1 Firewall filter
- Often referred to as an access control list (ACL) by other vendors.
- Firewall filters control the traffic entering and leaving a network device in a stateless fashion.
- Every packet is processed independently.
- Used to filter and monitor network traffic.
- Primarily used to control transit traffic.
- The system does not keep connection state.
- Traffic must therefore be explicitly allowed in both directions.
1.2 Building blocks of firewall filter
- User-defined filter and term names
- A firewall filter requires at least one term
- The software evaluates terms sequentially until it reaches a terminating action
- The from statement describes the matching conditions
- If all the match conditions are true, the filter takes the specified action within the term
- If no match conditions are specified, all traffic matches the term and is subjected to the stated action
- Always use a default term to discard all the traffic that is not explicitly configured to pass through (the filter ends with an implicit discard anyway, but an explicit final term lets you log or count what is dropped)
                    }
                    172.27.102.0/24;
                }
            }
            then {
                log;
                discard;
            }
        }
        term else-accept {
            then accept;
        }
    }
[edit firewall]
user@router# top edit interfaces ge-0/0/1
user@router# set unit 0 family inet filter output output-ff
user@router# set unit 0 family inet address 172.30.25.2/30
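The term semantics above (sequential evaluation, first match wins, a term without from matches everything, implicit discard at the end, and the need to permit the reverse direction because no state is kept) as an added, runnable model. This is example code written for these notes, not Junos software or configuration from the original; the filter and term names, the 10.1.1.0/24 inside prefix, the port numbers and the two sample packets are all assumed.

```python
"""Stateless firewall-filter evaluation modelled on Junos terms.

Added example, not configuration from the original notes. Filter names,
term names, prefixes and ports below are assumed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str            # "tcp", "udp", "icmp", ...
    src_port: int = 0
    dst_port: int = 0


@dataclass
class Term:
    """One term: optional 'from' match conditions plus a terminating 'then' action."""
    name: str
    action: str = "accept"                       # a term with no action accepts (Junos default)
    source_address: Optional[list[str]] = None   # several values in one condition are OR'ed
    destination_address: Optional[list[str]] = None
    protocol: Optional[list[str]] = None
    source_port: Optional[list[int]] = None
    destination_port: Optional[list[int]] = None
    log: bool = False

    def matches(self, pkt: Packet) -> bool:
        """All configured conditions must hold (AND across conditions).
        A term that configures no 'from' conditions matches every packet."""
        conditions = [
            (self.source_address,
             lambda v: any(ip_address(pkt.src) in ip_network(p) for p in v)),
            (self.destination_address,
             lambda v: any(ip_address(pkt.dst) in ip_network(p) for p in v)),
            (self.protocol, lambda v: pkt.protocol in v),
            (self.source_port, lambda v: pkt.src_port in v),
            (self.destination_port, lambda v: pkt.dst_port in v),
        ]
        return all(test(values) for values, test in conditions if values is not None)


def evaluate(terms: list[Term], pkt: Packet) -> tuple[str, str]:
    """Walk the terms in order; the first match decides and evaluation stops.
    Returns (action, term_name). A packet matching no term hits the implicit discard."""
    for term in terms:
        if term.matches(pkt):
            return term.action, term.name
    return "discard", "<implicit>"


LAN = "10.1.1.0/24"   # assumed inside prefix

# Lets LAN hosts open HTTPS sessions; the final term has no 'from', so it
# matches everything left over and logs what it discards.
OUTBOUND_ONLY = [
    Term("allow-https-out", "accept", source_address=[LAN],
         protocol=["tcp"], destination_port=[443]),
    Term("default-discard", "discard", log=True),
]

# No connection state is kept, so if the same filter also sees the replies,
# the reverse direction needs its own explicit term.
BOTH_DIRECTIONS = [
    OUTBOUND_ONLY[0],
    Term("allow-https-return", "accept", destination_address=[LAN],
         protocol=["tcp"], source_port=[443]),
    OUTBOUND_ONLY[1],
]

# Constructed sample traffic: one HTTPS request and its reply.
REQUEST = Packet("10.1.1.10", "203.0.113.5", "tcp", src_port=40000, dst_port=443)
REPLY = Packet("203.0.113.5", "10.1.1.10", "tcp", src_port=443, dst_port=40000)

if __name__ == "__main__":
    for label, flt in (("outbound-only", OUTBOUND_ONLY), ("both-directions", BOTH_DIRECTIONS)):
        for pkt in (REQUEST, REPLY):
            print(f"{label:16} {pkt.src}:{pkt.src_port} -> {pkt.dst}:{pkt.dst_port}  "
                  f"{evaluate(flt, pkt)}")
```

With OUTBOUND_ONLY the request is accepted by allow-https-out while the reply falls through to default-discard; only BOTH_DIRECTIONS passes the reply. Dropping the final term shows the implicit discard doing the same job silently, which is why the notes recommend an explicit default term.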
4.3 Policing
- Policing (rate limiting) lets you limit the amount of traffic that passes into or out of an interface
- Works together with firewall filters to mitigate DoS attacks
- Common actions include discard and setting the loss-priority level
- Uses an average bandwidth and a maximum burst size:
  bandwidth-limit - in bits per second (100 Mbps = 100,000,000)
  burst-size-limit - in bytes
  Calculation: burst size = bandwidth (100,000,000) x allowable burst time (5/1000)
  = 500,000 bits
  = 500,000 / 8 = 62,500 bytes
- The following firewall filter polices all TCP traffic that exceeds 100 Mbps with a 62,500-byte burst size. Traffic within the limits is accepted in the assured-forwarding class; traffic that exceeds them is placed in the best-effort forwarding class instead of being discarded.
[edit firewall]
user@router# show
family inet {
    filter example1 {
        term policer-example {
            from {
                protocol tcp;
            }
            then {
                policer class-example;
                forwarding-class assured-forwarding;
                accept;
            }
        }
    }
}
policer class-example {
    if-exceeding {
        bandwidth-limit 100m;
        burst-size-limit 62500;
    }
    then forwarding-class best-effort;
}
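The burst-size arithmetic and the behaviour of the policer above, as an added token-bucket model. This is example code written for these notes, not Junos code; the three traffic phases (a back-to-back burst, a stream at exactly the configured rate, a stream at twice the rate) are constructed to show when the if-exceeding action fires.

```python
"""Single-rate policer modelled as a token bucket, with the burst-size
arithmetic from the notes. Added example, not Junos code; the traffic
pattern is constructed.
"""


def burst_size_bytes(bandwidth_bps: int, burst_ms: float) -> int:
    """burst = bandwidth x allowable burst time, then bits -> bytes."""
    return int(bandwidth_bps * burst_ms / 1000 / 8)


class Policer:
    """Bucket holds up to burst_size tokens (bytes) and refills at bandwidth_bps.
    A packet is in profile if enough tokens are present; otherwise the
    if-exceeding action applies (re-mark to best-effort here, not a drop)."""

    def __init__(self, bandwidth_bps: int, burst_size: int, exceed_action: str = "best-effort"):
        self.rate_bytes_per_s = bandwidth_bps / 8
        self.capacity = burst_size
        self.tokens = float(burst_size)   # the bucket starts full
        self.last_t = 0.0
        self.exceed_action = exceed_action

    def offer(self, t: float, size: int) -> str:
        # refill in proportion to elapsed time, never above the bucket size
        self.tokens = min(self.capacity, self.tokens + (t - self.last_t) * self.rate_bytes_per_s)
        self.last_t = t
        if size <= self.tokens:
            self.tokens -= size
            return "in-profile"
        return self.exceed_action


def run_scenario(bandwidth_bps: int = 100_000_000, burst_ms: float = 5.0, mtu: int = 1500) -> dict:
    """Three constructed phases of MTU-sized packets against the policer.
    Returns {phase: (in_profile_count, exceeding_count)}."""
    burst = burst_size_bytes(bandwidth_bps, burst_ms)      # 62500 for 100 Mbps and 5 ms
    policer = Policer(bandwidth_bps, burst)
    results = {}

    def phase(name, arrival_times):
        counts = {"in-profile": 0, policer.exceed_action: 0}
        for t in arrival_times:
            counts[policer.offer(t, mtu)] += 1
        results[name] = (counts["in-profile"], counts[policer.exceed_action])

    per_packet = mtu * 8 / bandwidth_bps                   # 120 us per 1500-byte packet at 100 Mbps
    # 1) 50 packets back to back at t=0: only the bucket can absorb them (62500 // 1500 = 41)
    phase("burst", [0.0] * 50)
    # 2) 100 packets at exactly the configured rate: the refill keeps pace
    phase("line-rate", [i * per_packet for i in range(1, 101)])
    # 3) 100 packets at twice the rate: every second packet exceeds
    start = 100 * per_packet
    phase("double-rate", [start + j * per_packet / 2 for j in range(1, 101)])
    return results


if __name__ == "__main__":
    for name, (ok, exceeded) in run_scenario().items():
        print(f"{name:12} in-profile={ok:3}  best-effort={exceeded:3}")
```

The burst phase shows what burst-size-limit buys: 41 full-size packets pass instantly and the rest are re-marked, even though the long-term rate is zero. Changing the bandwidth argument to 10,000,000 gives a 6,250-byte bucket, the value the original "10 Mbps" wording would have implied, which is too small for even five full-size frames.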
5.1 Unicast RPF Check
- The unicast reverse path forwarding (RPF) check validates that a packet arrived on an interface where the Junos OS would expect to receive traffic from that source address
- Activating this feature increases PFE memory usage
- Strict (default) - accept the packet if
  - the packet's source address matches an active route, and
  - the next hop of the active route uses the interface on which the packet arrived
- Loose - accept the packet if
  - the packet's source address matches a prefix in the routing table
  - if a default route is present, every source address matches, so loose mode then drops nothing
5.2 Active versus feasible paths (strict mode)
- By default the software checks only active paths to a prefix, which can cause drops when multiple paths exist
- Enable the option to consider all feasible paths (for example with asymmetric routing, where the forward and reverse paths differ)
user@router# edit routing-options
user@router# show
forwarding-table {
    unicast-reverse-path feasible-path;
}
- Configure the RPF check only on edge devices
5.3 Fail Filter
- Lets you accept, log, or count traffic that the RPF check would otherwise drop
- Required to permit DHCP or BOOTP traffic, whose 0.0.0.0 source address fails the RPF check
user@router# edit firewall family inet
user@router# set filter rpf-dhcp term dhcp from source-address 0.0.0.0/32
user@router# set filter rpf-dhcp term dhcp from destination-address 255.255.255.255/32
(Term name assumed as dhcp; the notes omit it. A term with no then action accepts, and the filter's implicit final discard still drops every other packet that failed the RPF check.)
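Sections 5.1 to 5.3 together, as an added decision model: strict versus loose mode, active-only versus feasible paths, and a fail filter that rescues DHCP. This is example code written for these notes, not Junos code; the routing table, interface names and packets are constructed, and dhcp_fail_filter models the rpf-dhcp filter above (in Junos it would be attached with rpf-check fail-filter under family inet on the interface).

```python
"""Unicast RPF decision logic: strict vs loose mode, active-only vs feasible
paths, and a fail filter that rescues DHCP. Added example with a constructed
routing table and interface names; not Junos code.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional


@dataclass(frozen=True)
class Route:
    prefix: str
    interface: str        # outgoing interface of this path's next hop
    active: bool = True   # False: a feasible path that is not currently selected


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ingress: str          # interface the packet arrived on


def routes_to(table: list[Route], src: str) -> list[Route]:
    """All paths (active and feasible) for the longest prefix covering src."""
    addr = ip_address(src)
    covering = [r for r in table if addr in ip_network(r.prefix)]
    if not covering:
        return []
    best = max(ip_network(r.prefix).prefixlen for r in covering)
    return [r for r in covering if ip_network(r.prefix).prefixlen == best]


def rpf_passes(table: list[Route], pkt: Packet, mode: str = "strict",
               feasible_paths: bool = False) -> bool:
    routes = routes_to(table, pkt.src)
    if mode == "loose":
        # any route to the source is enough; a default route therefore matches everything
        return bool(routes)
    # strict: the source must route back out the interface the packet came in on
    candidates = routes if feasible_paths else [r for r in routes if r.active]
    return any(r.interface == pkt.ingress for r in candidates)


def dhcp_fail_filter(pkt: Packet) -> str:
    """Model of the assumed rpf-dhcp filter: DHCP discover (0.0.0.0 -> 255.255.255.255)
    is accepted; everything else hits the filter's implicit discard."""
    if pkt.src == "0.0.0.0" and pkt.dst == "255.255.255.255":
        return "accept"
    return "discard"


def rpf_decision(table: list[Route], pkt: Packet, mode: str = "strict",
                 feasible_paths: bool = False,
                 fail_filter: Optional[Callable[[Packet], str]] = None) -> str:
    """Packets that pass RPF continue; failures are dropped unless a fail filter accepts them."""
    if rpf_passes(table, pkt, mode, feasible_paths):
        return "accept"
    return fail_filter(pkt) if fail_filter else "discard"


# Constructed table of an edge router: default route toward the upstream, two
# customers, customer B reachable over two paths (asymmetric routing).
TABLE = [
    Route("0.0.0.0/0", "ge-0/0/0"),
    Route("192.0.2.0/24", "ge-0/0/1"),
    Route("198.51.100.0/24", "ge-0/0/2"),
    Route("198.51.100.0/24", "ge-0/0/3", active=False),
]

# Constructed packets
SPOOFED = Packet("192.0.2.7", "198.51.100.1", "ge-0/0/0")      # customer A source arriving from upstream
LEGIT = Packet("192.0.2.7", "198.51.100.1", "ge-0/0/1")
ASYMMETRIC = Packet("198.51.100.9", "192.0.2.1", "ge-0/0/3")   # arrives over the feasible path
BOGON = Packet("240.0.0.1", "192.0.2.1", "ge-0/0/1")           # only the default route covers it
DHCP = Packet("0.0.0.0", "255.255.255.255", "ge-0/0/1")

if __name__ == "__main__":
    for label, pkt in (("spoofed", SPOOFED), ("legit", LEGIT), ("asymmetric", ASYMMETRIC),
                       ("bogon", BOGON), ("dhcp", DHCP)):
        print(f"{label:10} strict={rpf_passes(TABLE, pkt)!s:5} "
              f"feasible={rpf_passes(TABLE, pkt, feasible_paths=True)!s:5} "
              f"loose={rpf_passes(TABLE, pkt, mode='loose')!s:5} "
              f"strict+fail-filter={rpf_decision(TABLE, pkt, fail_filter=dhcp_fail_filter)}")
```

Two results are worth noting: the asymmetric packet is dropped in strict mode until feasible paths are considered, which is the 5.2 knob; and the bogon passes loose mode purely because the default route exists, which is the caveat in 5.1. The DHCP discover fails strict RPF (0.0.0.0 only matches the default route, pointing at the wrong interface) and is accepted only because the fail filter matches it.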