Example: Configuring a Filter to Block TFTP Access

3. From a host at an IP address outside of the 192.168.1.0/24 subnet, use the telnet hostnamecommand to verify that you can log in to the device using only Telnet. This packet should be rejected, and the packet header information for this packet should be logged in the firewall filter log buffer in the PFE.

user@host-B> telnet myhost Trying 192.168.249.71...

telnet: connect to address 192.168.187.3: Connection refused telnet: Unable to connect to remote host

4. Use the show firewall log command to verify that the routing table on the device does not contain any entries with a source address in the 192.168.1.0/24 subnet.

user@myhost> show firewall log

Time Filter Action Interface Protocol Src Addr Dest Addr 18:41:25 local_acl R fxp0.0 TCP 192.168.187.5 192.168.187.1 18:41:25 local_acl R fxp0.0 TCP 192.168.187.5 192.168.187.1 18:41:25 local_acl R fxp0.0 TCP 192.168.187.5 192.168.187.1 ...

18:43:06 local_acl R fxp0.0 TCP 192.168.187.5 192.168.187.1 18:43:06 local_acl R fxp0.0 TCP 192.168.187.5 192.168.187.1 18:43:06 local_acl R fxp0.0 TCP 192.168.187.5 192.168.187.1 ...

Example: Configuring a Filter to Block TFTP Access

• Requirements on page 125

• Overview on page 125

• Configuration on page 125

• Verification on page 127

Requirements

No special configuration beyond device initialization is required before configuring this example.

Overview

By default, to decrease vulnerability to denial-of-service (DoS) attacks, the Junos OS filters and discards Dynamic Host Configuration Protocol (DHCP) or Bootstrap Protocol (BOOTP) packets that have a source address of 0.0.0.0 and a destination address of 255.255.255.255. This default filter is known as a unicast RPF check. However, some vendors’ equipment automatically accepts these packets.

To interoperate with other vendors' equipment, you can configure a filter that checks for both of these addresses and overrides the default RPF-check filter by accepting these packets. In this example, you block Trivial File Transfer Protocol (TFTP) access, logging any attempts to establish TFTP connections.

Configuration

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see“Using the CLI Editor in Configuration Mode” on page 5.

To configure this example, perform the following tasks:

• Configure the Stateless Firewall Filter on page 125

• Apply the Firewall Filter to the Loopback Interface on page 126

• Confirm and Commit Your Candidate Configuration on page 126 CLI Quick

Configuration

To quickly configure this example, copy the following configuration commands into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit]

hierarchy level.

set firewall family inet filter tftp_access_control term one from protocol udp set firewall family inet filter tftp_access_control term one from port tftp set firewall family inet filter tftp_access_control term one then log set firewall family inet filter tftp_access_control term one then discard set interfaces lo0 unit 0 family inet filter input tftp_access_control set interfaces lo0 unit 0 family inet address 127.0.0.1/32

Configure the Stateless Firewall Filter Step-by-Step

Procedure

To configure the stateless firewall filter that selectively blocks TFTP access:

Create the stateless firewall filter tftp_access_control.

[edit]

user@host# edit firewall family inet filter tftp_access_control

Chapter 3: Applying Firewall Filters to Routing Engine Traffic

2. Specify a match on packets received on UDP port 69.

[edit firewall family inet filter tftp_access_control]

user@host# set term one from protocol udp user@host# set term one from port tftp

3. Specify that matched packets be logged to the buffer on the Packet Forwarding Engine and then discarded.

[edit firewall family inet filter tftp_access_control]

user@host# set term one then log user@host# set term one then discard

Apply the Firewall Filter to the Loopback Interface Step-by-Step

Procedure

To apply the firewall filter to the loopback interface:

[edit]

•

user@host# set interfaces lo0 unit 0 family inet filter input tftp_access_control user@host# set interfaces lo0 unit 0 family inet address 127.0.0.1/32

Confirm and Commit Your Candidate Configuration Step-by-Step

Procedure

To confirm and then commit your candidate configuration:

Confirm the configuration of the stateless firewall filter by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

[edit]

user@host# show firewall family inet {

filter tftp_access_control { term one {

from {

protocol udp;

port tftp;

} then {

log;

discard;

} } } }

2. Confirm the configuration of the interface by entering the show interfaces

configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

[edit]

user@host# show interfaces lo0 {

unit 0 { family inet {

filter {

input tftp_access_control;

}

address 127.0.0.1/32;

} } }

3. If you are done configuring the device, commit your candidate configuration.

[edit]

user@host# commit

Verification

Confirm that the configuration is operating properly:

• Verifying Logged and Discarded Packets on page 127

Verifying Logged and Discarded Packets

Purpose Verify that the actions of the firewall filter terms are taken.

Action To

1. Clear the firewall log on your router or switch.

user@myhost> clear firewall log

2. From another host, send a packet to UDP port 69 on this router or switch.