Protect RE – Configuring the Protect RE Filter
Intro
In this post we will configure firewall filters to control the traffic destined to the Routing Engine (RE). As mentioned in the previous post, Common Network Protocols, we must know how each protocol works, how it is transported through the network, and how it can be matched in a firewall filter. But before starting with the Protect RE configuration, let's quickly review some basic Junos OS firewall filter concepts.
Junos OS Firewall
Firewall filters are stateless filters that can be applied to transit traffic and also to the traffic entering or leaving the router itself. A firewall filter can perform several actions on the traffic that matches its configured rules. We build a firewall filter from one or more (named) terms; each term can include multiple match conditions and one or more actions. If a packet is matched by none of the terms, an implicit rule at the end of the filter discards it. This last rule is hidden and is not displayed in the configuration.
Terms are evaluated sequentially from top to bottom, and the first term that matches decides the fate of the packet: its actions are applied and evaluation stops (unless the term says next term). Actions are either terminating (accept, discard, reject) or non-terminating (count, log, policer); a matched term that has only non-terminating actions accepts the packet, so a term with just a count is effectively an accept. Firewall filters match on different conditions for the different protocol families. If you configure a filter without a protocol family, Junos treats it as a family inet filter matching IPv4 traffic by default.
You can match different conditions in firewall filters, including source or destination IP addresses, IP subnets, Layer 4 protocols, source or destination ports, QoS settings, and many others. Some of the actions applied to the matched traffic include:
- Accept – The packet is accepted.
- Discard – The packet is silently dropped.
- Reject – The packet is dropped and an ICMP message is sent back to the source. For RE protection, discard is usually preferred so the router does not answer scans.
- Policer – A rate limit is applied to the matching traffic.
- Log – The packet header is logged in a buffer on the Packet Forwarding Engine (PFE), which you can read with show firewall log.
- Count – The matching packets are counted in a named counter, visible with show firewall.
If you want to read more about firewall filters, start with the official Juniper documentation, Firewall Filters Overview, and follow the related links from there.
Protect RE configuration
Let's dive in.
We will start by configuring an IPv4 firewall filter that allows the following protocols: BFD, VRRP, OSPF and LDP. Already here we can see that the configuration differs between protocols because of the way they operate. BFD runs over UDP (port 3784 for single-hop control packets, 3785 for echo, 6784 for micro-BFD on LAG members; multihop BFD uses 4784 and must be added if you run it), VRRP and OSPF are their own IP protocols with no ports at all, and LDP needs both UDP (hellos) and TCP (sessions) on port 646:
set firewall family inet filter RE-PROTECT term BFD from protocol udp
set firewall family inet filter RE-PROTECT term BFD from port 3784
set firewall family inet filter RE-PROTECT term BFD from port 3785
set firewall family inet filter RE-PROTECT term BFD from port 6784
set firewall family inet filter RE-PROTECT term BFD then accept
#
set firewall family inet filter RE-PROTECT term VRRP from protocol vrrp
set firewall family inet filter RE-PROTECT term VRRP then accept
#
set firewall family inet filter RE-PROTECT term OSPF from protocol ospf
set firewall family inet filter RE-PROTECT term OSPF then accept
#
set firewall family inet filter RE-PROTECT term LDP from protocol udp
set firewall family inet filter RE-PROTECT term LDP from protocol tcp
set firewall family inet filter RE-PROTECT term LDP from port ldp
set firewall family inet filter RE-PROTECT term LDP then accept
Next we configure NTP, but this time we want to accept packets only from specific sources, our NTP servers. Note that port matches either the source or the destination port, so this term covers both replies coming from a server's port 123 and requests sent to the router if it acts as an NTP server itself:
set firewall family inet filter RE-PROTECT term NTP from protocol udp
set firewall family inet filter RE-PROTECT term NTP from port ntp
set firewall family inet filter RE-PROTECT term NTP from source-address 17.0.0.0/24
set firewall family inet filter RE-PROTECT term NTP then accept
The same is needed for SSH, but this time we have multiple sources, so we will use a prefix list instead of listing all the sources in the same term. Because port also matches the source port, replies to SSH sessions opened from the router itself are accepted only if the remote host is in the prefix list as well:
set policy-options prefix-list SSH-SOURCES 17.0.0.0/24
set policy-options prefix-list SSH-SOURCES 17.1.0.0/24
set policy-options prefix-list SSH-SOURCES 17.2.0.0/24
set policy-options prefix-list SSH-SOURCES 18.0.0.0/24
set firewall family inet filter RE-PROTECT term SSH from protocol tcp
set firewall family inet filter RE-PROTECT term SSH from port ssh
set firewall family inet filter RE-PROTECT term SSH from source-prefix-list SSH-SOURCES
set firewall family inet filter RE-PROTECT term SSH then accept
Next is BGP, but we have so many neighbors that we don't want to list all of them in a prefix list by hand; we want a little automation. The apply-path feature automatically adds all configured BGP neighbors to the prefix list, and the list is re-evaluated at every commit, so a new neighbor is covered as soon as it is configured. You can see the expanded list with show configuration policy-options prefix-list BGP-PEERS | display inheritance:
set policy-options prefix-list BGP-PEERS apply-path "protocols bgp group <*> neighbor <*>"
set firewall family inet filter RE-PROTECT term BGP from protocol tcp
set firewall family inet filter RE-PROTECT term BGP from port bgp
set firewall family inet filter RE-PROTECT term BGP from source-prefix-list BGP-PEERS
set firewall family inet filter RE-PROTECT term BGP then accept
We also need to permit ping, but limit the ICMP traffic that reaches the RE. For this we need a policer. Note the units: bandwidth-limit is in bits per second and burst-size-limit is in bytes. The policer action is non-terminating, so the term also needs accept; traffic within the limit is accepted and the excess is discarded by the policer:
set firewall policer RE-POLICER if-exceeding bandwidth-limit 500k
set firewall policer RE-POLICER if-exceeding burst-size-limit 100k
set firewall policer RE-POLICER then discard
set firewall family inet filter RE-PROTECT term ICMP from protocol icmp
set firewall family inet filter RE-PROTECT term ICMP then policer RE-POLICER
set firewall family inet filter RE-PROTECT term ICMP then accept
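The policer is a token bucket, and it helps to see the two numbers work together. The Python model below is added here as an example written for this post (it is not Junos code): the bucket refills at bandwidth-limit bits per second and holds at most burst-size-limit bytes, and a packet passes only if the bucket holds at least its size. Fed a constructed ping flood, it shows why a burst of slightly more than 100 kB gets through before the policer settles at the 62.5 kB/s refill rate, while a normal one-ping-per-second monitor is never touched. Packet sizes and timings are invented for the example; platform details of real Junos policers (frame-size accounting, colour marking) are not modelled.

```python
"""Token-bucket model of the RE-POLICER above, added to this post as example
code (it is not Junos). bandwidth-limit is the refill rate in bits per
second and burst-size-limit is the bucket depth in bytes: a packet passes
only if the bucket holds at least its size, otherwise 'then discard' fires.
Junos policers have platform details (frame-size accounting, colour marking)
that are not modelled; Fraction keeps the arithmetic exact."""
from fractions import Fraction


class Policer:
    def __init__(self, bandwidth_limit_bps, burst_size_limit_bytes):
        self.rate = Fraction(bandwidth_limit_bps, 8)    # refill, in bytes per second
        self.depth = burst_size_limit_bytes             # bucket depth, in bytes
        self.tokens = Fraction(burst_size_limit_bytes)  # bucket starts full
        self.last_ms = 0
        self.accepted = self.discarded = 0

    def offer(self, t_ms, size_bytes):
        """Offer one packet of size_bytes at time t_ms; True if it is let through."""
        elapsed = Fraction(t_ms - self.last_ms, 1000)
        self.tokens = min(self.depth, self.tokens + self.rate * elapsed)
        self.last_ms = t_ms
        if self.tokens >= size_bytes:
            self.tokens -= size_bytes
            self.accepted += 1
            return True
        self.discarded += 1   # this is the policer's 'then discard'
        return False


def run(packets, bandwidth_limit_bps=500_000, burst_size_limit_bytes=100_000):
    """Feed (time_ms, size_bytes) packets through RE-POLICER; returns (accepted, discarded)."""
    p = Policer(bandwidth_limit_bps, burst_size_limit_bytes)
    for t_ms, size in packets:
        p.offer(t_ms, size)
    return p.accepted, p.discarded


# Constructed traffic. Normal monitoring: one 100-byte ping per second.
NORMAL_PINGS = [(1000 * i, 100) for i in range(10)]
# Ping flood: 1000 packets of 1000 bytes within one second, i.e. 8 Mbit/s at the RE.
PING_FLOOD = [(i, 1000) for i in range(1000)]

if __name__ == "__main__":
    print("normal pings:", run(NORMAL_PINGS))  # all ten pass
    print("ping flood  :", run(PING_FLOOD))    # ~100 kB of burst plus the refill pass, the rest is dropped
```

With the post's values the flood result is 162 packets accepted and 838 discarded: the first 106 drain the 100 kB burst allowance, after which one 1000-byte packet is let through for every 16 ms of refill. Lowering burst-size-limit shortens the initial burst; lowering bandwidth-limit spreads out what survives it.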
The default action at the end of the filter is to discard all other packets. Even though this action is implicit, we usually want more than a silent drop, so it is common to explicitly configure a catch-all last term:
set firewall family inet filter RE-PROTECT term DEFAULT then count DEFAULT-DISCARDS
set firewall family inet filter RE-PROTECT term DEFAULT then log
set firewall family inet filter RE-PROTECT term DEFAULT then discard
We can see that this last term has no from statement, so it matches all packets (all those not matched by a previous term). Additionally, the count statement counts how many packets we are discarding (visible with show firewall filter RE-PROTECT), and the log statement records each packet header in the firewall log (show firewall log); this gives us visibility into the traffic that is hitting the default action, which is exactly where to look when a protocol stops working after the filter is applied.
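To make the evaluation rules from the overview concrete against the filter we just built, here is a small Python model of how Junos walks the terms. It is added example code written for this post, not Junos itself and not the original author's code: it parses a constructed subset of RE-PROTECT (the OSPF, BGP, NTP and DEFAULT terms, plus two invented BGP neighbors, 10.0.0.2 and 192.0.2.9), expands the BGP-PEERS apply-path the way Junos does at commit, and runs a few constructed packets through the filter. It reproduces the behaviour that trips people up most often: port matching either the source or the destination port, a term with no from matching everything, and the implicit discard when nothing matches.

```python
"""Toy model of a Junos 'family inet' firewall filter, added to this post as
example code (not Junos). It parses a constructed subset of RE-PROTECT in 'set'
format, expands the BGP-PEERS apply-path from the configured neighbors and runs
sample packets through the terms top-down: first match wins; all 'from' keys of
a term must match (values under one key are ORed); 'port' matches source OR
destination; no 'from' matches everything; a matched term without a terminating
action accepts; no match is the implicit discard. 'log'/'policer' are inert;
'next term' and port ranges are not modelled."""
import ipaddress
from collections import Counter, namedtuple

PORT_NAMES = {"bgp": 179, "ssh": 22, "ntp": 123, "ldp": 646, "domain": 53}
PROTO_NAMES = {"icmp": 1, "tcp": 6, "udp": 17, "ospf": 89, "vrrp": 112}
Packet = namedtuple("Packet", "src proto sport dport", defaults=(0, 0))  # 0 = no L4 port

# Constructed input: two invented BGP neighbors, the apply-path prefix list, four terms.
CONFIG = """
set protocols bgp group IBGP neighbor 10.0.0.2
set protocols bgp group EBGP neighbor 192.0.2.9
set policy-options prefix-list BGP-PEERS apply-path "protocols bgp group <*> neighbor <*>"
set firewall family inet filter RE-PROTECT term OSPF from protocol ospf
set firewall family inet filter RE-PROTECT term OSPF then accept
set firewall family inet filter RE-PROTECT term BGP from protocol tcp
set firewall family inet filter RE-PROTECT term BGP from port bgp
set firewall family inet filter RE-PROTECT term BGP from source-prefix-list BGP-PEERS
set firewall family inet filter RE-PROTECT term BGP then accept
set firewall family inet filter RE-PROTECT term NTP from protocol udp
set firewall family inet filter RE-PROTECT term NTP from port ntp
set firewall family inet filter RE-PROTECT term NTP from source-address 17.0.0.0/24
set firewall family inet filter RE-PROTECT term NTP then accept
set firewall family inet filter RE-PROTECT term DEFAULT then count DEFAULT-DISCARDS
set firewall family inet filter RE-PROTECT term DEFAULT then log
set firewall family inet filter RE-PROTECT term DEFAULT then discard
"""


def parse_config(text):
    """Return (prefix_lists, filters); terms stay in configuration order."""
    lines = [l.split() for l in text.split("\n") if l.startswith("set ")]
    prefix_lists, apply_paths, filters = {}, {}, {}
    for t in lines:
        if t[1:3] == ["policy-options", "prefix-list"] and t[4] == "apply-path":
            apply_paths[t[3]] = " ".join(t[5:]).strip('"').split()
        elif t[1:3] == ["policy-options", "prefix-list"]:
            prefix_lists.setdefault(t[3], []).append(ipaddress.ip_network(t[4]))
        elif t[1:5] == ["firewall", "family", "inet", "filter"]:
            term = filters.setdefault(t[5], {}).setdefault(t[7], {"from": {}, "then": []})
            if t[8] == "from":
                term["from"].setdefault(t[9], []).append(t[10])
            else:
                term["then"].append(t[9:])
    # apply-path: every config line matching the pattern ('<*>' is a wildcard) contributes its last element
    for name, pattern in apply_paths.items():
        prefix_lists[name] = [ipaddress.ip_network(t[-1]) for t in lines
                              if len(t) - 1 == len(pattern)
                              and all(p in ("<*>", x) for p, x in zip(pattern, t[1:]))]
    return prefix_lists, filters


def _port(value):
    return int(PORT_NAMES.get(value, value))  # Junos port names or plain numbers


def _match(key, values, pkt, prefix_lists):
    src = ipaddress.ip_address(pkt.src)
    if key == "protocol":
        return any(int(PROTO_NAMES.get(v, v)) == pkt.proto for v in values)
    if key == "port":  # either direction: this is how NTP replies get in
        return any(_port(v) in (pkt.sport, pkt.dport) for v in values)
    if key == "source-address":
        return any(src in ipaddress.ip_network(v) for v in values)
    if key == "source-prefix-list":
        return any(src in net for v in values for net in prefix_lists[v])
    raise ValueError(f"match condition not modelled: {key}")


def evaluate(terms, pkt, prefix_lists, counters):
    """One packet through one filter -> (action, term); (discard, None) is the implicit rule."""
    for name, term in terms.items():
        if not all(_match(k, v, pkt, prefix_lists) for k, v in term["from"].items()):
            continue
        for action in term["then"]:
            if action[0] == "count":  # non-terminating: bump the named counter
                counters[action[1]] += 1
            elif action[0] in ("accept", "discard", "reject"):
                return action[0], name  # terminating: evaluation stops here
        return "accept", name  # matched, but no terminating action configured
    return "discard", None


SAMPLES = {  # constructed traffic: source, IP protocol, source port, destination port
    "ospf hello": Packet("10.0.0.3", 89),
    "bgp from configured peer": Packet("10.0.0.2", 6, 40001, 179),
    "bgp from unknown host": Packet("203.0.113.7", 6, 40001, 179),
    "ntp reply, source port 123": Packet("17.0.0.10", 17, 123, 50000),
    "snmp from management, no term": Packet("17.0.0.5", 17, 50000, 161),
}


def run_samples(config=CONFIG):
    prefix_lists, filters = parse_config(config)
    counters = Counter()
    verdicts = {label: evaluate(filters["RE-PROTECT"], p, prefix_lists, counters)
                for label, p in SAMPLES.items()}
    return verdicts, counters
```

Running run_samples() gives accept for the OSPF hello, the BGP SYN from 10.0.0.2 and the NTP reply whose source port is 123, and discard in term DEFAULT for the BGP attempt from 203.0.113.7 and for the SNMP packet that has no term at all; DEFAULT-DISCARDS ends at 2. Strip the DEFAULT term from CONFIG and the same SNMP packet still disappears, but now silently, with no counter to tell you why.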
Apply the Protect RE filter
Even with all the configuration we have seen until now, there is still zero protection on the router. All of this is for nothing if we don't apply the firewall filter. To do this, we apply it as an input filter on the loopback interface, which catches all traffic destined to the RE regardless of the interface it arrived on. A mistake here can lock you out of the router, so use commit confirmed and check the counters and the firewall log before confirming:
set interfaces lo0 unit 0 family inet filter input RE-PROTECT
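A quick pre-commit check catches the mistake this section warns about, and two others that bite just as often: no explicit catch-all discard at the end of the filter, and a management term that accepts from any source. The Python script below is an added example written for this post, not a Junos feature or anything from the original author; the set of management ports it looks for and the two configurations it audits are assumptions constructed for the example.

```python
"""Pre-commit sanity check for a Protect-RE configuration in 'set' format,
added to this post as example code (not a Junos feature). It flags the
mistakes this section warns about: a filter that is defined but never applied
as 'family inet filter input' on lo0, a filter whose last term is not an
explicit catch-all (no 'from') ending in 'then discard', and a term that
accepts a management port (assumed here: ssh/22 and telnet/23) from any source."""

MANAGEMENT_PORTS = {"ssh", "22", "telnet", "23"}  # assumption made for this check


def audit(config_text):
    """Return a list of findings; an empty list means all three checks pass."""
    lines = [l.split() for l in config_text.split("\n") if l.startswith("set ")]
    applied_on_lo0 = {t[-1] for t in lines
                      if t[1] == "interfaces" and t[2].split(".")[0] == "lo0"
                      and t[-3:-1] == ["filter", "input"]}
    terms = {}  # (filter, term) -> its 'from'/'then' statements; dict order = config order
    for t in lines:
        if t[1:5] == ["firewall", "family", "inet", "filter"]:
            terms.setdefault((t[5], t[7]), []).append(t[8:])
    findings = []
    for f in dict.fromkeys(f for f, _ in terms):  # each filter once, in order
        if f not in applied_on_lo0:
            findings.append(f"{f}: defined but never applied as input filter on lo0")
        last, stmts = [(n, s) for (ff, n), s in terms.items() if ff == f][-1]
        if any(s[0] == "from" for s in stmts) or ["then", "discard"] not in stmts:
            findings.append(f"{f} term {last}: last term is not a catch-all 'then discard'")
    for (f, n), stmts in terms.items():
        mgmt = any(s[:2] == ["from", "port"] and s[2] in MANAGEMENT_PORTS for s in stmts)
        restricted = any(s[:2] in (["from", "source-address"], ["from", "source-prefix-list"])
                         for s in stmts)
        if mgmt and ["then", "accept"] in stmts and not restricted:
            findings.append(f"{f} term {n}: accepts a management port from any source")
    return findings


# Constructed configurations. GOOD follows this post; BAD forgets the lo0 apply,
# leaves SSH open to the world and ends the filter with an accept term.
GOOD = """
set policy-options prefix-list SSH-SOURCES 17.0.0.0/24
set firewall family inet filter RE-PROTECT term SSH from protocol tcp
set firewall family inet filter RE-PROTECT term SSH from port ssh
set firewall family inet filter RE-PROTECT term SSH from source-prefix-list SSH-SOURCES
set firewall family inet filter RE-PROTECT term SSH then accept
set firewall family inet filter RE-PROTECT term DEFAULT then count DEFAULT-DISCARDS
set firewall family inet filter RE-PROTECT term DEFAULT then discard
set interfaces lo0 unit 0 family inet filter input RE-PROTECT
"""
BAD = """
set firewall family inet filter RE-PROTECT term SSH from protocol tcp
set firewall family inet filter RE-PROTECT term SSH from port ssh
set firewall family inet filter RE-PROTECT term SSH then accept
set firewall family inet filter RE-PROTECT term ICMP from protocol icmp
set firewall family inet filter RE-PROTECT term ICMP then accept
"""

if __name__ == "__main__":
    for finding in audit(BAD):
        print(finding)
```

Feed it the output of show configuration | display set before you commit; the lo0 check accepts both the lo0 unit 0 and the lo0.0 forms of the apply line.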
Sample Protect-RE filter
In this section you will find a full sample config that provides basic protection for your router. There is more to say about the Protect-RE filter, and there are a few more advanced configurations that can enhance the router protection, but that can be part of a future post.
Full sample config:
set policy-options prefix-list BGP-PEERS apply-path "protocols bgp group <*> neighbor <*>"
set policy-options prefix-list SSH-SOURCES 17.0.0.0/24
set policy-options prefix-list SSH-SOURCES 17.1.0.0/24
set policy-options prefix-list SSH-SOURCES 17.2.0.0/24
set policy-options prefix-list SSH-SOURCES 18.0.0.0/24
set firewall family inet filter RE-PROTECT term BFD from protocol udp
set firewall family inet filter RE-PROTECT term BFD from port 3784
set firewall family inet filter RE-PROTECT term BFD from port 3785
set firewall family inet filter RE-PROTECT term BFD from port 6784
set firewall family inet filter RE-PROTECT term BFD then accept
set firewall family inet filter RE-PROTECT term VRRP from protocol vrrp
set firewall family inet filter RE-PROTECT term VRRP then accept
set firewall family inet filter RE-PROTECT term OSPF from protocol ospf
set firewall family inet filter RE-PROTECT term OSPF then accept
set firewall family inet filter RE-PROTECT term LDP from protocol tcp
set firewall family inet filter RE-PROTECT term LDP from protocol udp
set firewall family inet filter RE-PROTECT term LDP from port ldp
set firewall family inet filter RE-PROTECT term LDP then accept
set firewall family inet filter RE-PROTECT term BGP from protocol tcp
set firewall family inet filter RE-PROTECT term BGP from port bgp
set firewall family inet filter RE-PROTECT term BGP from source-prefix-list BGP-PEERS
set firewall family inet filter RE-PROTECT term BGP then accept
set firewall family inet filter RE-PROTECT term NTP from protocol udp
set firewall family inet filter RE-PROTECT term NTP from port ntp
set firewall family inet filter RE-PROTECT term NTP from source-address 17.0.0.0/24
set firewall family inet filter RE-PROTECT term NTP then accept
set firewall family inet filter RE-PROTECT term RADIUS from protocol udp
set firewall family inet filter RE-PROTECT term RADIUS from port radius
set firewall family inet filter RE-PROTECT term RADIUS from source-address 17.0.0.0/24
set firewall family inet filter RE-PROTECT term RADIUS then accept
set firewall family inet filter RE-PROTECT term DNS from protocol udp
set firewall family inet filter RE-PROTECT term DNS from port domain
set firewall family inet filter RE-PROTECT term DNS from source-address 17.0.0.0/24
set firewall family inet filter RE-PROTECT term DNS then accept
set firewall family inet filter RE-PROTECT term SSH from protocol tcp
set firewall family inet filter RE-PROTECT term SSH from port ssh
set firewall family inet filter RE-PROTECT term SSH from source-prefix-list SSH-SOURCES
set firewall family inet filter RE-PROTECT term SSH then accept
set firewall family inet filter RE-PROTECT term ICMP from protocol icmp
set firewall family inet filter RE-PROTECT term ICMP then policer RE-POLICER
set firewall family inet filter RE-PROTECT term ICMP then accept
set firewall family inet filter RE-PROTECT term TRACERT from protocol udp
set firewall family inet filter RE-PROTECT term TRACERT from port 33434-33534
set firewall family inet filter RE-PROTECT term TRACERT then policer RE-POLICER
set firewall family inet filter RE-PROTECT term TRACERT then accept
set firewall family inet filter RE-PROTECT term DEFAULT then count DEFAULT-DISCARDS
set firewall family inet filter RE-PROTECT term DEFAULT then log
set firewall family inet filter RE-PROTECT term DEFAULT then discard
set firewall policer RE-POLICER if-exceeding bandwidth-limit 500k
set firewall policer RE-POLICER if-exceeding burst-size-limit 100k
set firewall policer RE-POLICER then discard
set interfaces lo0 unit 0 family inet filter input RE-PROTECT
This full sample is a good example of what a complete Protect-RE filter looks like. But it is just an example, and the filter must be adapted to fit your network. You must add the protocols that you use in your network but are missing from the sample (remember that replies to sessions the router itself opens are filtered too), and at the same time remove the protocols that you are not using. Also note that family inet only covers IPv4; if the router has IPv6 addresses, the RE needs a separate family inet6 filter.
External Resources: