Example: Configuring a Stateless Firewall Filter to Handle Fragments
This example shows how to create a stateless firewall filter that handles packet fragments.
Requirements
No special configuration beyond device initialization is required before configuring stateless firewall filters.
Overview
In this example, you create a stateless firewall filter called fragment-RE that accepts fragmented packets originating from 10.2.1.0/24 and destined for the BGP port. This example includes the following firewall filter terms:
- not-from-prefix-term: Discards packets that are not from 10.2.1.0/24, so that subsequent terms in the firewall filter are matched against packets from 10.2.1.0/24 only.
- small-offset-term: Discards packets with a small fragment offset (1 through 5, that is, 8 through 40 bytes into the original payload, because the offset is carried in 8-byte units) so that subsequent terms in the firewall filter can be matched against all the headers in the packet. A fragment at one of these offsets can overlap the TCP header carried in the first fragment when the destination reassembles the packet, so discarding it also keeps the port match applied to the first fragment from being bypassed. In addition, the term adds a record to the system logging destinations for the firewall facility.
- not-fragmented-term: Accepts unfragmented TCP packets with a destination port that specifies the BGP protocol. A packet is considered unfragmented if the MF (more fragments) flag is not set and the fragment offset equals 0.
- first-fragment-term: Accepts the first fragment of a fragmented TCP packet with a destination port that specifies the BGP protocol.
- fragment-term: Accepts all fragments that were not discarded by small-offset-term (fragment offsets 6 through 8191). However, only those fragments that belong to a packet whose first fragment was accepted by first-fragment-term are reassembled by the destination device.
The fragment offset of a packet can be from 1 through 8191. A packet that matches none of the terms is dropped by the implicit discard at the end of every stateless firewall filter, so unfragmented traffic from 10.2.1.0/24 to any port other than BGP, and non-TCP traffic, is discarded by this filter.
You can move terms within the firewall filter by using the insert command. For more information, see “insert” in the Junos OS CLI User Guide.
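To see how the five terms and the implicit final discard act on concrete packets, the following Python model of the filter is added here as an illustration; it is not Junos code and is not part of the original example. It builds minimal IPv4 packets with the MF flag and fragment offset set, extracts the fields the terms match on, and walks the terms in the configured order. The sample addresses (10.2.1.7, 192.0.2.9, 10.0.0.1) and packets are constructed for this example, and the first-fragment condition is modeled as fragment offset 0 with MF set, which is an assumption about how that match is evaluated.

```python
"""
Model of the fragment-RE stateless filter, run over constructed IPv4
packets.  Added illustration, not Juniper code: it reproduces the term
order and the implicit final discard of a Junos firewall filter so the
decision for each packet can be checked offline.
"""
import ipaddress
import struct

BGP_PORT = 179          # "destination-port bgp"
TCP = 6                 # "protocol tcp"
SRC_PREFIX = ipaddress.ip_network("10.2.1.0/24")
IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options


def build_ipv4(src, dst, proto, payload, mf=False, offset=0):
    """Build a minimal IPv4 header plus payload.  `offset` is in 8-byte
    units, exactly as carried in the header's 13-bit fragment offset."""
    flags_frag = (0x2000 if mf else 0) | (offset & 0x1FFF)
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(payload), 0x1234,
                      flags_frag, 64, proto, 0,
                      ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr + payload


def tcp_header(dst_port, src_port=40000):
    """Minimal 20-byte TCP SYN header; only the ports matter here."""
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                       5 << 4, 0x02, 65535, 0, 0)


def parse(pkt):
    """Extract the fields the filter terms look at."""
    (vihl, _, _, _, flags_frag, _, proto, _, src, _) = struct.unpack(
        IPV4_FMT, pkt[:20])
    ihl = (vihl & 0x0F) * 4
    fields = {
        "src": ipaddress.ip_address(src),
        "proto": proto,
        "mf": bool(flags_frag & 0x2000),
        "offset": flags_frag & 0x1FFF,
        "dst_port": None,
    }
    # Only the packet with offset 0 carries the transport header, so the
    # destination port is unknown for every trailing fragment.
    if fields["offset"] == 0 and proto == TCP and len(pkt) >= ihl + 4:
        fields["dst_port"] = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return fields


def evaluate(pkt):
    """Walk the terms in configured order; return (term, actions)."""
    f = parse(pkt)
    # not-from-prefix-term: source-address 0.0.0.0/0 with 10.2.1.0/24 except
    if f["src"] not in SRC_PREFIX:
        return "not-from-prefix-term", ("discard",)
    # small-offset-term: fragment-offset 1-5 (8..40 bytes into the payload)
    if 1 <= f["offset"] <= 5:
        return "small-offset-term", ("syslog", "discard")
    # not-fragmented-term: offset 0, MF clear, TCP to the BGP port
    if (f["offset"] == 0 and not f["mf"] and f["proto"] == TCP
            and f["dst_port"] == BGP_PORT):
        return "not-fragmented-term", ("accept",)
    # first-fragment-term: modeled as offset 0 with MF set (assumption)
    if (f["offset"] == 0 and f["mf"] and f["proto"] == TCP
            and f["dst_port"] == BGP_PORT):
        return "first-fragment-term", ("accept",)
    # fragment-term: fragment-offset 6-8191, any protocol
    if 6 <= f["offset"] <= 8191:
        return "fragment-term", ("accept",)
    # No term matched: the filter's implicit final discard applies.
    return "(implicit)", ("discard",)


# Constructed sample packets (addresses are placeholders for this example).
SAMPLES = {
    "bgp_unfragmented": build_ipv4("10.2.1.7", "10.0.0.1", TCP,
                                   tcp_header(BGP_PORT)),
    "bgp_first_fragment": build_ipv4("10.2.1.7", "10.0.0.1", TCP,
                                     tcp_header(BGP_PORT) + b"\x00" * 12,
                                     mf=True),
    "tiny_fragment": build_ipv4("10.2.1.7", "10.0.0.1", TCP, b"\x00" * 8,
                                mf=True, offset=1),
    "trailing_fragment": build_ipv4("10.2.1.7", "10.0.0.1", TCP,
                                    b"\x00" * 8, offset=6),
    "outside_prefix": build_ipv4("192.0.2.9", "10.0.0.1", TCP,
                                 tcp_header(BGP_PORT)),
    "ssh_unfragmented": build_ipv4("10.2.1.7", "10.0.0.1", TCP,
                                   tcp_header(22)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        term, actions = evaluate(pkt)
        print(f"{name:20} -> {term:22} {' '.join(actions)}")
```

Two things the walk makes visible that the term list alone does not: the destination port is only matchable on the packet with offset 0, which is why trailing fragments must be accepted by offset alone, and any offset-0 packet from 10.2.1.0/24 that is not TCP to the BGP port falls through every term and is dropped by the implicit discard.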
Topology
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
set firewall family inet filter fragment-RE term not-from-prefix-term from source-address 0.0.0.0/0
set firewall family inet filter fragment-RE term not-from-prefix-term from source-address 10.2.1.0/24 except
set firewall family inet filter fragment-RE term not-from-prefix-term then discard
set firewall family inet filter fragment-RE term small-offset-term from fragment-offset 1-5
set firewall family inet filter fragment-RE term small-offset-term then syslog
set firewall family inet filter fragment-RE term small-offset-term then discard
set firewall family inet filter fragment-RE term not-fragmented-term from fragment-offset 0
set firewall family inet filter fragment-RE term not-fragmented-term from fragment-flags "!more-fragments"
set firewall family inet filter fragment-RE term not-fragmented-term from protocol tcp
set firewall family inet filter fragment-RE term not-fragmented-term from destination-port bgp
set firewall family inet filter fragment-RE term not-fragmented-term then accept
set firewall family inet filter fragment-RE term first-fragment-term from first-fragment
set firewall family inet filter fragment-RE term first-fragment-term from protocol tcp
set firewall family inet filter fragment-RE term first-fragment-term from destination-port bgp
set firewall family inet filter fragment-RE term first-fragment-term then accept
set firewall family inet filter fragment-RE term fragment-term from fragment-offset 6-8191
set firewall family inet filter fragment-RE term fragment-term then accept
Procedure
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Use the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure the stateless firewall filter:
Define the stateless firewall filter.
[edit]
user@host# edit firewall family inet filter fragment-RE
Configure the first term for the filter.
[edit firewall family inet filter fragment-RE]
user@host# set term not-from-prefix-term from source-address 0.0.0.0/0
user@host# set term not-from-prefix-term from source-address 10.2.1.0/24 except
user@host# set term not-from-prefix-term then discard
Define the second term for the filter.
[edit firewall family inet filter fragment-RE]
user@host# edit term small-offset-term
Define the match conditions for the term.
[edit firewall family inet filter fragment-RE term small-offset-term]
user@host# set from fragment-offset 1-5
Define the action for the term.
[edit firewall family inet filter fragment-RE term small-offset-term]
user@host# set then syslog discard
Define the third term for the filter.
[edit]
user@host# edit firewall family inet filter fragment-RE term not-fragmented-term
Define the match conditions for the term.
[edit firewall family inet filter fragment-RE term not-fragmented-term]
user@host# set from fragment-flags "!more-fragments" fragment-offset 0 protocol tcp destination-port bgp
Define the action for the term.
[edit firewall family inet filter fragment-RE term not-fragmented-term]
user@host# set then accept
Define the fourth term for the filter.
[edit]
user@host# edit firewall family inet filter fragment-RE term first-fragment-term
Define the match conditions for the term.
[edit firewall family inet filter fragment-RE term first-fragment-term]
user@host# set from first-fragment protocol tcp destination-port bgp
Define the action for the term.
[edit firewall family inet filter fragment-RE term first-fragment-term]
user@host# set then accept
Define the last term for the filter.
[edit]
user@host# edit firewall family inet filter fragment-RE term fragment-term
Define the match conditions for the term. (The range is typed with a plain hyphen, 6-8191.)
[edit firewall family inet filter fragment-RE term fragment-term]
user@host# set from fragment-offset 6-8191
Define the action for the term.
[edit firewall family inet filter fragment-RE term fragment-term]
user@host# set then accept
Results
Confirm your configuration by entering the show firewall command from configuration mode. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
user@host# show firewall
family inet {
    filter fragment-RE {
        term not-from-prefix-term {
            from {
                source-address {
                    0.0.0.0/0;
                    10.2.1.0/24 except;
                }
            }
            then discard;
        }
        term small-offset-term {
            from {
                fragment-offset 1-5;
            }
            then {
                syslog;
                discard;
            }
        }
        term not-fragmented-term {
            from {
                fragment-offset 0;
                fragment-flags "!more-fragments";
                protocol tcp;
                destination-port bgp;
            }
            then accept;
        }
        term first-fragment-term {
            from {
                first-fragment;
                protocol tcp;
                destination-port bgp;
            }
            then accept;
        }
        term fragment-term {
            from {
                fragment-offset 6-8191;
            }
            then accept;
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform these tasks:
- Displaying Stateless Firewall Filter Configurations
- Verifying a Firewall Filter that Handles Fragments
Displaying Stateless Firewall Filter Configurations
Purpose
Verify the configuration of the firewall filter. You can analyze the flow of the filter terms by displaying the entire configuration.
Action
From configuration mode, enter the show firewall command.
Meaning
Verify that the output shows the intended configuration of the firewall filter. In addition, verify that the terms are listed in the order in which you want the packets to be tested. You can move terms within a firewall filter by using the insert CLI command.
Verifying a Firewall Filter that Handles Fragments
Purpose
Verify that the actions of the firewall filter terms are taken.
Action
Send packets to the device that match the terms. The filter evaluates traffic only after it has been applied to an interface (under the interface's family inet filter input or output statement); defining it under [edit firewall] alone does not filter anything.
Meaning
Verify that packets from 10.2.1.0/24 with small fragment offsets (1 through 5) are recorded in the device’s system logging destinations for the firewall facility and are not delivered. Also verify that unfragmented and first-fragment TCP packets from 10.2.1.0/24 to the BGP port are accepted, and that packets from outside 10.2.1.0/24 are discarded.