1 Firewall filter
- Often referred to as an access control list (ACL) by other vendors.
- A firewall filter controls the traffic entering and leaving a network device in a stateless fashion.
- Processes every packet independently.
- Used to filter and monitor network traffic.
- Primarily used to control transit traffic.
- The system does not keep connection state.
- Must explicitly allow traffic in both directions.
1.2 Building Blocks of a Firewall Filter
- User-defined filter and term names
- A firewall filter requires at least one term
- The software evaluates terms sequentially until it reaches a terminating action
- The from statement describes the match conditions
- If all the match conditions are true, the filter takes the specified action within the term
- If no match condition is specified, all traffic matches the filter and is subjected to the stated action
- Always use a default term to discard all traffic that is not explicitly configured to pass through

1.3 Common Match Conditions
- The from statement describes the match conditions
- Can match on most header fields
- Match condition categories:
  - Numeric range
  - Address
  - Bit field
- Processing fragments is more complicated with a stateless firewall filter
- Several text synonyms exist that function as match conditions
  - tcp-established is a text synonym for the tcp-flags ack or tcp-flags rst match conditions
2.1 Firewall Filter Actions
- The then statement describes the actions to take if a match is found
- Common actions in firewall filters:
  Terminating actions:
    accept
    discard - silently discards the packet
    reject - discards the packet and sends an ICMP destination unreachable message to the sender; an optional argument sends a different ICMP message; the tcp-reset option sends a TCP reset, but sends nothing for non-TCP packets
  Flow control:
    next term - useful to set a policer or DiffServ code point value and still have the traffic evaluated by the rest of the filter
  Action modifiers:
    count, log and syslog - record information about packets
    forwarding-class and loss-priority - specify class of service (CoS)
    policer
- The software discards all traffic not explicitly allowed !!
- Action modifiers without a terminating action will accept the packet.
3.1 Implementing Firewall Filters
- Define firewall filters per protocol family under the [edit firewall] hierarchy level
user@router# edit firewall family inet
user@router# show
filter filter-in {
    term block-some-packets {
        from {
            source-address {
                10.10.10.0/24;
            }
        }
        then {
            count spoof-in;
            discard;
        }
    }
    term accept-others {
        then accept;
    }
}
- Apply firewall filters as input or output on an interface
  The protocol family on the interface and on the filter must match
  You can apply a filter to the lo0 logical interface to filter traffic destined for the system itself
user@router# edit interfaces ge-0/0/1
user@router# show
unit 0 {
    family inet {
        filter {
            input filter-in;
            output filter-out;
        }
        address 172.17.8.9/30;
    }
}
3.2 Filtering Local Traffic
- Apply filters to the lo0 interface to filter local (control-plane) traffic
- The filter must account for routing and management protocols
- The PFE applies these filters before traffic ever reaches the control plane
user@router# edit firewall family inet
user@router# show
filter limit-ssh-accept {
    term ssh-accept {
        from {
            source-prefix-list {
                trusted;
            }
            protocol tcp;
            destination-port ssh;
        }
        then {
            accept;
        }
    }
    term ssh-reject {
        from {
            protocol tcp;
            destination-port ssh;
        }
        then {
            discard;
        }
    }
    term else-accept {
        then accept;
    }
}
4.1 Case Study: Objectives and Topology
- Outbound:
  1. Discard and log all outbound traffic with any source address not belonging to 172.27.102.0/24
  2. Allow and count all other traffic
user@router# edit firewall
user@router# set family inet filter output-ff term deny-spoofed from source-address 0.0.0.0/0
user@router# set family inet filter output-ff term deny-spoofed from source-address 172.27.102.0/24 except
user@router# set family inet filter output-ff term deny-spoofed then log
user@router# set family inet filter output-ff term deny-spoofed then discard
user@router# set family inet filter output-ff term else-accept then accept
The except entry removes the site's own prefix from the match, so the deny-spoofed term only catches traffic whose source address is outside 172.27.102.0/24.

root# show | compare
[edit firewall]
+   family inet {
+       filter output-ff {
+           term deny-spoofed {
+               from {
+                   source-address {
+                       0.0.0.0/0;
+                       172.27.102.0/24 except;
+                   }
+               }
+               then {
+                   log;
+                   discard;
+               }
+           }
+           term else-accept {
+               then accept;
+           }
+       }
+   }

[edit firewall]
user@router# top edit interfaces ge-0/0/1
user@router# set unit 0 family inet filter output output-ff
user@router# set unit 0 family inet address 172.30.25.2/30
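The following Python model is an added example for these notes, not Juniper code: it implements the stateless, first-match term evaluation described in sections 1.2 and 2.1 and runs the filter-in and output-ff filters from sections 3.1 and 4.1 over constructed packets. It covers the rules the notes state: terms are tried in order, a term with no from matches everything, action modifiers alone imply accept, a packet matching no term is discarded, and an except address entry excludes the packet from the match. Packet addresses, the trusted prefix 192.0.2.0/24 and the SSH_FROM_TRUSTED filter are constructed for the demonstration.

```python
"""Stateless, first-match evaluation of Junos-style firewall filter terms.

Added example for these notes (not Juniper code). Address matching uses the
longest matching prefix; an 'except' entry that wins means no match.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

TERMINATING = {"accept", "discard", "reject"}


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "tcp"
    dport: int = 0


@dataclass
class Term:
    name: str
    # (prefix, is_except) pairs, like a source-address block with 'except'
    source_address: List[Tuple[str, bool]] = field(default_factory=list)
    protocol: Optional[str] = None
    destination_port: Optional[int] = None
    # 'then' actions in order, e.g. ["count spoof-in", "discard"]
    actions: List[str] = field(default_factory=list)


def address_matches(prefixes, addr):
    """Longest prefix wins; a winning 'except' entry means the address does not match."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, is_except in prefixes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, is_except)
    return best is not None and not best[1]


def term_matches(term, pkt):
    """All configured 'from' conditions must be true; an empty 'from' matches all."""
    if term.source_address and not address_matches(term.source_address, pkt.src):
        return False
    if term.protocol is not None and term.protocol != pkt.protocol:
        return False
    if term.destination_port is not None and term.destination_port != pkt.dport:
        return False
    return True


def evaluate(terms, pkt, counters):
    """Return 'accept', 'discard' or 'reject' for one packet, updating counters."""
    for term in terms:
        if not term_matches(term, pkt):
            continue
        verdict = None
        for action in term.actions:
            if action.startswith("count "):
                counters[action.split()[1]] += 1   # action modifier
            elif action in TERMINATING:
                verdict = action
            elif action == "next term":
                verdict = action                  # flow control
        if verdict == "next term":
            continue                               # keep evaluating later terms
        return verdict or "accept"                 # modifiers only: implicit accept
    return "discard"                               # no term matched: implicit discard


# The filter-in and output-ff filters from the notes, expressed as Term objects
FILTER_IN = [
    Term("block-some-packets", source_address=[("10.10.10.0/24", False)],
         actions=["count spoof-in", "discard"]),
    Term("accept-others", actions=["accept"]),
]
OUTPUT_FF = [
    Term("deny-spoofed",
         source_address=[("0.0.0.0/0", False), ("172.27.102.0/24", True)],
         actions=["log", "discard"]),
    Term("else-accept", actions=["accept"]),
]
# Constructed filter with no catch-all term, to show the implicit discard
SSH_FROM_TRUSTED = [
    Term("ssh-accept", source_address=[("192.0.2.0/24", False)],
         protocol="tcp", destination_port=22, actions=["accept"]),
]


def run_examples():
    """Constructed packets run through each filter; returns (verdicts, counters)."""
    counters = Counter()
    verdicts = {
        "filter-in spoofed": evaluate(FILTER_IN, Packet("10.10.10.7", "172.17.8.10"), counters),
        "filter-in other": evaluate(FILTER_IN, Packet("192.0.2.5", "172.17.8.10"), counters),
        "output-ff inside": evaluate(OUTPUT_FF, Packet("172.27.102.9", "198.51.100.1"), counters),
        "output-ff spoofed": evaluate(OUTPUT_FF, Packet("10.0.0.1", "198.51.100.1"), counters),
        "ssh-only https": evaluate(SSH_FROM_TRUSTED, Packet("192.0.2.5", "192.0.2.1", "tcp", 443), counters),
        "ssh-only ssh": evaluate(SSH_FROM_TRUSTED, Packet("192.0.2.5", "192.0.2.1", "tcp", 22), counters),
    }
    return verdicts, dict(counters)


if __name__ == "__main__":
    for name, verdict in run_examples()[0].items():
        print(f"{name}: {verdict}")
```

The "ssh-only https" case is the one to keep in mind when writing lo0 filters: with no else-accept term, anything the earlier terms do not name (routing protocol traffic included) falls through to the implicit discard.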
4.3 Policing
- Policing (rate limiting) enables you to limit the amount of traffic that passes into or out of an interface
- Works with firewall filters to prevent DoS attacks
- Common actions include discard and setting the loss-priority level
- Uses average bandwidth and maximum burst size:
  bandwidth-limit - in bits per second; 100 Mbps = 100,000,000
  burst-size-limit - in bytes
  Calculation: burst size = bandwidth (100,000,000) x allowable burst time (5/1000)
  = 500,000 bits
  = 500,000 / 8 = 62,500 bytes
- The following firewall filter polices all TCP traffic that exceeds 100 Mbps with a 62,500-byte burst size
  It places traffic that exceeds these limits in the best-effort forwarding class
[edit firewall]
+   family inet {
+       filter example1 {
+           term policer-example {
+               from {
+                   protocol tcp;
+               }
+               then {
+                   policer class-example;
+                   forwarding-class assured-forwarding;
+                   accept;
+               }
+           }
+       }
+   }

[edit firewall]
user@router# show
policer class-example {
    if-exceeding {
        bandwidth-limit 100m;
        burst-size-limit 62500;
    }
    then forwarding-class best-effort;
}
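As an added example (not Juniper code), the token-bucket model below reproduces the burst-size arithmetic from section 4.3 and shows how a single-rate policer with the class-example limits decides which packets keep the term's assured-forwarding class and which get re-marked best-effort. The packet sizes and arrival times are constructed; the 5 ms burst time is the value the notes use.

```python
"""Token-bucket policer modelled on the class-example policer above.

Added example for these notes (not Juniper code). Packets within the committed
rate and burst keep the term's forwarding class; packets exceeding it get the
policer's then action. Traffic timings are constructed.
"""


def burst_size_bytes(bandwidth_bps, burst_time_s):
    """burst = bandwidth x allowable burst time (bits), divided by 8 for bytes."""
    return int(bandwidth_bps * burst_time_s / 8)


class Policer:
    """Single-rate token bucket: capacity = burst-size-limit, refill = bandwidth-limit."""

    def __init__(self, bandwidth_bps, burst_bytes):
        self.rate = bandwidth_bps / 8.0        # tokens (bytes) added per second
        self.capacity = burst_bytes
        self.tokens = float(burst_bytes)       # bucket starts full
        self.last = 0.0                        # arrival time of the previous packet

    def police(self, t, length):
        """Classify one packet of `length` bytes arriving at time `t` (seconds)."""
        self.tokens = min(self.capacity, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if length <= self.tokens:
            self.tokens -= length
            return "assured-forwarding"        # in profile: the term's forwarding-class
        return "best-effort"                   # out of profile: the policer's then action


def classify_stream(arrival_times, length=1500):
    """Run a list of packet arrival times through a 100 Mbps / 62,500-byte policer."""
    policer = Policer(100_000_000, burst_size_bytes(100_000_000, 5 / 1000))
    return [policer.police(t, length) for t in arrival_times]


def demo():
    # Constructed input: 50 x 1500-byte packets in one instant (75,000 bytes,
    # more than the 62,500-byte burst), then one packet 10 ms later, after the
    # bucket has refilled (100 Mbps = 12,500 bytes per millisecond).
    times = [0.0] * 50 + [0.010]
    classes = classify_stream(times)
    return {
        "assured-forwarding": classes.count("assured-forwarding"),
        "best-effort": classes.count("best-effort"),
        "after-refill": classes[-1],
    }


if __name__ == "__main__":
    print(burst_size_bytes(100_000_000, 5 / 1000), demo())
```

Only 41 of the 50 burst packets fit the 62,500-byte bucket (41 x 1500 = 61,500 bytes); the remaining nine are marked best-effort, and the packet arriving 10 ms later finds a full bucket again.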
5.1 Unicast RPF Check
- The unicast reverse path forwarding (uRPF) check validates that a packet is received on the interface where the Junos OS would expect to receive traffic from that source
- Activating this feature increases PFE memory usage
- Strict (default) - accepts the packet if
  - the packet's source address matches an active route, and
  - the next hop of that active route uses the interface on which the packet arrived
- Loose - accepts the packet if
  - the packet's source address matches a prefix in the routing table
  - if a default route is present, packets always match in loose mode
5.2 Active versus Feasible Paths (strict mode)
- By default the software checks only active paths to a prefix, which can cause drops when multiple paths exist
- Enable the option to consider all feasible paths (for example with asymmetric routing, where the forward and reverse paths differ)
user@router# edit routing-options
user@router# show
forwarding-table {
    unicast-reverse-path feasible-path;
}
- Configure the RPF check only on edge devices
5.3 Fail Filter
- Allows you to accept, log or count traffic that the RPF check would normally deny
- Required to permit DHCP or BOOTP traffic, which the RPF check denies by default (a source address of 0.0.0.0 fails the check)
user@router# edit firewall family inet
user@router# set filter rpf-dhcp term allow-dhcp from source-address 0.0.0.0/32
user@router# set filter rpf-dhcp term allow-dhcp from destination-address 255.255.255.255/32
user@router# set filter rpf-dhcp term allow-dhcp then accept
(the term name was missing from the notes; allow-dhcp is a placeholder)
- Enable the RPF check on the interface
user@router# top edit interfaces ge-0/1/2 unit 0
user@router# set family inet rpf-check fail-filter rpf-dhcp
user@router# set family inet address 172.17.7.23/24
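The model below is an added example for sections 5.1 to 5.3, not Juniper code. It runs constructed packets arriving on ge-0/1/2 through a uRPF check in strict and loose mode, with and without feasible-path checking, and with the rpf-dhcp fail filter. The routing table, the interface names other than ge-0/1/2, and the packet addresses are constructed for the demonstration.

```python
"""Unicast RPF check: strict vs loose mode, active vs feasible paths, fail filter.

Added example for these notes (not Juniper code). Routing table and traffic
are constructed; ge-0/1/2 and rpf-dhcp mirror the configuration above.
"""
import ipaddress

# Constructed routing table: prefix -> next-hop interface(s) of the active route
# and of all feasible routes (active plus alternates).
ROUTES = {
    "0.0.0.0/0": {"active": ["ge-0/0/0"], "feasible": ["ge-0/0/0"]},
    "172.17.7.0/24": {"active": ["ge-0/1/2"], "feasible": ["ge-0/1/2"]},
    # asymmetric routing: the active path leaves via ge-0/0/1, but an alternate
    # path via ge-0/1/2 exists, so return traffic may legitimately arrive there
    "10.20.0.0/16": {"active": ["ge-0/0/1"], "feasible": ["ge-0/0/1", "ge-0/1/2"]},
}


def lookup(table, addr):
    """Longest-prefix match of addr in the routing table; None if no route."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, entry in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, entry)
    return best


def rpf_dhcp(pkt):
    """The rpf-dhcp fail filter: accept DHCP/BOOTP discovers (0.0.0.0 to broadcast)."""
    return pkt["src"] == "0.0.0.0" and pkt["dst"] == "255.255.255.255"


def rpf_check(table, pkt, in_iface, mode="strict", feasible_paths=False, fail_filter=None):
    """True if the packet passes the RPF check, or if the fail filter accepts it."""
    hit = lookup(table, pkt["src"])
    if hit is not None:
        _net, entry = hit
        if mode == "loose":
            passed = True   # any route, including a default route, is enough
        else:
            paths = entry["feasible"] if feasible_paths else entry["active"]
            passed = in_iface in paths
        if passed:
            return True
    # RPF failed (or no route at all): the fail filter decides, otherwise discard
    return bool(fail_filter and fail_filter(pkt))


def run_examples():
    """Constructed packets arriving on ge-0/1/2 under the different RPF settings."""
    inside = {"src": "172.17.7.23", "dst": "198.51.100.1"}
    external = {"src": "198.51.100.7", "dst": "172.17.7.23"}
    asym = {"src": "10.20.5.5", "dst": "172.17.7.23"}
    dhcp = {"src": "0.0.0.0", "dst": "255.255.255.255"}
    return {
        "strict, correct interface": rpf_check(ROUTES, inside, "ge-0/1/2"),
        "strict, wrong interface": rpf_check(ROUTES, inside, "ge-0/0/1"),
        "strict, only default route": rpf_check(ROUTES, external, "ge-0/1/2"),
        "loose, only default route": rpf_check(ROUTES, external, "ge-0/1/2", mode="loose"),
        "strict, active path only": rpf_check(ROUTES, asym, "ge-0/1/2"),
        "strict, feasible paths": rpf_check(ROUTES, asym, "ge-0/1/2", feasible_paths=True),
        "dhcp, no fail filter": rpf_check(ROUTES, dhcp, "ge-0/1/2"),
        "dhcp, rpf-dhcp fail filter": rpf_check(ROUTES, dhcp, "ge-0/1/2", fail_filter=rpf_dhcp),
    }


if __name__ == "__main__":
    for name, passed in run_examples().items():
        print(f"{name}: {'pass' if passed else 'fail'}")
```

Two results are worth noting: with a default route installed, loose mode passes every source (which is why the notes say loose mode always matches when a default route exists), and the asymmetric 10.20.0.0/16 source is dropped in strict mode until feasible-path checking is enabled.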
