JunOS Config Snippets – Firewalls and ACLs

Hey, here are some more JunOS related config snippets. Again, these are taken from a branch office SRX. The stateless firewall filter (ACL) syntax is the same across most JunOS devices; the stateful firewall policies and screens are specific to the SRX and J-Series.

Stateless Firewall / ACL

Stateless ACLs are written as firewall filters and applied to interfaces, here as an input filter on vlan.200, so they see packets arriving on that interface. A filter is a list of terms evaluated in order; the first term whose from conditions match decides the packet, and a packet that matches no term hits the implicit discard at the end of the filter, which is why a "block one thing" filter still needs a final accept term.

interfaces {
    vlan {
        unit 200 {
            family inet {
                filter {
                    /* input filters see packets arriving on this interface */
                    input BLOCK-SSH;
                }
                address 192.168.35.1/24;
            }
        }
    }
}
firewall {
    filter BLOCK-SSH {
        term 0 {
            from {
                /* pin the protocol: a bare port match also hits UDP and SCTP to port 22 */
                protocol tcp;
                destination-port ssh;
            }
            then {
                /* send a TCP RST rather than silently discarding */
                reject tcp-reset;
            }
        }
        /* a filter ends with an implicit discard, so everything else must be accepted explicitly */
        term 1 {
            then accept;
        }
    }
}

Stateful Firewall

The SRX and J-Series support stateful firewall inspection. On a stateful device, interfaces are placed into security zones, and policies are written for a pair of zones (from-zone / to-zone). Policies are evaluated top down and the first match wins; traffic that matches no policy falls through to the default policy, which is deny-all unless you change it. Policies match on address book entries and applications (either the predefined junos-* applications or ones you define under applications), which keeps them readable and lets you reuse one definition across many policies. Every name a policy references must actually exist in an address book or application definition, otherwise the commit fails.

security {
    address-book {
        global {
            address SERVER1 10.2.1.20/32;
        }
    }
    policies {
        from-zone INTERNET to-zone INTERNAL {
            policy SERVER1-RDP {
                match {
                    source-address any;
                    /* must match the address-book name exactly */
                    destination-address SERVER1;
                    application [ ms-rdp junos-icmp-all junos-http ];
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone INTERNAL {
            interfaces {
                vlan.50;
            }
        }
        security-zone INTERNET {
            interfaces {
                fe-0/0/3.0;
            }
        }
    }
}
applications {
    /* ms-rdp is not a predefined junos- application; this definition (3389/tcp) is assumed */
    application ms-rdp {
        protocol tcp;
        destination-port 3389;
    }
}
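The two easiest mistakes to make with these snippets are a policy that names an address-book entry or application that is never defined (as originally posted, the policy referenced SERVER while the address book defined SERVER1, and ms-rdp is not a predefined junos- application) and a filter term that matches a port without pinning the protocol. The linter below is an added example, not code from the original post or from Juniper: it parses curly-brace Junos config as printed by show configuration and flags both problems. It assumes a short subset of the predefined application names, and the sample config embedded in it is constructed to reproduce both mistakes; the corrected copy (SERVER1, protocol tcp, and an assumed ms-rdp definition on 3389/tcp) should lint clean.

```python
"""Lint curly-brace Junos config for two pitfalls in firewall/policy snippets: a
policy naming an address-book entry or application nobody defined, and a filter
term matching a port without a protocol.  Added example; not Juniper's code."""
import re

# Assumption: a small subset of the predefined junos-* applications is enough here.
PREDEFINED_APPS = {"any", "junos-icmp-all", "junos-http", "junos-https",
                   "junos-ssh", "junos-dns-udp", "junos-dns-tcp", "junos-ping"}
ANY_ADDRESS = {"any", "any-ipv4", "any-ipv6"}
PORT_MATCHES = {"port", "source-port", "destination-port"}

def parse_junos(text):
    """Nested (key, children) tuples: a container carries a list, a leaf carries None."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)        # strip /* annotations */
    root = []
    stack, pending = [root], None
    for tok in re.findall(r"[{};]|[^{};]+", text):
        tok = " ".join(tok.split())                            # normalise whitespace
        if tok == "{":
            node = []
            stack[-1].append((pending or "", node))
            stack.append(node)
            pending = None
        elif tok == ";":
            stack[-1].append((pending or "", None))
            pending = None
        elif tok == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced closing brace")
            stack.pop()
        elif tok:
            pending = tok
    if len(stack) != 1 or pending is not None:
        raise ValueError("truncated or unbalanced config")
    return root

def containers(nodes, first_word):
    """Yield (key, children) for container statements whose first word matches."""
    for key, kids in nodes:
        if kids is not None and key.split()[:1] == [first_word]:
            yield key, kids

def defined_names(blocks, kinds):
    """Collect X from every 'address X ...' / 'application X ...' statement."""
    return {key.split()[1] for block in blocks for key, _ in block
            if len(key.split()) > 1 and key.split()[0] in kinds}

def lint(text):
    """Return human-readable findings; an empty list means the config is clean."""
    tree = parse_junos(text)
    findings = []
    security = next((kids for _, kids in containers(tree, "security")), [])
    books = [scope for _, book in containers(security, "address-book")
             for _, scope in book if scope is not None]       # "global" or named books
    addrs = defined_names(books, {"address", "address-set"})
    apps = PREDEFINED_APPS | defined_names(
        [kids for _, kids in containers(tree, "applications")], {"application", "application-set"})
    # Every name a policy matches on must resolve, or the commit fails.
    for _, policies in containers(security, "policies"):
        for ctx, block in containers(policies, "from-zone"):
            for pol, body in containers(block, "policy"):
                for _, match in containers(body, "match"):
                    for key, _ in match:
                        field, _, value = key.partition(" ")
                        for name in value.replace("[", " ").replace("]", " ").split():
                            if (field in ("source-address", "destination-address")
                                    and name not in ANY_ADDRESS and name not in addrs):
                                findings.append(f"{ctx} {pol}: {field} {name} is not defined in any address-book")
                            elif field == "application" and name not in apps:
                                findings.append(f"{ctx} {pol}: application {name} is neither predefined nor defined under applications")
    # A port match without "protocol" also matches UDP/SCTP packets to that port.
    for _, fw in containers(tree, "firewall"):
        for fkey, fbody in containers(fw, "filter"):
            for tkey, tbody in containers(fbody, "term"):
                for _, frm in containers(tbody, "from"):
                    leaves = {key.partition(" ")[0] for key, kids in frm if kids is None}
                    if leaves & PORT_MATCHES and "protocol" not in leaves:
                        findings.append(f"{fkey} {tkey}: port match without 'protocol', so UDP and SCTP to that port match too")
    return findings

# Constructed sample reproducing the post's snippets as originally written.
CONFIG = """
security {
    address-book { global { address SERVER1 10.2.1.20/32; } }
    policies { from-zone INTERNET to-zone INTERNAL { policy SERVER1-RDP {
        match { source-address any; destination-address SERVER;
                application [ ms-rdp junos-icmp-all junos-http ]; }
        then { permit; } } } }
}
firewall { filter BLOCK-SSH {
    term 0 { from { destination-port ssh; } then { reject tcp-reset; } }
    term 1 { then accept; } } }
"""

# Corrected form: reference SERVER1, pin TCP, and define ms-rdp (3389/tcp is assumed).
FIXED = (CONFIG.replace("destination-address SERVER;", "destination-address SERVER1;")
         .replace("destination-port ssh;", "protocol tcp; destination-port ssh;")
         + "applications { application ms-rdp { protocol tcp; destination-port 3389; } }\n")
```

Run lint(CONFIG) and you get three findings (the undefined address, the undefined application, and the unpinned port match); lint(FIXED) returns an empty list. The parser is deliberately small: it handles the brace syntax and /* */ annotations that show configuration prints, not the set-style form.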

Screen

Screens are the SRX's per-zone intrusion checks. They aren't used to allow or block traffic by address or port; they detect and drop malformed or suspicious L3 / L4 traffic, some by per-packet sanity checks (ping of death, oversized ICMP) and some by counting against a threshold (sweeps, port scans, floods, per-source session limits). An ids-option profile is attached to a zone and applies to traffic entering the device from that zone, so the profile on the INTERNET zone below checks inbound traffic from the Internet. They are primarily useful for protecting the firewall itself from denial of service attacks that would otherwise consume its session table and CPU. When tuning thresholds, add alarm-without-drop to the ids-option first so that hits are only logged, check show security screen statistics zone INTERNET to see what would have been dropped, and only then let it enforce.

security {
    screen {
        ids-option INTERNET {
            icmp {
                ip-sweep;
                large;
                /* ICMP packets per second before further ICMP is dropped (default 1000) */
                flood threshold 100;
                ping-death;
            }
            tcp {
                /* scan thresholds are time windows in microseconds: 10 ports on one destination within 0.5 s */
                port-scan threshold 500000;
                /* 10 destination hosts from one source within 0.2 s */
                tcp-sweep threshold 200000;
            }
            limit-session {
                /* maximum concurrent sessions per source IP */
                source-ip-based 200;
            }
        }
    }
    zones {
        security-zone INTERNET {
            screen INTERNET;
        }
    }
}
