This example shows how to create a stateless firewall filter that protects the Routing Engine from traffic originating from untrusted sources.
• Requirements on page 115
• Overview on page 115
• Configuration on page 115
• Verification on page 118
Requirements
No special configuration beyond device initialization is required before configuring stateless firewall filters.
Overview
In this example, you create a stateless firewall filter called protect-RE that discards all traffic destined for the Routing Engine except SSH and BGP protocol packets from specified trusted sources. This example includes the following firewall filter terms:
• ssh-term—Accepts TCP packets with a source address of 192.168.122.0/24 and a destination port that specifies SSH.
• bgp-term—Accepts TCP packets with a source address of 10.2.1.0/24 and a destination port that specifies BGP.
• discard-rest-term—For all packets that are not accepted by ssh-term or bgp-term, creates a firewall filter log and system logging records, then discards all packets.
NOTE: You can move terms within the firewall filter using the insert command.
See insert in the CLI User Guide.
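To reason about which Routing Engine traffic the three terms above accept or discard before committing, the following added example (not part of the Junos documentation or the device's own code) simulates the filter's first-match evaluation in Python. It assumes the ssh and bgp port keywords resolve to TCP ports 22 and 179, and the sample packets are constructed here.

```python
# Added example (not Junos code): a first-match simulation of the protect-RE
# filter described above. The term definitions mirror the example's three
# terms; the packets are constructed samples destined for the Routing Engine.
from ipaddress import ip_address, ip_network

SSH_PORT, BGP_PORT = 22, 179  # assumed values behind the "ssh" and "bgp" keywords

# Each term: (name, match conditions, actions). A term with no "from" clause
# matches every packet, which is how discard-rest-term catches the remainder.
PROTECT_RE = [
    ("ssh-term", {"src": "192.168.122.0/24", "proto": "tcp", "dport": SSH_PORT}, ["accept"]),
    ("bgp-term", {"src": "10.2.1.0/24", "proto": "tcp", "dport": BGP_PORT}, ["accept"]),
    ("discard-rest-term", {}, ["log", "syslog", "discard"]),
]

def term_matches(cond, pkt):
    """All conditions in a term are ANDed; an empty condition set matches any packet."""
    if "src" in cond and ip_address(pkt["src"]) not in ip_network(cond["src"]):
        return False
    if "proto" in cond and pkt["proto"] != cond["proto"]:
        return False
    if "dport" in cond and pkt.get("dport") != cond["dport"]:
        return False
    return True

def evaluate(filter_terms, pkt, log):
    """Stateless filters are first-match: the first matching term's terminating
    action decides. If no term matches, the filter discards the packet."""
    for name, cond, actions in filter_terms:
        if term_matches(cond, pkt):
            if "log" in actions or "syslog" in actions:
                log.append(f"{name}: {pkt['proto']} {pkt['src']} -> port {pkt.get('dport')}")
            return name, ("accept" if "accept" in actions else "discard")
    return None, "discard"  # implicit discard at the end of the filter

# Constructed sample packets arriving on lo0.
SAMPLES = {
    "ssh from trusted mgmt host":   {"src": "192.168.122.10", "proto": "tcp", "dport": SSH_PORT},
    "ssh from untrusted host":      {"src": "203.0.113.5",    "proto": "tcp", "dport": SSH_PORT},
    "bgp from trusted peer":        {"src": "10.2.1.7",       "proto": "tcp", "dport": BGP_PORT},
    "bgp from the ssh-trusted net": {"src": "192.168.122.10", "proto": "tcp", "dport": BGP_PORT},
    "icmp echo from anywhere":      {"src": "10.2.1.7",       "proto": "icmp"},
}

def run(filter_terms=PROTECT_RE):
    """Return the verdict per sample and the log entries the filter would produce."""
    log = []
    verdicts = {label: evaluate(filter_terms, pkt, log)[1] for label, pkt in SAMPLES.items()}
    return verdicts, log

if __name__ == "__main__":
    verdicts, log = run()
    for label, verdict in verdicts.items():
        print(f"{verdict:8} {label}")
    print("logged:", *log, sep="\n  ")
```

Calling run() with discard-rest-term moved to the front shows why term order matters: every sample is then discarded, which is the situation the insert command exists to correct.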
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
set firewall family inet filter protect-RE term ssh-term from source-address 192.168.122.0/24
set firewall family inet filter protect-RE term ssh-term from protocol tcp
set firewall family inet filter protect-RE term ssh-term from destination-port ssh
set firewall family inet filter protect-RE term ssh-term then accept
set firewall family inet filter protect-RE term bgp-term from source-address 10.2.1.0/24
set firewall family inet filter protect-RE term bgp-term from protocol tcp
set firewall family inet filter protect-RE term bgp-term from destination-port bgp
set firewall family inet filter protect-RE term bgp-term then accept
set firewall family inet filter protect-RE term discard-rest-term then log
set firewall family inet filter protect-RE term discard-rest-term then syslog
set firewall family inet filter protect-RE term discard-rest-term then discard
set interfaces lo0 unit 0 family inet filter input protect-RE
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see "Using the CLI Editor in Configuration Mode" on page 5 in the CLI User Guide.
To configure the stateless firewall filter:
1. Create the stateless firewall filter.
[edit]
user@host# edit firewall family inet filter protect-RE
2. Create the first filter term.
[edit firewall family inet filter protect-RE]
user@host# edit term ssh-term
3. Define the protocol, destination port, and source address match conditions for the term.
[edit firewall family inet filter protect-RE term ssh-term]
user@host# set from protocol tcp destination-port ssh source-address 192.168.122.0/24
4. Define the actions for the term.
[edit firewall family inet filter protect-RE term ssh-term]
user@host# set then accept
5. Create the second filter term.
[edit firewall family inet filter protect-RE]
user@host# edit term bgp-term
6. Define the protocol, destination port, and source address match conditions for the term.
[edit firewall family inet filter protect-RE term bgp-term]
user@host# set from protocol tcp destination-port bgp source-address 10.2.1.0/24
7. Define the action for the term.
[edit firewall family inet filter protect-RE term bgp-term]
user@host# set then accept
8. Create the third filter term.
[edit firewall family inet filter protect-RE]
user@host# edit term discard-rest-term
9. Define the actions for the term.
[edit firewall family inet filter protect-RE term discard-rest-term]
user@host# set then log syslog discard
10. Apply the filter to the input side of the Routing Engine interface.
[edit]
user@host# set interfaces lo0 unit 0 family inet filter input protect-RE
Results
Confirm your configuration by entering the show firewall command and the show interfaces lo0 command from configuration mode. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
user@host# show firewall
If you are done configuring the device, enter commit from configuration mode.
[edit]
user@host# commit
Verification
To confirm that the configuration is working properly, perform these tasks:
• Displaying Stateless Firewall Filter Configurations on page 118
• Verifying a Services, Protocols, and Trusted Sources Firewall Filter on page 118
• Displaying Stateless Firewall Filter Logs on page 119
Displaying Stateless Firewall Filter Configurations
Purpose Verify the configuration of the firewall filter.
Action From configuration mode, enter the show firewall command and the show interfaces lo0 command.
Meaning Verify that the output shows the intended configuration of the firewall filter. In addition, verify that the terms are listed in the order in which you want the packets to be tested.
You can move terms within a firewall filter by using the insert CLI command.
Verifying a Services, Protocols, and Trusted Sources Firewall Filter
Purpose Verify that the actions of the firewall filter terms are taken.
Action Send packets to the device that match the terms. In addition, verify that the filter actions are not taken for packets that do not match.
• Use the ssh host-name command from a host at an IP address that matches 192.168.122.0/24 to verify that you can log in to the device using only SSH from a host with this address prefix.
• Use the show route summary command to verify that the routing table on the device does not contain any entries with a protocol other than Direct, Local, BGP, or Static.