Here is a sample Junos firewall filter for protecting the Routing Engine (RE) of the box and the services it runs. It is applied as an input filter on lo0, so every packet destined to the RE itself is evaluated against it, while transit traffic is not.
ICMP:
ICMP message types are essential for network administration and troubleshooting. There are quite a number of ICMP types and codes; the IANA ICMP Parameters registry has the full list, and RFC792 has the protocol details.
Here are the four types I consider useful for troubleshooting and therefore allow:
Type 0 — Echo Reply --> response from target to host
Type 8 — Echo Request --> host to target
Type 11 — Time Exceeded --> returned to the host when doing traceroute
Type 3 — Destination Unreachable --> needed for Path MTU Discovery (code 4, fragmentation needed); the term below admits the whole type
Everything else (redirects, timestamp requests and so on) falls through to the final discard term.
Pre-config (create a policer). The policer rate-limits the ICMP, NTP and traceroute terms below to 128 kbps with a 15 KB burst and discards the excess, so a flood of otherwise permitted packets cannot exhaust the RE:
set firewall policer limit-128k if-exceeding bandwidth-limit 128k
set firewall policer limit-128k if-exceeding burst-size-limit 15k
set firewall policer limit-128k then discard
set firewall family inet filter FIREWALL-RE term ICMP_PING from protocol icmp
set firewall family inet filter FIREWALL-RE term ICMP_PING from icmp-type echo-request
set firewall family inet filter FIREWALL-RE term ICMP_PING from icmp-type echo-reply
set firewall family inet filter FIREWALL-RE term ICMP_PING then policer limit-128k
set firewall family inet filter FIREWALL-RE term ICMP_PING then count ICMP
set firewall family inet filter FIREWALL-RE term ICMP_PING then accept
set firewall family inet filter FIREWALL-RE term ICMP_TTL from protocol icmp
set firewall family inet filter FIREWALL-RE term ICMP_TTL from icmp-type time-exceeded
set firewall family inet filter FIREWALL-RE term ICMP_TTL from icmp-type unreachable
set firewall family inet filter FIREWALL-RE term ICMP_TTL then policer limit-128k
set firewall family inet filter FIREWALL-RE term ICMP_TTL then accept
SSH:
Use SSH for remote access. Telnet is strictly discouraged: it is unencrypted, so credentials and whole sessions can be captured by anyone able to sniff the path.
Juniper Configuration:
set firewall family inet filter FIREWALL-RE term REMOTE_ACCESS from source-prefix-list SSH-PREFIX-LIST
set firewall family inet filter FIREWALL-RE term REMOTE_ACCESS from protocol tcp
set firewall family inet filter FIREWALL-RE term REMOTE_ACCESS from port ssh
set firewall family inet filter FIREWALL-RE term REMOTE_ACCESS then count REMOTE_ACCESS
set firewall family inet filter FIREWALL-RE term REMOTE_ACCESS then accept
set policy-options prefix-list SSH-PREFIX-LIST 192.168.10.101/32
set policy-options prefix-list SSH-PREFIX-LIST 192.168.10.102/32
where: 192.168.10.101 and 192.168.10.102 are the only hosts allowed to SSH into the device. Note that 'port ssh' matches TCP port 22 as either the source or the destination port, so a packet from one of those hosts with source port 22 towards any RE port also matches this term; 'destination-port ssh' is the tighter match, since the router only ever acts as the SSH server here.
AAA (TACACS+):
Juniper Configuration:
set firewall family inet filter FIREWALL-RE term AAA_ALLOW from source-prefix-list TACACS-PREFIX-LIST
set firewall family inet filter FIREWALL-RE term AAA_ALLOW from protocol tcp
set firewall family inet filter FIREWALL-RE term AAA_ALLOW from source-port tacacs
set firewall family inet filter FIREWALL-RE term AAA_ALLOW then count AAA
set firewall family inet filter FIREWALL-RE term AAA_ALLOW then accept
set policy-options prefix-list TACACS-PREFIX-LIST 192.168.10.200/32
where: 192.168.10.200 is the TACACS+ server. The term matches on source-port tacacs (TCP 49) rather than destination-port because the router opens the session to the server; only the server's replies are RE-bound.
See more details here: Tacacs (Authentication and Accounting) Configuration in Juniper
SNMP:
Juniper Configuration:
set firewall family inet filter FIREWALL-RE term SNMP_ALLOW from source-prefix-list SNMP-PREFIX-LIST
set firewall family inet filter FIREWALL-RE term SNMP_ALLOW from protocol udp
set firewall family inet filter FIREWALL-RE term SNMP_ALLOW from destination-port snmp
set firewall family inet filter FIREWALL-RE term SNMP_ALLOW then count SNMP
set firewall family inet filter FIREWALL-RE term SNMP_ALLOW then accept
set policy-options prefix-list SNMP-PREFIX-LIST 192.168.20.200/32
where: 192.168.20.200 is the SNMP polling server. Only polling (UDP 161 towards the RE) needs a term; traps the router sends are outbound and are not evaluated by an input filter.
Related config: SNMPv2c and SNMPv3 Polling and Traps Configuration in Juniper
NTP:
Juniper Configuration:
set firewall family inet filter FIREWALL-RE term NTP_ALLOW from source-prefix-list NTP-PREFIX-LIST
set firewall family inet filter FIREWALL-RE term NTP_ALLOW from protocol udp
set firewall family inet filter FIREWALL-RE term NTP_ALLOW from port ntp
set firewall family inet filter FIREWALL-RE term NTP_ALLOW then policer limit-128k
set firewall family inet filter FIREWALL-RE term NTP_ALLOW then count NTP
set firewall family inet filter FIREWALL-RE term NTP_ALLOW then accept
set policy-options prefix-list NTP-PREFIX-LIST 192.168.30.200/32
where: 192.168.30.200 is the NTP server. 'port ntp' matches UDP 123 as source or destination, which covers both the router's own queries and the server's replies.
Related config: NTP Configuration via Management Routing Instance in Juniper
IP Protocols
OSPF
set firewall family inet filter FIREWALL-RE term OSPF_ALLOW from protocol ospf
set firewall family inet filter FIREWALL-RE term OSPF_ALLOW then count OSPF
set firewall family inet filter FIREWALL-RE term OSPF_ALLOW then accept
LDP (UDP 646 for hellos, TCP 646 for sessions, so both protocols are matched)
set firewall family inet filter FIREWALL-RE term LDP_ALLOW from protocol tcp
set firewall family inet filter FIREWALL-RE term LDP_ALLOW from protocol udp
set firewall family inet filter FIREWALL-RE term LDP_ALLOW from port 646
set firewall family inet filter FIREWALL-RE term LDP_ALLOW then count LDP
set firewall family inet filter FIREWALL-RE term LDP_ALLOW then accept
RSVP
set firewall family inet filter FIREWALL-RE term RSVP_ALLOW from protocol rsvp
set firewall family inet filter FIREWALL-RE term RSVP_ALLOW then count RSVP
set firewall family inet filter FIREWALL-RE term RSVP_ALLOW then accept
PIM
set firewall family inet filter FIREWALL-RE term PIM_ALLOW from protocol pim
set firewall family inet filter FIREWALL-RE term PIM_ALLOW then count PIM
set firewall family inet filter FIREWALL-RE term PIM_ALLOW then accept
IGMP
set firewall family inet filter FIREWALL-RE term IGMP_ALLOW from protocol igmp
set firewall family inet filter FIREWALL-RE term IGMP_ALLOW then count IGMP
set firewall family inet filter FIREWALL-RE term IGMP_ALLOW then accept
MSDP (TCP port 639; a term with no terminating action accepts by default in Junos, so the accept is stated explicitly)
set firewall family inet filter FIREWALL-RE term MSDP_ALLOW from protocol tcp
set firewall family inet filter FIREWALL-RE term MSDP_ALLOW from protocol udp
set firewall family inet filter FIREWALL-RE term MSDP_ALLOW from port msdp
set firewall family inet filter FIREWALL-RE term MSDP_ALLOW then count MSDP
set firewall family inet filter FIREWALL-RE term MSDP_ALLOW then accept
BGP
set firewall family inet filter FIREWALL-RE term BGP_ALLOW from source-prefix-list BGP-PREFIX-LIST
set firewall family inet filter FIREWALL-RE term BGP_ALLOW from protocol tcp
set firewall family inet filter FIREWALL-RE term BGP_ALLOW from port bgp
set firewall family inet filter FIREWALL-RE term BGP_ALLOW then count BGP
set firewall family inet filter FIREWALL-RE term BGP_ALLOW then accept
set policy-options prefix-list BGP-PREFIX-LIST 192.168.40.0/24
where: 192.168.40.0/24 contains the BGP peers. Keep this list as tight as the peering plan allows; a /24 lets every host on that subnet reach the RE's TCP port 179.
Others
BFD (single-hop control packets: UDP destination port 3784 from an ephemeral source port; multihop BFD uses destination port 4784 and would need its own term)
set firewall family inet filter FIREWALL-RE term BFD_ALLOW from protocol udp
set firewall family inet filter FIREWALL-RE term BFD_ALLOW from source-port 49152-65535
set firewall family inet filter FIREWALL-RE term BFD_ALLOW from destination-port 3784
set firewall family inet filter FIREWALL-RE term BFD_ALLOW then count BFD
set firewall family inet filter FIREWALL-RE term BFD_ALLOW then accept
Traceroute (classic UDP probes to high ports; the ICMP Time Exceeded replies the router sends back are outbound and need no term in an input filter)
set firewall family inet filter FIREWALL-RE term TRACEROUTE from protocol udp
set firewall family inet filter FIREWALL-RE term TRACEROUTE from destination-port 33434-33678
set firewall family inet filter FIREWALL-RE term TRACEROUTE then policer limit-128k
set firewall family inet filter FIREWALL-RE term TRACEROUTE then count TRACEROUTE
set firewall family inet filter FIREWALL-RE term TRACEROUTE then accept
Finally, put an explicit catch-all term at the end. Junos discards any packet that matches no term of a filter, so REJECT_ALL does not change what is dropped, but it gives you a counter to watch for unexpected RE-bound traffic. Terms are evaluated in order and the first match wins, so every accept term must come before it. Before committing a filter on lo0, make sure the address you are managing the box from is in SSH-PREFIX-LIST, and use 'commit confirmed' so a mistake rolls back instead of locking you out.
set firewall family inet filter FIREWALL-RE term REJECT_ALL then count REJECT_ALL
set firewall family inet filter FIREWALL-RE term REJECT_ALL then discard
Apply it as an input filter on lo0, so that it sees all traffic destined to the RE:
set interfaces lo0 unit 0 family inet filter input FIREWALL-RE
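To check the filter logic off-box, here is an added example that is not part of the original post: a small evaluator for the set-style lines above. It parses a constructed subset of this page's configuration (the ICMP_PING, REMOTE_ACCESS, AAA_ALLOW, BFD_ALLOW and REJECT_ALL terms with their prefix lists, in the same order) and reports which term an RE-bound packet would hit under Junos semantics: terms are tried in order, the first match wins, a matching term with no terminating action accepts, and a packet that matches no term is discarded. The packet dictionaries are an abstraction of my own, not a Junos structure, and only the match conditions used on this page are modelled. It also shows why 'port ssh' is looser than 'destination-port ssh': a packet from an authorized host with source port 22 towards any other RE port still lands in REMOTE_ACCESS.

```python
"""Constructed evaluator for Junos-style 'set firewall family inet filter' lines.
Not Juniper code. Models: ordered terms, first match wins, no terminating
action => accept, no matching term => implicit discard. Match conditions
supported: protocol, icmp-type, source-prefix-list, port, source-port,
destination-port. Packet dicts are a constructed abstraction."""
import ipaddress
from collections import OrderedDict

# Service keywords Junos accepts in place of port numbers (subset used on this page).
SERVICES = {"ssh": 22, "tacacs": 49, "snmp": 161, "ntp": 123, "bgp": 179, "msdp": 639}

# Constructed subset of the page's configuration, in the page's term order.
CONFIG = """
set firewall family inet filter FIREWALL-RE term ICMP_PING from protocol icmp
set firewall family inet filter FIREWALL-RE term ICMP_PING from icmp-type echo-request
set firewall family inet filter FIREWALL-RE term ICMP_PING from icmp-type echo-reply
set firewall family inet filter FIREWALL-RE term ICMP_PING then policer limit-128k
set firewall family inet filter FIREWALL-RE term ICMP_PING then accept
set firewall family inet filter FIREWALL-RE term REMOTE_ACCESS from source-prefix-list SSH-PREFIX-LIST
set firewall family inet filter FIREWALL-RE term REMOTE_ACCESS from protocol tcp
set firewall family inet filter FIREWALL-RE term REMOTE_ACCESS from port ssh
set firewall family inet filter FIREWALL-RE term REMOTE_ACCESS then accept
set firewall family inet filter FIREWALL-RE term AAA_ALLOW from source-prefix-list TACACS-PREFIX-LIST
set firewall family inet filter FIREWALL-RE term AAA_ALLOW from protocol tcp
set firewall family inet filter FIREWALL-RE term AAA_ALLOW from source-port tacacs
set firewall family inet filter FIREWALL-RE term AAA_ALLOW then accept
set firewall family inet filter FIREWALL-RE term BFD_ALLOW from protocol udp
set firewall family inet filter FIREWALL-RE term BFD_ALLOW from source-port 49152-65535
set firewall family inet filter FIREWALL-RE term BFD_ALLOW from destination-port 3784
set firewall family inet filter FIREWALL-RE term BFD_ALLOW then accept
set firewall family inet filter FIREWALL-RE term REJECT_ALL then count REJECT_ALL
set firewall family inet filter FIREWALL-RE term REJECT_ALL then discard
set policy-options prefix-list SSH-PREFIX-LIST 192.168.10.101/32
set policy-options prefix-list SSH-PREFIX-LIST 192.168.10.102/32
set policy-options prefix-list TACACS-PREFIX-LIST 192.168.10.200/32
"""


def parse_set_config(text):
    """Return (terms, prefix_lists); terms maps name -> {'from': {match: [values]}, 'then': [actions]}."""
    terms, prefix_lists = OrderedDict(), {}
    for line in text.splitlines():
        tok = line.split()
        if tok[:3] == ["set", "policy-options", "prefix-list"]:
            prefix_lists.setdefault(tok[3], []).append(ipaddress.ip_network(tok[4]))
        elif tok[:5] == ["set", "firewall", "family", "inet", "filter"]:
            term = terms.setdefault(tok[7], {"from": {}, "then": []})  # tok[7] is the term name
            if tok[8] == "from":
                term["from"].setdefault(tok[9], []).append(tok[10])  # repeated keys become alternatives
            else:  # 'then': keep the action keyword (policer, count, accept, discard ...)
                term["then"].append(tok[9])
    return terms, prefix_lists


def _port_in(specs, port):
    """True if port falls within any spec: a service name, a number, or a lo-hi range."""
    for spec in specs:
        if spec in SERVICES:
            lo = hi = SERVICES[spec]
        elif "-" in spec:
            lo, hi = (int(x) for x in spec.split("-"))
        else:
            lo = hi = int(spec)
        if lo <= port <= hi:
            return True
    return False


def term_matches(match, pkt, prefix_lists):
    """All 'from' conditions must hold; an empty 'from' (REJECT_ALL) matches everything."""
    src = ipaddress.ip_address(pkt["src"])
    sport, dport = pkt.get("sport", -1), pkt.get("dport", -1)
    checks = {
        "protocol": lambda v: pkt["proto"] in v,
        "icmp-type": lambda v: pkt.get("icmp_type") in v,
        "source-prefix-list": lambda v: any(src in net for pl in v for net in prefix_lists[pl]),
        "source-port": lambda v: _port_in(v, sport),
        "destination-port": lambda v: _port_in(v, dport),
        # Directionless 'port' matches if EITHER the source or the destination port is listed.
        "port": lambda v: _port_in(v, sport) or _port_in(v, dport),
    }
    return all(checks[key](values) for key, values in match.items())


def evaluate(terms, prefix_lists, pkt):
    """Return (term_name, action) for the first matching term, or (None, 'discard')."""
    for name, term in terms.items():
        if term_matches(term["from"], pkt, prefix_lists):
            terminating = [a for a in term["then"] if a in ("accept", "discard", "reject")]
            return name, (terminating[0] if terminating else "accept")
    return None, "discard"  # Junos implicit discard at the end of a filter


TERMS, PREFIX_LISTS = parse_set_config(CONFIG)


def verdict(pkt):
    return evaluate(TERMS, PREFIX_LISTS, pkt)


if __name__ == "__main__":
    for label, pkt in [
        ("ssh from authorized host", {"proto": "tcp", "src": "192.168.10.101", "sport": 51234, "dport": 22}),
        ("ssh from unauthorized host", {"proto": "tcp", "src": "10.0.0.1", "sport": 51234, "dport": 22}),
        ("authorized host, sport 22 to port 8080", {"proto": "tcp", "src": "192.168.10.101", "sport": 22, "dport": 8080}),
        ("icmp redirect", {"proto": "icmp", "src": "10.0.0.1", "icmp_type": "redirect"}),
    ]:
        print(f"{label:40} -> {verdict(pkt)}")
```

On the device itself, 'show firewall filter FIREWALL-RE' lists the per-term counters, which is the quickest way to confirm that real traffic is landing in the term you expect rather than in REJECT_ALL.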
What does it look like?
Policer:
lab@vMX-1> show configuration firewall policer limit-128k
if-exceeding {
    bandwidth-limit 128k;
    burst-size-limit 15k;
}
then discard;
Firewall:
lab@vMX-1> show configuration firewall
family inet {
    filter FIREWALL-RE {
        term ICMP_PING {
            from {
                protocol icmp;
                icmp-type [ echo-request echo-reply ];
            }
            then {
                policer limit-128k;
                count ICMP;
                accept;
            }
        }
        term ICMP_TTL {
            from {
                protocol icmp;
                icmp-type [ time-exceeded unreachable ];
            }
            then {
                policer limit-128k;
                accept;
            }
        }
        term REMOTE_ACCESS {
            from {
                source-prefix-list {
                    SSH-PREFIX-LIST;
                }
                protocol tcp;
                port ssh;
            }
            then {
                count REMOTE_ACCESS;
                accept;
            }
        }
        term AAA_ALLOW {
            from {
                source-prefix-list {
                    TACACS-PREFIX-LIST;
                }
                protocol tcp;
                source-port tacacs;
            }
            then {
                count AAA;
                accept;
            }
        }
        term SNMP_ALLOW {
            from {
                source-prefix-list {
                    SNMP-PREFIX-LIST;
                }
                protocol udp;
                destination-port snmp;
            }
            then {
                count SNMP;
                accept;
            }
        }
        term NTP_ALLOW {
            from {
                source-prefix-list {
                    NTP-PREFIX-LIST;
                }
                protocol udp;
                port ntp;
            }
            then {
                policer limit-128k;
                count NTP;
                accept;
            }
        }
        term OSPF_ALLOW {
            from {
                protocol ospf;
            }
            then {
                count OSPF;
                accept;
            }
        }
        term LDP_ALLOW {
            from {
                protocol [ tcp udp ];
                port 646;
            }
            then {
                count LDP;
                accept;
            }
        }
        term RSVP_ALLOW {
            from {
                protocol rsvp;
            }
            then {
                count RSVP;
                accept;
            }
        }
        term PIM_ALLOW {
            from {
                protocol pim;
            }
            then {
                count PIM;
                accept;
            }
        }
        term IGMP_ALLOW {
            from {
                protocol igmp;
            }
            then {
                count IGMP;
                accept;
            }
        }
        term MSDP_ALLOW {
            from {
                protocol [ tcp udp ];
                port msdp;
            }
            then {
                count MSDP;
                accept;
            }
        }
        term BGP_ALLOW {
            from {
                source-prefix-list {
                    BGP-PREFIX-LIST;
                }
                protocol tcp;
                port bgp;
            }
            then {
                count BGP;
                accept;
            }
        }
        term BFD_ALLOW {
            from {
                protocol udp;
                source-port 49152-65535;
                destination-port 3784;
            }
            then {
                count BFD;
                accept;
            }
        }
        term TRACEROUTE {
            from {
                protocol udp;
                destination-port 33434-33678;
            }
            then {
                policer limit-128k;
                count TRACEROUTE;
                accept;
            }
        }
        term REJECT_ALL {
            then {
                count REJECT_ALL;
                discard;
            }
        }
    }
}
policer limit-128k {
    if-exceeding {
        bandwidth-limit 128k;
        burst-size-limit 15k;
    }
    then discard;
}
Prefix-lists:
lab@vMX-1> show configuration policy-options
prefix-list SSH-PREFIX-LIST {
    192.168.10.101/32;
    192.168.10.102/32;
}
prefix-list TACACS-PREFIX-LIST {
    192.168.10.200/32;
}
prefix-list SNMP-PREFIX-LIST {
    192.168.20.200/32;
}
prefix-list NTP-PREFIX-LIST {
    192.168.30.200/32;
}
prefix-list BGP-PREFIX-LIST {
    192.168.40.0/24;
}
Applied on the loopback interface:
lab@vMX-1> show configuration interfaces lo0
unit 0 {
    family inet {
        filter {
            input FIREWALL-RE;
        }
    }
}