Mr=Receive Mirror
Mt=Transmit Mirror, Tc=Transmit Checksum Offload, L3=Layer 3, L2=Layer 2
D=DHCP, Vp=Vhost Physical, Pr=Promiscuous, Vnt=Native Vlan Tagged
Mnp=No MAC Proxy, Dpdk=DPDK PMD Interface, Rfl=Receive Filtering Offload, Mon=Interface is Monitored
Uuf=Unknown Unicast Flood, Vof=VLAN insert/strip offload, Df=Drop New Flows, L=MAC Learning Enabled
Proxy=MAC Requests Proxied Always, Er=Etree Root, Mn=Mirror without Vlan Tag, HbsL=HBS Left Intf
HbsR=HBS Right Intf, Ig=Igmp Trap Enabled, Ml=MAC-IP Learning Enabled, Me=Multicast Enabled
vif0/1 PCI: 0000:03:00.0 NH: 6 MTU: 9000
Type:Physical HWaddr:02:d7:e7:8c:dc:0b IPaddr:0.0.0.0
DDP: OFF SwLB: ON
Vrf:0 Mcast Vrf:0 Flags:L3Vof Ref:9
RX device packets:292 bytes:16204 errors:0
RX port packets:37 errors:0
RX queue errors to lcore 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
Fabric Interface: 0000:03:00.0 Status: UP Driver: net_virtio
RX packets:37 bytes:1582 errors:0
TX packets:0 bytes:0 errors:0
Drops:0
TX device packets:7 bytes:786 errors:0
mpls acl testAclFabricWithMplsExp