How to Design a Junos Firewall Filter

By Walter J. Goralski, Cathy Gadecki, Michael Bushong

To design a Junos firewall filter properly, you need to know how Junos processes the filters. There are two basic considerations to bear in mind to ensure that your Junos firewall filters behave the way you intend:

  • On most devices, you can apply multiple firewall filters to an interface as an ordered chain. Consider the limit-ssh-telnet filter on its own: if you apply it to the router’s loopback interface, that interface accepts SSH and Telnet traffic and nothing else. Because a filter on the loopback interface applies to all traffic destined for the router itself, if you have configured other protocols, such as SNMP, BGP, OSPF, and IS-IS, to use the loopback address as the router address, their packets are blocked and never reach the router’s control plane.

    However, you can write a number of smaller firewall filters and apply them in a chain, which lets you reuse those small pieces on many interfaces instead of writing a custom firewall filter for each one.

    When you configure a chain of firewall filters, the Junos OS behaves as though you had created one large firewall filter composed of the terms of each filter, in order. This is why the position of each filter in the chain matters: if you put limit-ssh-telnet first, its second term, which rejects everything, is reached before any term from the remaining filters, so all other traffic is rejected regardless of what those filters would have allowed.

  • Junos OS evaluates the terms in a firewall filter (or in a chain of firewall filters) in order, starting with the first one. The router checks each packet against the terms in turn until it finds a match; at that point it takes the action in that term’s then clause and evaluates no further terms. You must therefore ensure that traffic is accepted or rejected at the right place, and not sooner.

    So, for example, if you want to allow all Telnet traffic but deny all other TCP traffic, the term allowing Telnet must come before the term denying TCP. In the reverse order, the router denies the Telnet traffic (because Telnet runs over TCP) and never reaches the term that would allow it.

    You do not, however, need to worry about optimizing your firewall filters for performance, because the Junos OS does that for you. Your job is to make sure the filter logic is in the correct order; the router takes care of evaluating it efficiently.
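The two considerations above, chaining small filters and ordering their terms, in one worked configuration. This is an added example, not the book’s own configuration: the page only describes what limit-ssh-telnet does (accept SSH and Telnet, reject everything else), so the term bodies below, the allow-routing-protocols filter, the prefix lists, the addresses, and the counter names are all assumptions made for illustration.

```junos
/* Added example: two small reusable filters chained on lo0.
   Prefix lists, addresses and counter names are assumed. */
policy-options {
    prefix-list mgmt-hosts {
        192.0.2.0/24;            /* assumed management subnet */
    }
    prefix-list bgp-peers {
        198.51.100.1/32;         /* assumed BGP neighbour */
    }
}
firewall {
    family inet {
        /* Reusable piece 1: routing protocols that must reach the Routing Engine. */
        filter allow-routing-protocols {
            term bgp {
                from {
                    source-prefix-list {
                        bgp-peers;
                    }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            term ospf {
                from {
                    protocol ospf;
                }
                then accept;
            }
            /* No catch-all term here: packets that match nothing fall through
               to the next filter in the chain, which is what makes this piece
               reusable in front of other filters. */
        }
        /* Reusable piece 2: limit-ssh-telnet as the page describes it.
           The term bodies are assumed; only the behaviour comes from the text. */
        filter limit-ssh-telnet {
            /* The accept term must come before the reject term: Telnet and SSH
               are TCP, so a TCP-wide reject placed first would never let them through. */
            term ssh-telnet {
                from {
                    source-prefix-list {
                        mgmt-hosts;
                    }
                    protocol tcp;
                    destination-port [ ssh telnet ];
                }
                then {
                    count ssh-telnet-accepted;
                    accept;
                }
            }
            /* Second term: matches every packet, so nothing after it is ever
               evaluated. This is why the filter must be LAST in any chain. */
            term everything-else {
                then {
                    count everything-else-rejected;
                    log;
                    reject;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                address 192.0.2.1/32;    /* assumed loopback address */
                filter {
                    /* Evaluated as one filter with the terms bgp, ospf, ssh-telnet,
                       everything-else, in that order. Swapping the two names would
                       put everything-else second and reject BGP and OSPF before
                       their terms are ever reached. */
                    input-list [ allow-routing-protocols limit-ssh-telnet ];
                }
            }
        }
    }
}
```

Two practical notes. First, every Junos firewall filter ends with an implicit discard of anything no term matched; in a chain, that implicit discard applies only after the last filter in the list, which is why allow-routing-protocols can safely omit a catch-all term. After committing, `show firewall` shows the counters, so you can confirm that BGP and OSPF are being accepted by their own terms rather than being swallowed by everything-else. Second, the book permits Telnet purely for illustration; Telnet carries credentials in cleartext, so in a production lo0 filter permit SSH only and restrict it to a management prefix as the mgmt-hosts list does here.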