Example: Using Firewall Filter Chains
This example shows the use of firewall filter chains. Firewall filters filter1, filter2, and filter3 are applied to interface ge-0/1/1.0 using the input-chain and the output-chain configuration statements.
Requirements
Before you begin:
- You should have an MX Series router with MPCs running Junos OS Release 18.4R1 or later. If you are using PTX10001-36MR, PTX10004, PTX10008, or PTX10016 routers for this feature, install Junos OS Evolved Release 21.4R1.
- The router should be configured for the IP version 4 (IPv4) protocol (family inet), with the logical interface configured with an interface address. All other initial router configuration should be complete, with basic IPv4 connectivity between the devices confirmed.
- The traffic you send should be compatible with the firewall filter rules, so that the rules you configure can match the test traffic you send.
Overview
This example shows how to chain multiple firewall filters for both ingress and egress so they can be applied to a given interface and evaluated in sequence. The filters are executed in the order in which they appear in the chain, from left to right.
Using filter chains (as opposed to an input-list filter) has the advantage of allowing multiple levels of filtering, such as using an initial filter to perform generic classification (such as QoS), and then one or more subsequent filters for additional refinement (such as security).
An input-list stops processing a packet upon accept or discard; subsequent firewall filters are not evaluated. In a firewall filter chain, an accept or discard action stops processing of the current firewall filter only, and the packet is then presented to the subsequent firewall filters in the chain, if any.
Starting from Junos OS Evolved Release 21.4R1, you can use firewall filter chains on PTX10001-36MR, PTX10004, PTX10008, and PTX10016 routers.
You can apply the filter chain as follows:
set interfaces interface-name unit unit family inet filter input-chain [filter1 filter2 filter3];
set interfaces interface-name unit unit family inet filter output-chain [filter1 filter2 filter3];
On PTX Evo platforms, the feature has the following limitations:
- You can configure only the first filter in a chain of filters as interface specific. On MX Series routers, you can configure all filters in a chain of filters as interface specific.
- You cannot configure the same filters as part of a regular CLI filter and chain filters on the same interface-specific bind point. On such interface-specific bind points, replace the existing CLI filter with filter chains (or vice versa) and commit them separately, to avoid an error.
- You cannot configure chain filters along with "family any" and interface policers on the same bind point.
- On loopback interfaces, output chain filters are not supported.
- On loopback interfaces, you cannot configure both an input regular CLI filter and chain filters.
- For IRB interfaces, you cannot configure both a regular CLI interface-specific filter and filter chains.
- For Layer 2 SP style output, you cannot configure both a regular CLI interface-specific filter and chain filters.
- Filters such as fast-lookup-filter are not supported as part of CLI chain filters.
- CLI filter chains are not supported for uRPF-fail filters.
- Because egress filters for the MPLS family are supported only as fast-lookup-filter, and chain filters do not support fast-lookup-filters, a relevant commit check is provided when you configure family MPLS egress chain filters.
Topology
In this example, you configure multiple firewall filters and then apply them in sequence by chaining them to a given interface. This example uses ge-0/1/1.0, configured with the IP address 172.16.1.1/30, for both the input and output chain. If a packet does not match any of the filters in the chain list, the packet is dropped.
Configuration
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Use the CLI Editor in Configuration Mode.
- CLI Quick Configuration
- Configure IPv4 Firewall Filters
- Apply the Chain of Input Filters
- Confirm and Commit Your Candidate Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit] hierarchy level. The filter names used here are filter1, and so on, while the term names are t1_f1 (term1, using filter1), and so on.
set firewall family inet filter filter1 term t1_f1 from protocol tcp
set firewall family inet filter filter1 term t1_f1 then count f1_t1_cnt
set firewall family inet filter filter1 term t2_f1 from precedence 7
set firewall family inet filter filter1 term t2_f1 then count f1_t2_cnt
set firewall family inet filter filter1 term t2_f1 then accept
set firewall family inet filter filter2 term t1_f2 from dscp 0
set firewall family inet filter filter2 term t1_f2 then count f2_t1_cnt
set firewall family inet filter filter2 term t2_f2 from source-port 1020
set firewall family inet filter filter2 term t2_f2 then count f2_t2_cnt
set firewall family inet filter filter2 term t2_f2 then accept
set firewall family inet filter filter3 term t1_f3 from destination-address 172.30.1.1/32
set firewall family inet filter filter3 term t1_f3 then count f3_t1_cnt
set firewall family inet filter filter3 term t2_f3 from destination-port 5454
set firewall family inet filter filter3 term t2_f3 then count f3_t2_cnt
set firewall family inet filter filter3 term t2_f3 then accept
set interfaces ge-0/1/1 unit 0 family inet address 172.16.1.1/30
set interfaces ge-0/1/1 unit 0 family inet filter input-chain [ filter1 filter2 filter3 ]
set interfaces ge-0/1/1 unit 0 family inet filter output-chain [ filter1 filter2 filter3 ]
Configure IPv4 Firewall Filters
Here we configure the firewall filters. Each has different match conditions and count actions. The first two filters have multiple terms with the non-terminating action of count, which means matching packets are passed on to the next filter in the chain, while the third has an action of accept. Packets that don't match any of the specified conditions are dropped.
Step-by-Step Procedure
To configure the firewall filters:
1. Navigate the CLI to the hierarchy level at which you configure IPv4 firewall filters.
   [edit]
   user@host# edit firewall family inet
2. Configure the first firewall filter to count TCP packets, or packets with a precedence of 7, before sending them on to the next filter in the chain.
   [edit firewall family inet]
   user@host# set filter filter1 term t1_f1 from protocol tcp
   user@host# set filter filter1 term t1_f1 then count f1_t1_cnt
   user@host# set filter filter1 term t2_f1 from precedence 7
   user@host# set filter filter1 term t2_f1 then count f1_t2_cnt
   user@host# set filter filter1 term t2_f1 then accept
3. Configure the second firewall filter to count packets with a DSCP value of 0, or packets with a source port of 1020, before sending them on to the next filter in the chain.
   [edit firewall family inet]
   user@host# set filter filter2 term t1_f2 from dscp 0
   user@host# set filter filter2 term t1_f2 then count f2_t1_cnt
   user@host# set filter filter2 term t2_f2 from source-port 1020
   user@host# set filter filter2 term t2_f2 then count f2_t2_cnt
   user@host# set filter filter2 term t2_f2 then accept
4. Configure the last firewall filter to count and accept packets with a destination address of 172.30.1.1/32, or a destination port of 5454.
   [edit firewall family inet]
   user@host# set filter filter3 term t1_f3 from destination-address 172.30.1.1/32
   user@host# set filter filter3 term t1_f3 then count f3_t1_cnt
   user@host# set filter filter3 term t2_f3 from destination-port 5454
   user@host# set filter filter3 term t2_f3 then count f3_t2_cnt
   user@host# set filter filter3 term t2_f3 then accept
Apply the Chain of Input Filters
Here we attach the firewall filters to a given interface. The filters are executed in the order in which they appear in the chain, from left to right.
Step-by-Step Procedure
To assign the interface an IP address and apply the filter chains:
1. Navigate to the interface we are using for the filters, ge-0/1/1.0.
   [edit]
   user@host# edit interfaces ge-0/1/1 unit 0 family inet
2. Assign an IPv4 address to the logical interface.
   [edit interfaces ge-0/1/1 unit 0 family inet]
   user@host# set address 172.16.1.1/30
3. Apply the filters as an input chain and as an output chain.
   [edit interfaces ge-0/1/1 unit 0 family inet]
   user@host# set filter input-chain [ filter1 filter2 filter3 ]
   user@host# set filter output-chain [ filter1 filter2 filter3 ]
Confirm and Commit Your Candidate Configuration
Step-by-Step Procedure
To confirm and then commit your candidate configuration:
1. Confirm the configuration of the firewall filters by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
   [edit firewall]
   user@host# show
   family inet {
       filter filter1 {
           term t1_f1 {
               from {
                   protocol tcp;
               }
               then count f1_t1_cnt; accept;
           }
           term t2_f1 {
               from {
                   precedence 7;
               }
               then count f1_t2_cnt; accept;
           }
       }
       filter filter2 {
           term t1_f2 {
               from {
                   dscp 0;
               }
               then count f2_t1_cnt;
           }
           term t2_f2 {
               from {
                   source-port 1020;
               }
               then count f2_t2_cnt;
           }
       }
       filter filter3 {
           term t1_f3 {
               from {
                   destination-address {
                       172.30.1.1/32;
                   }
               }
               then {
                   count f3_t1_cnt;
               }
           }
           term t2_f3 {
               from {
                   destination-port 5454;
               }
               then {
                   count f3_t2_cnt;
                   accept;
               }
           }
       }
   }
2. Confirm the configuration of the interface by entering the show interfaces configuration mode command.
   [edit]
   user@host# show interfaces
   ge-0/1/1 {
       unit 0 {
           family inet {
               filter {
                   input-chain [ filter1 filter2 filter3 ];
               }
               address 172.16.1.1/30;
           }
       }
   }
3. If you are done configuring the device, commit the configuration.
   [edit]
   user@host# commit
Verification
Confirm that the configuration works as expected, that is, that the matching traffic is evaluated by each of the filters filter1, filter2, and filter3, and that the expected action (count or accept) has been taken.
Send Traffic Through the Firewall Filters
Purpose
Send traffic from one device to the router you have configured to see whether matching packets are being evaluated by all relevant filters in the chain.
Action
To verify that input packets are evaluated by filter1, filter2, and filter3:
1. From the remote host that is connected to ge-0/1/1.0, send a packet with a precedence of 7. The packet should be counted and then evaluated by filter2.
2. From the remote host that is connected to ge-0/1/1.0, send a packet with a DSCP value of 0. The packet should be counted and then evaluated by filter3.
3. From the remote host that is connected to ge-0/1/1.0, send a packet with a destination address of 172.30.1.1/32 and a destination port number of 5454. The packet should be counted and then accepted.
4. To display counter information for the filters you configured, enter the show firewall filter filter-name operational mode command. The command output displays the number of bytes and packets that match filter terms associated with the counters.
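The chain-versus-input-list behaviour described in the Overview, and the counter results the Verification steps look for, as an added Python model that is not Junos code and not part of the original example; the terms, counters and the constructed test packet mirror filter1, filter2 and filter3 above, and the "no match anywhere means drop" rule is a modelling assumption taken from the Topology section.

```python
from dataclasses import dataclass

@dataclass
class Term:
    name: str
    match: dict        # every key/value must equal the packet's field
    counter: str       # count is a non-terminating action
    action: str = ""   # "accept" or "discard" ends the current filter

# Terms mirror filter1..filter3 from the CLI Quick Configuration.
FILTERS = {
    "filter1": [Term("t1_f1", {"protocol": "tcp"}, "f1_t1_cnt"),
                Term("t2_f1", {"precedence": 7}, "f1_t2_cnt", "accept")],
    "filter2": [Term("t1_f2", {"dscp": 0}, "f2_t1_cnt"),
                Term("t2_f2", {"source-port": 1020}, "f2_t2_cnt", "accept")],
    "filter3": [Term("t1_f3", {"destination-address": "172.30.1.1"}, "f3_t1_cnt"),
                Term("t2_f3", {"destination-port": 5454}, "f3_t2_cnt", "accept")],
}
CHAIN = ["filter1", "filter2", "filter3"]

def evaluate(packet, mode="chain", chain=CHAIN):
    """Return (verdict, counters). "chain": accept/discard ends only the
    current filter and the next filter still runs; "list": the first
    accept/discard ends the whole list. Only the first matching term of a
    filter fires. Assumption: a packet matching no term anywhere is dropped,
    as the Topology section states for the chain."""
    counters = {t.counter: 0 for terms in FILTERS.values() for t in terms}
    matched, verdict = False, None
    for name in chain:
        for term in FILTERS[name]:
            if all(packet.get(k) == v for k, v in term.match.items()):
                counters[term.counter] += 1
                matched = True
                if term.action:
                    verdict = term.action
                    if mode == "list":
                        return verdict, counters  # input-list stops here
                break  # first matching term wins; chain moves to next filter
    if verdict is None:
        verdict = "accept" if matched else "discard"
    return verdict, counters

# Constructed packet that matches one term in each of the three filters.
ALL_THREE = {"protocol": "tcp", "precedence": 7, "dscp": 56, "source-port": 1020,
             "destination-address": "172.30.1.1", "destination-port": 5454}

if __name__ == "__main__":
    for mode in ("chain", "list"):
        verdict, counters = evaluate(ALL_THREE, mode)
        print(mode, verdict, [c for c, n in counters.items() if n])
```

In chain mode all three counters f1_t1_cnt, f2_t2_cnt and f3_t1_cnt increment for the constructed packet, whereas in list mode the accept in filter2 stops evaluation and f3_t1_cnt stays at zero.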