
This post shows examples of configuring a firewall filter to protect the routing engine on a Juniper router. In Junos, the router itself (the local routing engine) can be protected against attacks such as DDoS, TCP SYN floods and unauthorized access by creating a firewall filter and applying it to the loopback interface, where it is evaluated for all traffic destined to the routing engine. This post gives examples for protecting the local routing engine against unauthorized access, and against ICMP and TCP floods.

Protecting Local Routing Engine Against Unauthorized Access
Creating Firewall Filter

[edit]
firewall {
    filter protect-RE {
        term trusted-telnet {
            from {
                source-address {
                    192.168.1.0/24;
                }
                protocol tcp;
                destination-port telnet;
            }
            then accept;
        }
        term untrusted-telnet {
            from {
                protocol tcp;
                destination-port telnet;
            }
            then {
                reject;
            }
        }
        term all-traffic {
            then accept;
        }
    }
}

Protecting Local Routing Engine Against ICMP and TCP Floods
Creating Firewall Filter and ICMP and TCP Policer

[edit]
firewall {
    policer small-bw-policer {
        if-exceeding {
            bandwidth-limit 4m;
            burst-size-limit 16k;
        }
        then discard;
    }
    filter protect-RE {
        term protect-icmp-flooding {
            from {
                protocol icmp;
                icmp-type [ echo-request echo-reply unreachable time-exceeded ];
            }
            then {
                policer small-bw-policer;
                accept;
            }
        }
        term all-traffic {
            then accept;
        }
    }
}


Apply Filter in Loopback Interface

[edit]
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-RE;
                }
                address 192.168.255.254/32;
            }
        }
    }
}

The firewall filters above can be combined into a single firewall filter like this:

[edit]
firewall {
    policer small-bw-policer {
        if-exceeding {
            bandwidth-limit 4m;
            burst-size-limit 16k;
        }
        then discard;
    }
    filter protect-RE {
        term trusted-telnet {
            from {
                source-address {
                    192.168.1.0/24;
                }
                protocol tcp;
                destination-port telnet;
            }
            then accept;
        }
        term untrusted-telnet {
            from {
                protocol tcp;
                destination-port telnet;
            }
            then {
                reject;
            }
        }
        term protect-icmp-flooding {
            from {
                protocol icmp;
                icmp-type [ echo-request echo-reply unreachable time-exceeded ];
            }
            then {
                policer small-bw-policer;
                accept;
            }
        }
        term all-traffic {
            then accept;
        }
    }
}

Remember to always configure a final term with an accept action at the end of the filter: a Junos firewall filter ends with an implicit discard, so without that term all other traffic to the routing engine would be blocked.
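The sections above mention TCP floods but only police ICMP; as an added example (not from the original post), here is a matching term that rate-limits new TCP connection attempts (SYN without ACK) to the routing engine, using a second policer defined at the [edit firewall] level and a counter so the policed traffic can be inspected with show firewall. The policer name, bandwidth values and counter name are assumptions; the term must sit after the telnet terms and before all-traffic, for example with insert firewall filter protect-RE term protect-tcp-syn-flooding before term all-traffic in configuration mode.

```junos
[edit]
firewall {
    /* assumed values: size the limit for the platform and expected session rate */
    policer tcp-syn-policer {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    filter protect-RE {
        /* existing telnet terms stay above this term so untrusted telnet is still rejected */
        term protect-tcp-syn-flooding {
            from {
                protocol tcp;
                /* tcp-initial matches SYN set and ACK clear: new connection attempts only */
                tcp-initial;
            }
            then {
                policer tcp-syn-policer;
                /* counter name is assumed; check it with: show firewall filter protect-RE */
                count tcp-syn-to-re;
                accept;
            }
        }
        term all-traffic {
            then accept;
        }
    }
}
```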
