Example: Applying Lists of Multiple Firewall Filters

This example shows how to apply lists of multiple firewall filters.

Requirements

Before you begin, be sure that you have:

  • Installed your router or switch, and supported PIC, DPC, or MPC and performed the initial router or switch configuration.

  • Configured basic Ethernet in the topology.

  • Configured a logical interface to run the IP version 4 (IPv4) protocol (family inet) and configured the logical interface with an interface address. This example uses logical interface ge-1/3/0.0 configured with the IP address 172.16.1.2/30.

    Note:

    For completeness, the configuration section of this example includes setting an IP address for logical interface ge-1/3/0.0.

  • Verified that traffic is flowing in the topology and that ingress and egress IPv4 traffic is flowing through logical interface ge-1/3/0.0.

  • Verified that you have access to the remote host that is connected to this router’s or switch’s logical interface ge-1/3/0.0.

Note:

Filter lists (input-list and output-list) are supported only at the logical interface (unit) level under a protocol family; physical interface policers and filters cannot be applied as lists.

Overview

In this example, you configure three IPv4 firewall filters that each accept one TCP service, plus a fourth filter that counts and discards everything else, and apply all four to the same logical interface as a single input list.

Topology

This example applies the following firewall filters as a list of input filters at logical interface ge-1/3/0.0. Each filter contains a single term that evaluates IPv4 packets and accepts packets based on the value of the destination port field in the TCP header:

  • Filter filter_FTP matches on the FTP port number (21).

  • Filter filter_SSH matches on the SSH port number (22).

  • Filter filter_Telnet matches on the Telnet port number (23).

If an inbound packet does not match any of the accept filters in the input list, the packet is discarded (and, in this example, counted by the last filter in the list). Note that destination-port on its own matches the port field of TCP and UDP packets alike; to limit a filter to TCP, also include protocol tcp in the term's from clause.

Note:

Junos OS evaluates the filters in a list in the order in which the filter names appear in the list; a packet that matches no term in one filter is passed to the next filter in the list. The relative order of the three accept filters is irrelevant here because they match disjoint ports and specify the same action, but the counting discard filter must be listed last, because it matches every packet that reaches it.

Any of the filters can be applied to other interfaces, either alone (using the input or output statement) or in combination with other filters (using the input-list or output-list statement). The objective is to configure multiple “minimalist” firewall filters that you can reuse in interface-specific filter lists.

Configuration

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Use the CLI Editor in Configuration Mode.

CLI Quick Configuration

To quickly configure this example, copy the following commands into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit] hierarchy level.
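The set commands below are an added reconstruction of the quick configuration for this example; they are not the page's own listing. They use the filter and counter names the page names (filter_FTP, filter_SSH, filter_Telnet, pkts_FTP, pkts_SSH, pkts_Telnet, pkts_discard). The term name 1, the name filter_discard for the fourth filter, the interface-specific statement (inferred from the suffixed counter names shown in the Verification section) and the second logical interface ge-1/3/1.0 used at the end to show reuse are assumptions. The Step-by-Step procedures that follow walk through the same configuration in hierarchy form.

```junos
## Added reconstruction, not the page's own configuration.
## Assumed: term name "1", filter name "filter_discard", interface ge-1/3/1.0.

## Three minimalist filters: one term each that counts and accepts on a
## destination port. interface-specific gives every applied instance its own
## counters, named <counter>-<interface>-<family>-<direction>.
set firewall family inet filter filter_FTP interface-specific
set firewall family inet filter filter_FTP term 1 from destination-port 21
set firewall family inet filter filter_FTP term 1 then count pkts_FTP
set firewall family inet filter filter_FTP term 1 then accept

set firewall family inet filter filter_SSH interface-specific
set firewall family inet filter filter_SSH term 1 from destination-port 22
set firewall family inet filter filter_SSH term 1 then count pkts_SSH
set firewall family inet filter filter_SSH term 1 then accept

set firewall family inet filter filter_Telnet interface-specific
set firewall family inet filter filter_Telnet term 1 from destination-port 23
set firewall family inet filter filter_Telnet term 1 then count pkts_Telnet
set firewall family inet filter filter_Telnet term 1 then accept

## Catch-all: a term with no "from" clause matches every packet the three
## filters above did not accept. It must be the last filter in the list.
set firewall family inet filter filter_discard interface-specific
set firewall family inet filter filter_discard term 1 then count pkts_discard
set firewall family inet filter filter_discard term 1 then discard

## Apply the four filters, in this order, as an input list on ge-1/3/0.0.
set interfaces ge-1/3/0 unit 0 family inet address 172.16.1.2/30
set interfaces ge-1/3/0 unit 0 family inet filter input-list [ filter_FTP filter_SSH filter_Telnet filter_discard ]

## Reuse (assumed interface ge-1/3/1.0): one filter alone as the input
## filter, and the same list in the output direction. Packets that miss
## filter_SSH on input here are discarded by the implicit rule, uncounted.
set interfaces ge-1/3/1 unit 0 family inet filter input filter_SSH
set interfaces ge-1/3/1 unit 0 family inet filter output-list [ filter_FTP filter_SSH filter_Telnet filter_discard ]
```

Lines beginning with ## are comments and can be dropped before pasting. Because none of the terms includes protocol tcp, a UDP datagram to port 21, 22, or 23 is also accepted by these filters; add from protocol tcp to each term if only TCP should pass. On ge-1/3/0.0 the counters appear as pkts_FTP-ge-1/3/0.0-inet-i and so on; for a list applied in the output direction the suffix ends in -o instead of -i, so the two instances of each filter are counted separately.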

Configure Multiple IPv4 Firewall Filters

Step-by-Step Procedure

To configure the IPv4 firewall filters:

  1. Navigate the CLI to the hierarchy level at which you configure IPv4 firewall filters.

  2. Configure the first firewall filter to count and accept packets with destination port 21.

  3. Configure the second firewall filter to count and accept packets with destination port 22.

  4. Configure the third firewall filter to count and accept packets with destination port 23.

  5. Configure a fourth, final firewall filter whose single term matches every remaining packet, counts it, and discards it.

Apply the Filters to a Logical Interface as an Input List

Step-by-Step Procedure

To apply the four IPv4 firewall filters as a list of input filters:

  1. Navigate the CLI to the hierarchy level at which you apply IPv4 firewall filters to logical interface ge-1/3/0.0.

  2. Configure the IPv4 protocol family for the logical interface.

  3. Apply the filters as a list of input filters.

Confirm and Commit Your Candidate Configuration

Step-by-Step Procedure

To confirm and then commit your candidate configuration:

  1. Confirm the configuration of the firewall filters by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

  2. Confirm the configuration of the interface by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

  3. If you are done configuring the device, commit your candidate configuration.

Verification

Confirm that the configuration is working properly.

Verifying That Inbound Packets Are Accepted Only If Destined for the FTP, SSH, or Telnet Port

Purpose

Verify that all four filters in the input list are active for the logical interface: the three accept filters pass their respective ports, and the last filter counts and discards everything else.

Action

To verify that input packets are accepted according to the three filters:

  1. From the remote host that is connected to this router’s (or switch’s) logical interface ge-1/3/0.0, send a packet with destination port number 21 in the header. The packet should be accepted.

  2. From the remote host that is connected to this router’s (or switch’s) logical interface ge-1/3/0.0, send a packet with destination port number 22 in the header. The packet should be accepted.

  3. From the remote host that is connected to this router’s (or switch’s) logical interface ge-1/3/0.0, send a packet with destination port number 23 in the header. The packet should be accepted.

  4. From the remote host that is connected to this router’s (or switch’s) logical interface ge-1/3/0.0, send a packet with a destination port number other than 21, 22, or 23. The packet should be discarded.

  5. To display counter information for the list of filters applied to the input at ge-1/3/0.0, enter the show firewall filter ge-1/3/0.0-inet-i operational mode command. Junos OS compiles the input list into a single filter named after the interface, protocol family, and direction (ge-1/3/0.0-inet-i), and because the filters are interface-specific, their counters carry the same suffix. The command output displays the number of bytes and packets that match filter terms associated with the following counters:

    • pkts_FTP-ge-1/3/0.0-inet-i

    • pkts_SSH-ge-1/3/0.0-inet-i

    • pkts_Telnet-ge-1/3/0.0-inet-i

    • pkts_discard-ge-1/3/0.0-inet-i