Terug naar overzicht

To protect the control plane of your EX series platform from rougue management attempts or overloads, firewall filters can be used. Based on Day One: Securing Routing Engine, this blog shows an example of such a firewall filter.

As the EX series firewall filters options are limited, compared to the MX series, the from ttlthen policerthen log and then count (supported on EX4200) actions are stripped, as explained in techpubs Platform Support for Firewall Filter Match Conditions, Actions, and Action Modifiers on EX Series Switches and Support for Match Conditions and Actions for Loopback Firewall Filters on Switches.

This example filter shows the possibilities of the firewall hierarchy on EX platforms:

set interfaces lo0 unit 0 family inet filter input ex-re-filter

set policy-options prefix-list router-self apply-path "interfaces <*> unit <*> family inet address <*>"

set policy-options prefix-list accept-telnet [...]
set policy-options prefix-list accept-telnet A.B.C.D/24
set policy-options prefix-list accept-telnet E.F.G.H/32
edit policy-options prefix-list accept-telnet
annotate A.B.C.D/24 management-network
annotate E.F.G.H/32 some-host
top

set policy-options prefix-list accept-ssh [...]
set policy-options prefix-list accept-ssh A.B.C.D/24
edit policy-options prefix-list accept-ssh
annotate A.B.C.D/24 management-network
top

set policy-options prefix-list accept-ftp [...]
set policy-options prefix-list accept-ftp A.B.C.D/24
edit policy-options prefix-list accept-ftp
annotate A.B.C.D/24 management-network
top

set policy-options prefix-list accept-snmp [...]
set policy-options prefix-list accept-snmp A.B.C.D/24
set policy-options prefix-list accept-snmp I.J.K.L/32
edit policy-options prefix-list accept-snmp
annotate A.B.C.D/24 management-network
annotate I.J.K.L/32 some-other-host
top

set policy-options prefix-list accept-radius apply-path "system radius-server <*.*>"

set policy-options prefix-list accept-dns apply-path "system name-server <*.*>"

set policy-options prefix-list accept-ntp-peer apply-path "system ntp peer <*.*>"
set policy-options prefix-list accept-ntp-server apply-path "system ntp server <*.*>"

set policy-options prefix-list vrrp-routers 224.0.0.18/32

set policy-options prefix-list bgp-neighbor-v4 apply-path "protocols bgp group <*> neighbor <*.*>"

set policy-options prefix-list ospf-routers 224.0.0.5/32
set policy-options prefix-list ospf-routers 224.0.0.6/32

set firewall family inet filter ex-re-filter term accept-icmp-no-icmp-fragments from is-fragment
set firewall family inet filter ex-re-filter term accept-icmp-no-icmp-fragments from protocol icmp
set firewall family inet filter ex-re-filter term accept-icmp-no-icmp-fragments then discard

set firewall family inet filter ex-re-filter term accept-icmp from protocol icmp
set firewall family inet filter ex-re-filter term accept-icmp from icmp-type echo-reply
set firewall family inet filter ex-re-filter term accept-icmp from icmp-type echo-request
set firewall family inet filter ex-re-filter term accept-icmp from icmp-type time-exceeded
set firewall family inet filter ex-re-filter term accept-icmp from icmp-type unreachable
set firewall family inet filter ex-re-filter term accept-icmp from icmp-type source-quench
set firewall family inet filter ex-re-filter term accept-icmp from icmp-type router-advertisement
set firewall family inet filter ex-re-filter term accept-icmp from icmp-type parameter-problem
set firewall family inet filter ex-re-filter term accept-icmp then accept

set firewall family inet filter ex-re-filter term accept-telnet from source-prefix-list accept-telnet
set firewall family inet filter ex-re-filter term accept-telnet from destination-prefix-list router-self
set firewall family inet filter ex-re-filter term accept-telnet from protocol tcp
set firewall family inet filter ex-re-filter term accept-telnet from destination-port telnet
set firewall family inet filter ex-re-filter term accept-telnet then accept

set firewall family inet filter ex-re-filter term accept-ssh from source-prefix-list accept-ssh
set firewall family inet filter ex-re-filter term accept-ssh from source-prefix-list router-self
set firewall family inet filter ex-re-filter term accept-ssh from destination-prefix-list router-self
set firewall family inet filter ex-re-filter term accept-ssh from protocol tcp
set firewall family inet filter ex-re-filter term accept-ssh from destination-port ssh
set firewall family inet filter ex-re-filter term accept-ssh then accept

set firewall family inet filter ex-re-filter term accept-ftp from source-prefix-list accept-ftp
set firewall family inet filter ex-re-filter term accept-ftp from destination-prefix-list router-self
set firewall family inet filter ex-re-filter term accept-ftp from protocol tcp
set firewall family inet filter ex-re-filter term accept-ftp from destination-port ftp
set firewall family inet filter ex-re-filter term accept-ftp from destination-port ftp-data
set firewall family inet filter ex-re-filter term accept-ftp then accept

set firewall family inet filter ex-re-filter term accept-snmp from source-prefix-list accept-snmp
set firewall family inet filter ex-re-filter term accept-snmp from protocol udp
set firewall family inet filter ex-re-filter term accept-snmp from destination-port snmp
set firewall family inet filter ex-re-filter term accept-snmp then accept

set firewall family inet filter ex-re-filter term accept-mgmt-out from protocol tcp
set firewall family inet filter ex-re-filter term accept-mgmt-out from source-port telnet
set firewall family inet filter ex-re-filter term accept-mgmt-out from source-port ssh
set firewall family inet filter ex-re-filter term accept-mgmt-out from source-port ftp
set firewall family inet filter ex-re-filter term accept-mgmt-out then accept

set firewall family inet filter ex-re-filter term accept-radius from source-prefix-list accept-radius
set firewall family inet filter ex-re-filter term accept-radius from destination-prefix-list router-self
set firewall family inet filter ex-re-filter term accept-radius from protocol udp
set firewall family inet filter ex-re-filter term accept-radius from protocol tcp
set firewall family inet filter ex-re-filter term accept-radius from source-port radacct
set firewall family inet filter ex-re-filter term accept-radius from source-port radius
set firewall family inet filter ex-re-filter term accept-radius then accept

set firewall family inet filter ex-re-filter term accept-dns from source-prefix-list accept-dns
set firewall family inet filter ex-re-filter term accept-dns from destination-prefix-list router-self
set firewall family inet filter ex-re-filter term accept-dns from protocol udp
set firewall family inet filter ex-re-filter term accept-dns from protocol tcp
set firewall family inet filter ex-re-filter term accept-dns from source-port domain
set firewall family inet filter ex-re-filter term accept-dns then accept

set firewall family inet filter ex-re-filter term accept-ntp from source-prefix-list accept-ntp-peer
set firewall family inet filter ex-re-filter term accept-ntp from source-prefix-list accept-ntp-server
set firewall family inet filter ex-re-filter term accept-ntp from destination-prefix-list router-self
set firewall family inet filter ex-re-filter term accept-ntp from protocol udp
set firewall family inet filter ex-re-filter term accept-ntp from protocol tcp
set firewall family inet filter ex-re-filter term accept-ntp from source-port ntp
set firewall family inet filter ex-re-filter term accept-ntp then accept

set firewall family inet filter ex-re-filter term accept-traceroute-udp from destination-prefix-list router-self
set firewall family inet filter ex-re-filter term accept-traceroute-udp from protocol udp
set firewall family inet filter ex-re-filter term accept-traceroute-udp from destination-port 33435-33450
set firewall family inet filter ex-re-filter term accept-traceroute-udp then accept
set firewall family inet filter ex-re-filter term accept-traceroute-icmp from destination-prefix-list router-self
set firewall family inet filter ex-re-filter term accept-traceroute-icmp from protocol icmp
set firewall family inet filter ex-re-filter term accept-traceroute-icmp from icmp-type echo-request
set firewall family inet filter ex-re-filter term accept-traceroute-icmp from icmp-type timestamp
set firewall family inet filter ex-re-filter term accept-traceroute-icmp from icmp-type time-exceeded
set firewall family inet filter ex-re-filter term accept-traceroute-icmp then accept

set firewall family inet filter ex-re-filter term accept-vrrp from source-prefix-list router-self
set firewall family inet filter ex-re-filter term accept-vrrp from destination-prefix-list vrrp-routers
set firewall family inet filter ex-re-filter term accept-vrrp from protocol vrrp
set firewall family inet filter ex-re-filter term accept-vrrp from protocol ah
set firewall family inet filter ex-re-filter term accept-vrrp then accept

set firewall family inet filter ex-re-filter term accept-bgp-in-1 from source-prefix-list bgp-neighbor-v4
set firewall family inet filter ex-re-filter term accept-bgp-in-1 from destination-prefix-list router-self
set firewall family inet filter ex-re-filter term accept-bgp-in-1 from protocol tcp
set firewall family inet filter ex-re-filter term accept-bgp-in-1 from destination-port bgp
set firewall family inet filter ex-re-filter term accept-bgp-in-1 then accept
set firewall family inet filter ex-re-filter term accept-bgp-in-2 from source-prefix-list bgp-neighbor-v4
set firewall family inet filter ex-re-filter term accept-bgp-in-2 from destination-prefix-list router-self
set firewall family inet filter ex-re-filter term accept-bgp-in-2 from protocol tcp
set firewall family inet filter ex-re-filter term accept-bgp-in-2 from source-port bgp
set firewall family inet filter ex-re-filter term accept-bgp-in-2 then accept

set firewall family inet filter ex-re-filter term accept-bgp-out-1 from source-prefix-list router-self
set firewall family inet filter ex-re-filter term accept-bgp-out-1 from destination-prefix-list bgp-neighbor-v4
set firewall family inet filter ex-re-filter term accept-bgp-out-1 from protocol tcp
set firewall family inet filter ex-re-filter term accept-bgp-out-1 from source-port bgp
set firewall family inet filter ex-re-filter term accept-bgp-out-1 then accept
set firewall family inet filter ex-re-filter term accept-bgp-out-2 from source-prefix-list router-self
set firewall family inet filter ex-re-filter term accept-bgp-out-2 from destination-prefix-list bgp-neighbor-v4
set firewall family inet filter ex-re-filter term accept-bgp-out-2 from protocol tcp
set firewall family inet filter ex-re-filter term accept-bgp-out-2 from destination-port bgp
set firewall family inet filter ex-re-filter term accept-bgp-out-2 then accept

set firewall family inet filter ex-re-filter term accept-ospf from source-prefix-list router-self
set firewall family inet filter ex-re-filter term accept-ospf from source-prefix-list ospf-routers
set firewall family inet filter ex-re-filter term accept-ospf from destination-prefix-list ospf-routers
set firewall family inet filter ex-re-filter term accept-ospf from destination-prefix-list router-self
set firewall family inet filter ex-re-filter term accept-ospf from protocol ospf
set firewall family inet filter ex-re-filter term accept-ospf then accept
set firewall family inet filter ex-re-filter term accept-ospf-igmp from destination-prefix-list ospf-routers
set firewall family inet filter ex-re-filter term accept-ospf-igmp from protocol igmp
set firewall family inet filter ex-re-filter term accept-ospf-igmp then accept

set firewall family inet filter ex-re-filter term discard-all then count discard-all
set firewall family inet filter ex-re-filter term discard-all then discard

Plaats reactie

1000 Resterende tekens