Filtering Traffic Transiting the Router


For traffic transiting through the router, you want to accept packets only from trusted hosts and routers.


Create a firewall filter for all incoming traffic to the router that will be used on interfaces facing the Internet. The filter contains a number of terms for different types of packets and for specific addresses.

The first term discards unwanted traffic from specific addresses:

	[edit firewall incoming-to-me]
	aviva@RouterF# set term reject-addresses from source-address
	aviva@RouterF# set term reject-addresses from source-address
	aviva@RouterF# set term reject-addresses then discard

The second term accepts traffic from BGP peers:

	[edit firewall filter incoming-to-me]
	aviva@RouterF# set term bgp-peers from destination-address
	aviva@RouterF# set term bgp-peers from protocol tcp
	aviva@RouterF# set term bgp-peers from port bgp
	aviva@RouterF# set term bgp-peers from tcp-established
	aviva@RouterF# set term bgp-peers then accept

The third term accepts all ICMP traffic:

	[edit firewall filter incoming-to-me ]
	aviva@RouterF# set term icmp from protocol icmp 
	aviva@RouterF# set term icmp then accept 

The last term accepts all other packets:

	[edit firewall filter incoming-to-me ]
	aviva@RouterF# set term final-accept then accept 

For the filter to take effect, apply it to an Internet-facing interface:

	[edit interfaces t1-0/0/3 ]
	aviva@RouterF# set unit 0 family inet filter input incoming-to-me 



There are two basic ways to design a firewall filter. One way is to block packets and traffic that the router shouldn't receive and accept everything else, which is how the filter in this recipe operates. This type of filter design is fairly intuitive and, as you can see from this recipe, these filters are reasonably short and fairly easy to configure. One downside to this approach is that if you forget to block a particular type of traffic, you are opening yourself up to security breaches. The second design philosophy, of accepting only desired traffic and blocking everything else, is discussed in Recipe 9.15.

This recipe is for an EBGP edge router that connects to the Internet. The filter is very straightforward, accepting all packets except for traffic coming from a few IP prefixes.

Firewall filter terms are evaluated in order, so place the terms at the beginning of the filter that you want executed first. The first term in this recipe, reject-addresses, looks for packets from two networks that you never want to accept traffic from and immediately discards them, dropping them without sending any notification to the sender. Placing this term at the top of the filter improves the packet-processing efficiency of the interface.

The second term, bgp-peers, accepts BGP traffic only from the specified peer. The conditions in this term look for TCP protocol traffic from the BGP port and match TCP connections that have been established. Again, all BGP traffic is accepted by the final term, so including a separate term for the router's BGP peer just speeds up the processing of traffic from the peer.

The final term, ospf, accepts all OSPF traffic. You might wonder why you need this term when the final term will also accept OSPF traffic. The only reason to do this is that you want OSPF traffic to be handled more quickly than the other remaining traffic. If other operations on your network are time-critical, include them early in the filter. If you are going to apply this filter to a high-speed interface or to traffic flowing at a high rate, you gain efficiency from this type of firewall filter design.

The last term in the filter accepts all other traffic. It is important to note that you must be very cognizant of what you are enabling and what the other protocols are that run on the router when you design firewall filters that, as a last term, accept all other traffic. While this example illustrates a way to design filters that is easy and intuitive, it is generally better practice to explicitly accept what you want and discard everything else. Recipe 9.15 illustrates this firewall filter design approach.

As the last step in the configuration, apply the filter to an interface, here the t1-0/0/3 interface. The set filter input command applies the filter to incoming traffic. To apply a filter to traffic going out of the interface, use the set filter output command.

Here's the entire configuration to show all the contents together:

	[edit firewall]
	aviva@RouterF# show
	filter incoming-to-me {
	 term reject-addresses {
	 from {
	 source-address {;;
	 then {
	 term ospf {
	 from {
	 protocol ospf;
	 then accept;
	 term bgp-peers {
	 from {
	 destination-address {;
	 protocol tcp;
	 port bgp;
	 then accept;
	 term final-accept {
	 then accept;
	[edit interfaces]
	t1-0/0/3 {
	 unit 0 {
	 family inet {
	 filter {
	 input incoming-to-me;

Use the show interfaces command to check that the filter is configured:

	aviva@RouterF> show interfaces t1-0/0/3.0 detail
	 Logical interface t1-0/0/3.0 (Index 70) (SNMP ifIndex 40) (Generation 24)
	 Flags: Point-To-Point SNMP-Traps Encapsulation: PPP
	 Protocol inet, MTU: 1500, Generation: 31, Route table: 0
	 Flags: None
	 Filters: Input: incoming-to-me
	 Addresses, Flags: Is-Preferred Is-Primary
	 Destination: 10.0.31/24, Local:, Broadcast:,
	 Generation: 63

Looking at the logical interface, which is where information about the address family is displayed, you can see which firewall filters are applied to the interface.

See Also

Recipe 9.15

Router Configuration and File Management

Basic Router Security and Access Control





Router Interfaces

IP Routing

Routing Policy and Firewall Filters







IP Multicast

JUNOS Cookbook
Junos Cookbook (Cookbooks (OReilly))
ISBN: 0596100140
EAN: 2147483647
Year: 2007
Pages: 290
Authors: Aviva Garrett © 2008-2020.
If you may any questions please contact us: