How to Protect the Junos Routing Engine

Although all interfaces are important, the loopback (lo0) interface is perhaps the most important because it is the link to the Routing Engine, which runs and monitors all the routing protocols. This article provides the skeleton of a firewall filter that protects the Routing Engine. You can use this example as a blueprint to design the appropriate filter for your router. The filter is applied to the router’s lo0 interface.

This filter is for a router configured for a common IPv4 setup:

  • IPv4

  • BGP and IS-IS routing protocols

  • RADIUS, SSH, and Telnet access

  • SNMP NMS access

  • NTP

Because firewall filters are evaluated in order (the first term that matches a packet decides its fate), place the most time-critical items — the routing protocols — first. Accept traffic from your known BGP peers and from the known IS-IS neighbors within the AS using the following set commands:

[edit firewall filter routing-engine]
set term bgp-filter from source-address peer-address1
set term bgp-filter from source-address peer-address2
set term bgp-filter from protocol tcp
set term bgp-filter from port bgp
set term bgp-filter then accept

Then accept DNS traffic (for hostname resolution):

[edit firewall filter routing-engine]
set term dns-filter from source-address network-address
set term dns-filter from protocol [ tcp udp ]
set term dns-filter from port domain
set term dns-filter then accept

Next, accept RADIUS, SSH, Telnet, and SNMP NMS traffic:

[edit firewall filter routing-engine]
set term radius-filter from source-address radius-server-address1
set term radius-filter from source-address radius-server-address2
set term radius-filter from source-port radius
set term radius-filter then accept
set term ssh-telnet-filter from source-address network-address1
set term ssh-telnet-filter from source-address network-address2
set term ssh-telnet-filter from protocol tcp
set term ssh-telnet-filter from destination-port [ ssh telnet ]
set term ssh-telnet-filter then accept
set term snmp-filter from source-address network-address1
set term snmp-filter from source-address network-address2
set term snmp-filter from protocol udp
set term snmp-filter from destination-port snmp
set term snmp-filter then accept

The last traffic to accept is from the NTP time servers and the ICMP protocol (which sends IPv4 error messages):

[edit firewall filter routing-engine]
set term ntp-filter from source-address server-address1
set term ntp-filter from source-address server-address2
set term ntp-filter from source-address 127.0.0.1
set term ntp-filter from protocol udp
set term ntp-filter from port ntp
set term ntp-filter then accept
set term icmp-filter from protocol icmp
set term icmp-filter from icmp-type [ echo-request echo-reply unreachable time-exceeded source-quench ]
set term icmp-filter then accept

The final part of the filter explicitly discards all other traffic, counting and logging each match so that unexpected traffic aimed at the Routing Engine is visible:

[edit firewall filter routing-engine]
set term discard-the-rest then count counter-filename
set term discard-the-rest then log
set term discard-the-rest then syslog
set term discard-the-rest then reject
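As an added illustration (not part of the article or of Junos), the following Python model reproduces the first-match, top-to-bottom evaluation of the filter above so you can check what the Routing Engine would accept or reject before committing. The peer, network and server addresses are constructed placeholders standing in for the article's peer-address1, network-address and server-address values.

```python
"""Added example: first-match evaluator modelling the lo0 'routing-engine' filter."""
import ipaddress

# Terms in the article's order: (name, match conditions, action).
# Addresses are constructed stand-ins for the article's placeholders.
# 'port' matches either source or destination port, as 'from port' does in Junos.
TERMS = [
    ("bgp-filter", {"src": ["192.0.2.1", "192.0.2.2"], "proto": "tcp", "port": 179}, "accept"),
    ("dns-filter", {"src": ["198.51.100.0/24"], "proto": ["tcp", "udp"], "port": 53}, "accept"),
    ("ssh-telnet-filter", {"src": ["198.51.100.0/24"], "proto": "tcp", "dport": [22, 23]}, "accept"),
    ("snmp-filter", {"src": ["198.51.100.0/24"], "proto": "udp", "dport": 161}, "accept"),
    ("ntp-filter", {"src": ["203.0.113.10", "127.0.0.1"], "proto": "udp", "port": 123}, "accept"),
    ("icmp-filter", {"proto": "icmp", "icmp_type": ["echo-request", "echo-reply",
                                                    "unreachable", "time-exceeded", "source-quench"]}, "accept"),
    ("discard-the-rest", {}, "reject"),  # no 'from' clause: matches everything left over
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def term_matches(match: dict, pkt: dict) -> bool:
    """All conditions of a term must hold for the packet (conditions are ANDed)."""
    src = ipaddress.ip_address(pkt["src"])
    if "src" in match and not any(src in ipaddress.ip_network(p) for p in match["src"]):
        return False
    if "proto" in match and pkt["proto"] not in _as_list(match["proto"]):
        return False
    if "port" in match and match["port"] not in (pkt.get("sport"), pkt.get("dport")):
        return False
    if "dport" in match and pkt.get("dport") not in _as_list(match["dport"]):
        return False
    if "icmp_type" in match and pkt.get("icmp_type") not in match["icmp_type"]:
        return False
    return True


def evaluate(pkt: dict) -> tuple:
    """Return (term name, action) of the first term that matches, like the PFE does."""
    for name, match, action in TERMS:
        if term_matches(match, pkt):
            return name, action
    return "implicit-discard", "discard"  # Junos default when no term matches


if __name__ == "__main__":
    # A BGP peer may talk BGP, but an SSH attempt from the same peer hits discard-the-rest.
    print(evaluate({"src": "192.0.2.1", "proto": "tcp", "sport": 40000, "dport": 179}))
    print(evaluate({"src": "192.0.2.1", "proto": "tcp", "sport": 40000, "dport": 22}))
    print(evaluate({"src": "10.0.0.9", "proto": "icmp", "icmp_type": "redirect"}))
```

Constructed packets of the kinds the filter is meant to handle are enough to confirm that only the listed sources and services reach the Routing Engine.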

You need to create the file in which to place the syslog messages:

[edit system]
fred@router# set syslog file filename firewall any

And lastly, apply the firewall filter to the router’s loopback interface:

[edit interfaces]
fred@router# set lo0 unit 0 family inet filter input routing-engine