Example: Applying Lists of Multiple Firewall Filters
This example shows how to apply lists of multiple firewall filters.
Requirements
Before you begin, be sure that you have:
- Installed your router or switch, and supported PIC, DPC, or MPC, and performed the initial router or switch configuration.
- Configured basic Ethernet in the topology.
- Configured a logical interface to run the IP version 4 (IPv4) protocol (family inet) and configured the logical interface with an interface address. This example uses logical interface ge-1/3/0.0 configured with the IP address 172.16.1.2/30.
  Note: For completeness, the configuration section of this example includes setting an IP address for logical interface ge-1/3/0.0.
- Verified that traffic is flowing in the topology and that ingress and egress IPv4 traffic is flowing through logical interface ge-1/3/0.0.
- Verified that you have access to the remote host that is connected to this router’s or switch’s logical interface ge-1/3/0.0.
Physical interface policers/filters are not supported for list filters.
Overview
In this example, you configure three IPv4 firewall filters and apply each filter directly to the same logical interface by using a list.
Topology
This example applies the following firewall filters as a list of input filters at logical interface ge-1/3/0.0.
Each filter contains a single term that evaluates IPv4 packets and accepts packets based on the value of the destination port field in the TCP header:
- Filter filter_FTP matches on the FTP port number (21).
- Filter filter_SSH matches on the SSH port number (22).
- Filter filter_Telnet matches on the Telnet port number (23).
If an inbound packet does not match any of the filters in the input list, the packet is discarded.
The Junos OS uses filters in a list in the order in which the filter names appear in the list. In this simple example, the order is irrelevant because all of the filters specify the same action.
Any of the filters can be applied to other interfaces, either alone (using the input or output statement) or in combination with other filters (using the input-list or output-list statement). The objective is to configure multiple “minimalist” firewall filters that you can reuse in interface-specific filter lists.
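The following Python model is an added example, not part of the Junos documentation, showing how an input-list is evaluated: the listed filters are concatenated in list order into one composite filter named <interface>-inet-i, its terms are walked top to bottom, the first matching term's terminating action decides the packet, and a packet that matches no term at all is discarded implicitly. The filter and counter names are the ones configured in this example; the Packet and Term classes and the sample packets are assumptions made for the model. It also goes one step beyond the text by listing filter_discard first, which shows why order only stops mattering while every listed filter takes the same action.

```python
# Added example (not from the Junos documentation): a model of how Junos
# evaluates an ordered input-list of firewall filters. Filter and counter
# names come from the page; the classes and sample packets are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    protocol: str
    dst_port: int


@dataclass(frozen=True)
class Term:
    name: str
    action: str                      # terminating action: "accept" or "discard"
    protocol: Optional[str] = None   # None means "match any protocol"
    dst_port: Optional[int] = None   # None means "match any destination port"
    counter: Optional[str] = None    # "then count <name>", if configured

    def matches(self, pkt: Packet) -> bool:
        return ((self.protocol is None or pkt.protocol == self.protocol)
                and (self.dst_port is None or pkt.dst_port == self.dst_port))


@dataclass(frozen=True)
class Filter:
    name: str
    terms: Tuple[Term, ...]


class FilterList:
    """Composite filter built from an ordered input-list, e.g. ge-1/3/0.0-inet-i."""

    def __init__(self, ifl: str, filters: List[Filter]) -> None:
        self.name = f"{ifl}-inet-i"
        # Order matters: the terms of the first listed filter are evaluated first.
        self.terms = [t for f in filters for t in f.terms]
        self.counters: Dict[str, int] = {}

    def evaluate(self, pkt: Packet) -> str:
        for term in self.terms:
            if term.matches(pkt):
                if term.counter:
                    # Counters are reported as "<counter>-<composite filter name>".
                    key = f"{term.counter}-{self.name}"
                    self.counters[key] = self.counters.get(key, 0) + 1
                return term.action
        return "discard"  # implicit discard at the end of the composite filter


def tcp_port_filter(name: str, port: int, counter: str) -> Filter:
    """One-term filter: count and accept TCP packets to <port>, as on the page."""
    return Filter(name, (Term("0", "accept", protocol="tcp", dst_port=port, counter=counter),))


filter_FTP = tcp_port_filter("filter_FTP", 21, "pkts_FTP")
filter_SSH = tcp_port_filter("filter_SSH", 22, "pkts_SSH")
filter_Telnet = tcp_port_filter("filter_Telnet", 23, "pkts_Telnet")
filter_discard = Filter("filter_discard", (Term("1", "discard", counter="pkts_discarded"),))

# Constructed test traffic mirroring the Verification section: one TCP packet
# to each of ports 21, 22 and 23, plus one to port 80 that matches no filter.
SAMPLE_PACKETS = [Packet("tcp", 21), Packet("tcp", 22), Packet("tcp", 23), Packet("tcp", 80)]


def run_list(filters: List[Filter], packets=SAMPLE_PACKETS, ifl="ge-1/3/0.0"):
    """Return (per-packet decisions, counters) for one input-list order."""
    fl = FilterList(ifl, filters)
    decisions = [fl.evaluate(p) for p in packets]
    return decisions, fl.counters


if __name__ == "__main__":
    # The page's order: accept 21/22/23, count and discard everything else.
    print(run_list([filter_FTP, filter_SSH, filter_Telnet, filter_discard]))
    # Same filters, filter_discard listed first: its catch-all term shadows the
    # accept terms, so every packet is discarded. Order is only irrelevant while
    # all listed filters take the same action.
    print(run_list([filter_discard, filter_FTP, filter_SSH, filter_Telnet]))
    # Without filter_discard the non-matching packet is still dropped by the
    # implicit discard, but no counter records it.
    print(run_list([filter_FTP, filter_SSH, filter_Telnet]))
```

The third run is the reason the example on this page adds an explicit filter_discard with a counter: the implicit discard at the end of the composite filter drops the packet just the same, but leaves nothing to look at in the counters.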
Configuration
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Use the CLI Editor in Configuration Mode.
- CLI Quick Configuration
- Configure Multiple IPv4 Firewall Filters
- Apply the Filters to a Logical Interface as an Input List and an Output List
- Confirm and Commit Your Candidate Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit] hierarchy level.
set firewall family inet filter filter_FTP term 0 from protocol tcp
set firewall family inet filter filter_FTP term 0 from destination-port 21
set firewall family inet filter filter_FTP term 0 then count pkts_FTP
set firewall family inet filter filter_FTP term 0 then accept
set firewall family inet filter filter_SSH term 0 from protocol tcp
set firewall family inet filter filter_SSH term 0 from destination-port 22
set firewall family inet filter filter_SSH term 0 then count pkts_SSH
set firewall family inet filter filter_SSH term 0 then accept
set firewall family inet filter filter_Telnet term 0 from protocol tcp
set firewall family inet filter filter_Telnet term 0 from destination-port 23
set firewall family inet filter filter_Telnet term 0 then count pkts_Telnet
set firewall family inet filter filter_Telnet term 0 then accept
set firewall family inet filter filter_discard term 1 then count pkts_discarded
set firewall family inet filter filter_discard term 1 then discard
set interfaces ge-1/3/0 unit 0 family inet address 172.16.1.2/30
set interfaces ge-1/3/0 unit 0 family inet filter input-list filter_FTP
set interfaces ge-1/3/0 unit 0 family inet filter input-list filter_SSH
set interfaces ge-1/3/0 unit 0 family inet filter input-list filter_Telnet
set interfaces ge-1/3/0 unit 0 family inet filter input-list filter_discard
Configure Multiple IPv4 Firewall Filters
Step-by-Step Procedure
To configure the IPv4 firewall filters:
Navigate the CLI to the hierarchy level at which you configure IPv4 firewall filters.
[edit]
user@host# edit firewall family inet
Configure the first firewall filter to count and accept TCP packets with destination port 21.
[edit firewall family inet]
user@host# set filter filter_FTP term 0 from protocol tcp
user@host# set filter filter_FTP term 0 from destination-port 21
user@host# set filter filter_FTP term 0 then count pkts_FTP
user@host# set filter filter_FTP term 0 then accept
Configure the second firewall filter to count and accept TCP packets with destination port 22.
[edit firewall family inet]
user@host# set filter filter_SSH term 0 from protocol tcp
user@host# set filter filter_SSH term 0 from destination-port 22
user@host# set filter filter_SSH term 0 then count pkts_SSH
user@host# set filter filter_SSH term 0 then accept
Configure the third firewall filter to count and accept TCP packets with destination port 23.
[edit firewall family inet]
user@host# set filter filter_Telnet term 0 from protocol tcp
user@host# set filter filter_Telnet term 0 from destination-port 23
user@host# set filter filter_Telnet term 0 then count pkts_Telnet
user@host# set filter filter_Telnet term 0 then accept
Configure the last firewall filter to count, and then discard, every packet that reaches it.
[edit firewall family inet]
user@host# set filter filter_discard term 1 then count pkts_discarded
user@host# set filter filter_discard term 1 then discard
Apply the Filters to a Logical Interface as an Input List and an Output List
Step-by-Step Procedure
To apply the six IPv4 firewall filters as a list of input filters and a list of output filters:
Navigate the CLI to the hierarchy level at which you apply IPv4 firewall filters to logical interface ge-1/3/0.0.
[edit]
user@host# edit interfaces ge-1/3/0 unit 0 family inet
Configure the IPv4 protocol family for the logical interface.
[edit interfaces ge-1/3/0 unit 0 family inet]
user@host# set address 172.16.1.2/30
Apply the filters as a list of input filters.
[edit interfaces ge-1/3/0 unit 0 family inet]
user@host# set filter input-list [ filter_FTP filter_SSH filter_Telnet filter_discard ]
Confirm and Commit Your Candidate Configuration
Step-by-Step Procedure
To confirm and then commit your candidate configuration:
Confirm the configuration of the firewall filters by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
[edit]
user@host# show firewall
family inet {
    filter filter_FTP {
        term 0 {
            from {
                protocol tcp;
                destination-port 21;
            }
            then {
                count pkts_FTP;
                accept;
            }
        }
    }
    filter filter_SSH {
        term 0 {
            from {
                protocol tcp;
                destination-port 22;
            }
            then {
                count pkts_SSH;
                accept;
            }
        }
    }
    filter filter_Telnet {
        term 0 {
            from {
                protocol tcp;
                destination-port 23;
            }
            then {
                count pkts_Telnet;
                accept;
            }
        }
    }
    filter filter_discard {
        term 1 {
            then {
                count pkts_discarded;
                discard;
            }
        }
    }
}
Confirm the configuration of the interface by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
[edit]
user@host# show interfaces
ge-1/3/0 {
    unit 0 {
        family inet {
            filter {
                input-list [ filter_FTP filter_SSH filter_Telnet filter_discard ];
            }
            address 172.16.1.2/30;
        }
    }
}
If you are done configuring the device, commit your candidate configuration.
[edit]
user@host# commit
Verification
Confirm that the configuration is working properly.
Verifying That Inbound Packets Are Accepted Only If Destined for the FTP, SSH or Telnet Port
Purpose
Verify that all three filters are active for the logical interface.
Action
To verify that input packets are accepted according to the three filters:
- From the remote host that is connected to this router’s (or switch’s) logical interface ge-1/3/0.0, send a packet with destination port number 21 in the header. The packet should be accepted.
- From the remote host that is connected to this router’s (or switch’s) logical interface ge-1/3/0.0, send a packet with destination port number 22 in the header. The packet should be accepted.
- From the remote host that is connected to this router’s (or switch’s) logical interface ge-1/3/0.0, send a packet with destination port number 23 in the header. The packet should be accepted.
- From the remote host that is connected to this router’s (or switch’s) logical interface ge-1/3/0.0, send a packet with a destination port number other than 21, 22, or 23. The packet should be discarded.
- To display counter information for the list of filters applied to the input at ge-1/3/0.0, enter the show firewall filter ge-1/3/0.0-inet-i operational mode command. The command output displays the number of bytes and packets that match filter terms associated with the following counters:
  - pkts_FTP-ge-1/3/0.0-inet-i
  - pkts_SSH-ge-1/3/0.0-inet-i
  - pkts_Telnet-ge-1/3/0.0-inet-i
  - pkts_discarded-ge-1/3/0.0-inet-i
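The following Python script is an added example, not part of the Junos documentation, that turns the verification above into a check on counter deltas: it parses the Counters table of show firewall filter ge-1/3/0.0-inet-i from a snapshot taken before the test packets are sent and one taken after, and confirms that each of the four counters moved by exactly the number of test packets aimed at it. The two snapshots are constructed sample output, and their column layout (Name, Bytes, Packets) is an assumption; the counter names are the ones listed above.

```python
# Added example (not from the Junos documentation): parse the counter table of
# "show firewall filter <ifl>-inet-i" and compare before/after snapshots.
# The snapshots are constructed sample output; the layout is an assumption.
import re
from typing import Dict, List

# Constructed "before" snapshot, taken prior to sending the test packets.
BEFORE = """\
Filter: ge-1/3/0.0-inet-i
Counters:
Name                                                Bytes              Packets
pkts_FTP-ge-1/3/0.0-inet-i                           1280                   20
pkts_SSH-ge-1/3/0.0-inet-i                           2640                   40
pkts_Telnet-ge-1/3/0.0-inet-i                           0                    0
pkts_discarded-ge-1/3/0.0-inet-i                      448                    7
"""

# Constructed "after" snapshot: one test packet to each of ports 21, 22 and 23
# and one to a port outside the list, as in the Verification steps.
AFTER = """\
Filter: ge-1/3/0.0-inet-i
Counters:
Name                                                Bytes              Packets
pkts_FTP-ge-1/3/0.0-inet-i                           1344                   21
pkts_SSH-ge-1/3/0.0-inet-i                           2704                   41
pkts_Telnet-ge-1/3/0.0-inet-i                          64                    1
pkts_discarded-ge-1/3/0.0-inet-i                      512                    8
"""

COUNTER_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)$")


def parse_counters(text: str) -> Dict[str, int]:
    """Return {counter name: packets} from the Counters: table of the output."""
    counters: Dict[str, int] = {}
    in_table = False
    for line in text.splitlines():
        line = line.strip()
        if line == "Counters:":
            in_table = True
            continue
        if not in_table:
            continue
        m = COUNTER_LINE.match(line)
        if m:  # the "Name Bytes Packets" header carries no digits and is skipped
            counters[m.group(1)] = int(m.group(3))
    return counters


def counter_deltas(before: str, after: str) -> Dict[str, int]:
    """Packets added to each counter between the two snapshots."""
    b, a = parse_counters(before), parse_counters(after)
    return {name: a[name] - b.get(name, 0) for name in a}


def verify_list(before: str, after: str, ifl: str, expected: Dict[str, int]) -> List[str]:
    """Return a list of problems; empty means every counter moved as expected.

    'expected' maps a configured counter name (e.g. pkts_FTP) to the number of
    test packets that should have hit it. Names are suffixed with the
    composite filter name, which is how the router reports list counters.
    """
    deltas = counter_deltas(before, after)
    problems = []
    for counter, want in expected.items():
        key = f"{counter}-{ifl}-inet-i"
        if key not in deltas:
            problems.append(f"{key}: counter missing, is the filter in the list?")
        elif deltas[key] != want:
            problems.append(f"{key}: expected +{want} packets, saw +{deltas[key]}")
    return problems


if __name__ == "__main__":
    expected = {"pkts_FTP": 1, "pkts_SSH": 1, "pkts_Telnet": 1, "pkts_discarded": 1}
    print(verify_list(BEFORE, AFTER, "ge-1/3/0.0", expected) or "all four filters active")
```

A missing counter is reported separately from a wrong delta because the two point at different mistakes: a counter that never appears means the filter is not in the list (or its count action was never configured), while a delta of zero on a present counter means the filter is there but the test packet matched an earlier filter in the list or never reached the interface.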