Reordering Firewall Terms

Problem

You want to change the order of terms in a firewall filter.

Solution

Use the CLI insert command to rearrange the terms in a firewall filter:

	[edit firewall filter incoming-to-me ]
	aviva@RouterF# insert term restrict-bgp before term restrict-telnet-ssh 

 

Discussion

One difference between routing policies and firewall filters is that while you can apply several routing policies to a routing protocol, chaining them together as necessary, you can apply only one incoming and one outgoing firewall filter to an interface. This means that firewall filters generally contain a large number of terms.

As with routing policies, the order of the terms in a firewall filter is significant. Packets are tested against each term in the order. For performance and packet-handling efficiency, design each filter so the most important or time-critical packets are processed first. When you add a term to an existing filter, it appears at the end:

	[edit firewall filter incoming-to-me]
	aviva@router1# set term restrict-bgp from protocol tcp
	aviva@router1# set term restrict-bgp from port bgp
	aviva@router1# set term restrict-bgp from source-address 10.0.31.0/24
	aviva@router1# set term restrict-bgp then accept
	aviva@router1# show
	term restrict-telnet-ssh {
	 from {
	 source-address {
	 10.0.0.0/8;
	 }
	 protocol tcp;
	 destination-port [ telnet ssh ];
	 }
	 then accept;
	}
	term restrict-bgp {
	 from {
	 source-address {
	 10.0.31.0/24;
	 }
	 protocol tcp;
	 port bgp;
	 }
	 then accept;
	}

Use the insert command to rearrange the terms. The command in this recipe moves the restrict-bgp term so that it precedes the restrict-telnet-ssh term. Check that the order is what you expect:

	[edit firewall filter incoming-to-me ]
	aviva@RouterF# show 
	term restrict-bgp {
	 from {
	 source-address {
	 10.0.31.0/24;
	 }
	 protocol tcp;
	 port bgp;
	 }
	 then accept;
	}
	term restrict-telnet-ssh {
	 from {
	 source-address {
	 10.0.0.0/8;
	 }
	 protocol tcp;
	 destination-port [ telnet ssh ];
	 }
	 then accept;
	}



Router Configuration and File Management

Basic Router Security and Access Control

IPSec

SNMP

Logging

NTP

Router Interfaces

IP Routing

Routing Policy and Firewall Filters

RIP

IS-IS

OSPF

BGP

MPLS

VPNs

IP Multicast



JUNOS Cookbook
Junos Cookbook (Cookbooks (OReilly))
ISBN: 0596100140
EAN: 2147483647
Year: 2007
Pages: 290
Authors: Aviva Garrett

Similar book on Amazon

Flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net