Example: Configuring a Stateless Firewall Filter to Handle Fragments

This example shows how to create a stateless firewall filter that handles packet fragments.

Requirements

No special configuration beyond device initialization is required before configuring stateless firewall filters.

Overview

In this example, you create a stateless firewall filter called fragment-RE that accepts fragmented packets originating from 10.2.1.0/24 and destined for the BGP port. This example includes the following firewall filter terms:

  • not-from-prefix-term—Discards packets that are not from 10.2.1.0/24, so that subsequent terms in the firewall filter are matched against packets from 10.2.1.0/24 only.

  • small-offset-term—Discards fragments with a small fragment offset (1 through 5) to ensure that subsequent terms in the firewall filter can be matched against all the headers in the packet. Fragment offsets are in units of 8 bytes, so a non-first fragment with offset 1 through 5 would start 8 to 40 bytes into the original payload, inside the region occupied by the TCP header of the first fragment; at reassembly such a fragment could overwrite the port and flag fields that the first fragment was already checked against (the overlapping-fragment attack described in RFC 1858). In addition, the term adds a record to the system logging destinations for the firewall facility.

  • not-fragmented-term—Accepts unfragmented TCP packets with a destination port that specifies the BGP protocol. A packet is considered unfragmented if the MF flag is not set and the fragment offset equals 0.

  • first-fragment-term—Accepts the first fragment of a fragmented TCP packet with a destination port that specifies the BGP protocol.

  • fragment-term—Accepts all fragments from the prefix that were not discarded by small-offset-term (fragment offsets 6 through 8191). Because a non-first fragment carries no TCP header, this term cannot check the protocol or destination port. However, only those fragments that are part of a packet whose first fragment was accepted by first-fragment-term can be reassembled by the destination device.

The fragment offset of a packet can be from 1 through 8191.

Note:

You can move terms within the firewall filter by using the insert command. For more information, see “insert” in the Junos OS CLI User Guide.

Topology

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

Procedure

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Use the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure the stateless firewall filter:

  1. Define the stateless firewall filter.

  2. Configure the first term for the filter.

  3. Define the second term for the filter.

  4. Define the match conditions for the term.

  5. Define the action for the term.

  6. Define the third term for the filter.

  7. Define the match conditions for the term.

  8. Define the action for the term.

  9. Define the fourth term for the filter.

  10. Define the match conditions for the term.

  11. Define the action for the term.

  12. Define the last term for the filter.

  13. Define the match conditions for the term.

  14. Define the action for the term.
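The complete filter that the fourteen steps above produce, shown as an added example assembled from the term descriptions in the Overview rather than copied from the page's own listing. The syslog file name (fragment-log), the application of the filter to lo0, and the choice to match not-fragmented-term on fragment-offset 0 alone are assumptions and are marked as such in the comments.

```junos
/* Added example built from the Overview term descriptions; not the page's listing. */
firewall {
    family inet {
        filter fragment-RE {
            /* Everything not sourced from 10.2.1.0/24 stops here. */
            term not-from-prefix-term {
                from {
                    source-address {
                        0.0.0.0/0;
                        10.2.1.0/24 except;
                    }
                }
                then discard;
            }
            /* Offsets 1-5 (8-40 bytes) overlap the first fragment's TCP header. */
            term small-offset-term {
                from {
                    fragment-offset 1-5;
                }
                then {
                    syslog;
                    discard;
                }
            }
            /* Assumption: offset 0 alone; a first fragment also has offset 0 and */
            /* is accepted by the next term in any case, so the outcome is the same. */
            term not-fragmented-term {
                from {
                    fragment-offset 0;
                    protocol tcp;
                    destination-port bgp;
                }
                then accept;
            }
            term first-fragment-term {
                from {
                    first-fragment;
                    protocol tcp;
                    destination-port bgp;
                }
                then accept;
            }
            /* Non-first fragments carry no TCP header, so only the offset is checked. */
            /* Anything from the prefix that matches no term falls off the end. */
            term fragment-term {
                from {
                    fragment-offset 6-8191;
                }
                then accept;
            }
        }
    }
}
/* Assumed, not in the page's steps: a destination for the firewall facility */
/* (hypothetical file name) and applying the filter to the Routing Engine. */
system {
    syslog {
        file fragment-log {
            firewall any;
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input fragment-RE;
                }
            }
        }
    }
}
```

Load it from configuration mode with load merge terminal (end the paste with Ctrl-D), check the result with show firewall and show | compare, then commit. Without a destination for the firewall facility under [edit system syslog], the syslog action in small-offset-term still discards the fragment but leaves no record.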

Results

Confirm your configuration by entering the show firewall command from configuration mode. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Displaying Stateless Firewall Filter Configurations

Purpose

Verify the configuration of the firewall filter. You can analyze the flow of the filter terms by displaying the entire configuration.

Action

From configuration mode, enter the show firewall command.

Meaning

Verify that the output shows the intended configuration of the firewall filter. In addition, verify that the terms are listed in the order in which you want the packets to be tested. You can move terms within a firewall filter by using the insert CLI command.

Verifying a Firewall Filter that Handles Fragments

Purpose

Verify that the actions of the firewall filter terms are taken.

Action

Send packets to the device that match the terms.

Meaning

Verify that fragments from 10.2.1.0/24 with fragment offsets 1 through 5 are recorded in the device's system logging destinations for the firewall facility. The syslog action writes only to destinations configured for the firewall facility at the [edit system syslog] hierarchy level; if none is configured, the fragments are still discarded but no record appears.