ON THIS PAGE
Example: Configuring a Filter to Block TFTP Access
Requirements
No special configuration beyond device initialization is required before configuring this example.
Overview
By default, to decrease vulnerability to denial-of-service (DoS) attacks, the Junos OS filters and discards Dynamic Host Configuration Protocol (DHCP) or Bootstrap Protocol (BOOTP) packets that have a source address of 0.0.0.0 and a destination address of 255.255.255.255. This default filter is known as a unicast RPF check. However, some vendors’ equipment automatically accepts these packets.
Topology
To interoperate with other vendors' equipment, you can configure a filter that checks for both of these addresses and overrides the default RPF-check filter by accepting these packets. In this example, you block Trivial File Transfer Protocol (TFTP) access, logging any attempts to establish TFTP connections.
Configuration
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Use the CLI Editor in Configuration Mode.
To configure this example, perform the following tasks:
- CLI Quick Configuration
- Configure the Stateless Firewall Filter
- Apply the Firewall Filter to the Loopback Interface
- Confirm and Commit Your Candidate Configuration
CLI Quick Configuration
To quickly configure this example, copy the following configuration commands
into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit]
hierarchy level.
set firewall family inet filter tftp_access_control term one from protocol udp set firewall family inet filter tftp_access_control term one from port tftp set firewall family inet filter tftp_access_control term one then log set firewall family inet filter tftp_access_control term one then discard set interfaces lo0 unit 0 family inet filter input tftp_access_control set interfaces lo0 unit 0 family inet address 127.0.0.1/32
Configure the Stateless Firewall Filter
Step-by-Step Procedure
To configure the stateless firewall filter that selectively blocks TFTP access:
Create the stateless firewall filter
tftp_access_control
.[edit] user@host# edit firewall family inet filter tftp_access_control
Specify a match on packets received on UDP port 69.
[edit firewall family inet filter tftp_access_control] user@host# set term one from protocol udp user@host# set term one from port tftp
Specify that matched packets be logged to the buffer on the Packet Forwarding Engine and then discarded.
[edit firewall family inet filter tftp_access_control] user@host# set term one then log user@host# set term one then discard
Apply the Firewall Filter to the Loopback Interface
Step-by-Step Procedure
To apply the firewall filter to the loopback interface:
[edit] user@host# set interfaces lo0 unit 0 family inet filter input tftp_access_control user@host# set interfaces lo0 unit 0 family inet address 127.0.0.1/32
Confirm and Commit Your Candidate Configuration
Step-by-Step Procedure
To confirm and then commit your candidate configuration:
Confirm the configuration of the stateless firewall filter by entering the
show firewall
configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.[edit] user@host# show firewall family inet { filter tftp_access_control { term one { from { protocol udp; port tftp; } then { log; discard; } } } }
Confirm the configuration of the interface by entering the
show interfaces
configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.[edit] user@host# show interfaces lo0 { unit 0 { family inet { filter { input tftp_access_control; } address 127.0.0.1/32; } } }
If you are done configuring the device, commit your candidate configuration.
[edit] user@host# commit
Verification
Confirm that the configuration is operating properly: