Junos firewall configuration

I tried to make a firewall configuration for Junos. I have a Juniper router, which separates internal network( 192.168.1.0/28 ) and external network( 192.168.2.0/29 ). Rules are fallowing:

1. allow traffic to 192.168.1.7 ports 80 and 443 from all hosts
2. allow ssh traffic to all the hosts in 192.168.1.0/28 from 192.168.2.1 and 192.168.2.2
3. allow from 192.168.2.1 to port 8319 on all the hosts in 192.168.1.0/28
4. allow traffic to all the hosts on port 443 and 5900 in 192.168.1.0/28 from 192.168.2.3 and 192.168.2.4
5. allow established TCP connections
6. allow Google DNS servers
7. discard everything else!
8. don't allow outgoing connection from 192.168.1.7 to 192.168.2.5 on all ports.

Should fallowing firewall configuration work:

firewall {
    filter incoming_traffic {
        term WWW {
            from {
                destination-address {
                    192.168.1.7/32;
                }
                protocol tcp;
                destination-port [ 80 443 ];
            }
            then accept;
        }   
        term SSH {
            from {
                source-address {
                    192.168.2.1/32;
                    192.168.2.2/32;
                }
                destination-address {
                    192.168.1.0/28;
                }     
                protocol tcp;
                destination-port 22;
            }
            then accept;
        }
        term 8319 {
            from {
                source-address {
                    192.168.2.1/32;
                }
                destination-address {
                    192.168.1.0/28;
                }
                protocol tcp;
                destination-port 8319;
            }
            then accept;
        }            
        term 443_5900 {
            from {
                source-address {
                    192.168.2.3/32;
                    192.168.2.4/32;
                }
                destination-address {
                    192.168.1.0/28;
                }     
                protocol tcp;
                destination-port [ 443 5900 ];
            }
            then accept;
        } 
        term established {
            from {
                tcp-established;
            }
            then {
                count established;
                accept;
            }
        }
        term DNS {
            from {
                source-address {
                    8.8.8.8/32;
                    8.8.4.4/32;
                }
                protocol udp;
                source-port 53;
            }
            then {
                count DNS;
                accept;
            }
        }
        term other {
            then discard;
        }
    }       
    filter outgoing_traffic {
        term 192.168.2.5 {
            from {
                source-address {
                    192.168.1.7;
                }
            destination-address {
                 192.168.2.5/32
            }
            then {
                discard
            }
        }
    }
}

Is this firewall configuration correct? Will it work(I still don't have a router to try this)?

Find more posts tagged with

Comments

Robert_74

Looks good to me, the only thing the term "established" also requires from protocol tcp match

m4rtin

Robert_74 wrote: »

Looks good to me, the only thing the term "established" also requires from protocol tcp match

could you illustrate this with an example?

Robert_74

Yes, sure

[edit firewall filter example]
man-core-1a#show
term established {
from {
protocol tcp;
tcp-established;
}
then {
count established;
accept;
}
}

m4rtin

Robert_74 wrote: »

Yes, sure

[edit firewall filter example]
man-core-1a#show
term established {
from {
protocol tcp;
tcp-established;
}
then {
count established;
accept;
}
}

Thanks! What does this count in front of established does? I mean what count established or count discard means?

One more additional question- am I correct, that order of terms matter in Junos firewall configuration?

Robert_74

It just the name of the counter. So when you do "show firewall" you can see all your counters

m4rtin

Robert_74 wrote: »

It just the name of the counter. So when you do "show firewall" you can see all your counters

I see..thanks! However, when speaking more general, as I understand, terms are evaluated in order(read this from JUNOS cookbook). If yes, then..

term other {
    then discard;
}

..term has to be the last one in a filter?

Robert_74

Sort of, in a prudent type

m4rtin

Robert_74 wrote: »

Sort of, in a prudent type

Then fallowing configuration doesn't work:

firewall {
    filter incoming_traffic {
        term WWW {
            from {
                destination-address {
                    192.168.1.7/32 except;
                }
                protocol tcp;
                destination-port [ 80 443 ];
            }
            then discard;
        }   
        term SSH {
            from {
                source-address {
                    0.0.0.0/0;
                    192.168.2.1/32 except;
                    192.168.2.2/32 except;
                }
                destination-address {
                    192.168.1.0/28;
                }     
                protocol tcp;
                destination-port 22;
            }
            then discard;
        }
        term 8319 {
            from {
                source-address {
                    0.0.0.0/0;
                    192.168.2.1/32 except;
                }
                destination-address {
                    192.168.1.0/28;
                }
                protocol tcp;
                destination-port 8319;
            }
            then discard;
        }            
        term 443_5900 {
            from {
                source-address {
                    0.0.0.0/0;
                    192.168.2.3/32 except;
                    192.168.2.4/32 except;
                }
                destination-address {
                    192.168.1.0/28;
                }     
                protocol tcp;
                destination-port [ 443 5900 ];
            }
            then discard;
        } 
        term established {
            from {
                tcp-established;
            }
            then {
                count established;
                accept;
            }
        }
        term DNS {
            from {
                source-address {
                    8.8.8.8/32 except;
                    8.8.4.4/32 except;
                }
                protocol udp;
                source-port 53;
            }
            then {
                count DNS;
                discard;
            }
        }
        term other {
            then discard;
        }
    }       
    filter outgoing_traffic {
        term 192.168.2.5 {
            from {
                source-address {
                    192.168.1.7 except;
                }
            destination-address {
                 192.168.2.5/32
            }
            then {
                accept
            }
        }
    }
}

As you can see, I tried to do the same firewall rules with reversed logic:) However, is the syntax correct? Is it going to work just like the previous firewall configuration?

If yes, then how this terms are evaluated in order applies here?I mean package will not make to the next term if it's already discarded in the first one..

Robert_74

Sorry m4rtin, I am a bit busy right now to go into the details. The logic is quite simple: if all yoor terms allow, then the last one denies. If all your terms deny, then the last one allows

m4rtin

Robert_74 wrote: »

Sorry m4rtin, I am a bit busy right now to go into the details. The logic is quite simple: if all yoor terms allow, then the last one denies. If all your terms deny, then the last one allows

It's ok

However, if you have a moment later, then maybe you are able to explain how package is able to move trough those two terms:

term WWW {
    from {
        destination-address {
            192.168.1.7/32 except;
        }
        protocol tcp;
        destination-port [ 80 443 ];
    }
    then discard;
}   
term SSH {
    from {
        source-address {
            0.0.0.0/0;
            192.168.2.1/32 except;
            192.168.2.2/32 except;
        }
        destination-address {
            192.168.1.0/28;
        }     
        protocol tcp;
        destination-port 22;
    }
}

I mean term WWW should drop all the packages, which are not addressed to IP 192.168.1.7 TCP port 80 and 443. If yes, then term SSH has no idea because destiny of a package is determined in the WWW term

Robert_74

Before finding this moment

where did you apply your filter ?

Robert_74

Sorry m4tin, I am getting confused here, especially by this "which are not addressed to IP 192.168.1.7 TCP port 80 and 443".
Your term actually DISCARD all the traffic destined TO 192.168.1.7 TCP port 80 and 443, allowing everything else, which is want it is suppose to do
Your first post used accept action, now it is discard. What is that exactly you trting to do ?

m4rtin

Robert_74, sorry for bit bad explanation. What I want to know, is the general understanding, how packages move trough Juniper firewall terms. As I understand, they to this term-by-term. Everything is understandable when we have similar then accept terms:

term WWW {
    from {
        destination-address {
            192.168.1.7/32;
        }
        protocol tcp;
        destination-port [ 80 443 ];
    }
    then accept;
}
term SSH {
    from {
        source-address {
            192.168.2.1/32;
            192.168.2.2/32;
        }
        destination-address {
            192.168.1.0/28;
        }     
        protocol tcp;
        destination-port 22;
    }
    then accept;
}

Package is first processed in WWW term and is accepted if it is addressed to 192.168.1.7/32 TCP port 80 or 443. If package is not accepted, it moves forward to SSH term etc.

Now as much as I have read about Juniper firewalls, one can use except values as well. In other words, this:

term WWW {
    from {
        destination-address {
            192.168.1.7/32;
        }
        protocol tcp;
        destination-port [ 80 443 ];
    }
    then accept;
 }
term SSH {
     from {
         source-address {
             192.168.2.1/32;
             192.168.2.2/32;
         }
         destination-address {
             192.168.1.0/28;
         }     
         protocol tcp;
         destination-port 22;
     }
     then accept;
 }

and this:

term WWW {
    from {
        destination-address {
            192.168.1.7/32 except;
        }
        protocol tcp;
        destination-port [ 80 443 ];
    }
    then discard;
 }
term SSH {
    from {
        source-address {
            192.168.2.1/32;
            192.168.2.2/32;
        }
        destination-address {
            192.168.1.0/28;
        }     
        protocol tcp;
        destination-port 22;
    }
    then discard;
}

should be exactly the same. Am I correct?

Now if we talk about this last example, in the term WWW, everything is discarded, except those packages, which are addressed to 192.168.1.7 TCP port 80 or 443. Now the problem/question is, that what does package do when it's discarded already in the first term? Or every package has to be processed in every term one after another until in the final term the package is really discarded/accepted?

zoidberg

when you hit a terminating action (accept, reject, discard) that's where the filtering stops for that packet. the packet will not make it's way to the next term and be evaluated there. you cannot discard a packet in one filter, and then rescue it in the next with an accept. this is why the ordering of your terms and filters is critically important.

zoidberg

term WWW {
    from {
        destination-address {
            192.168.1.7/32 except;
        }
        protocol tcp;
        destination-port [ 80 443 ];
    }
    then discard;
 }
Now if we talk about this last example, in the term WWW, everything is discarded, except those packages, which are addressed to 192.168.1.7 TCP port 80 or 443. Now the problem/question is, that what does package do when it's discarded already in the first term? Or every package has to be processed in every term one after another until in the final term the package is really discarded/accepted?

I wouldn't say everything being other than dst 192.168.1.7 tcp [ 80 443 ] is being discarded. The WWW term will only discard tcp packets with a destination-port [ 80 443 ]. If a packet was destined to 10.11.12.13 tcp port 81, it would not be discarded.

Keep in mind the except is being used only on the address and not on the entire from clause.

Really, if you only want to allow dst 192.168.1.7 tcp [ 80 443 ], instead of doing this backwards except stuff, why don't you just match and accept that traffic?

m4rtin

zoidberg wrote: »

when you hit a terminating action (accept, reject, discard) that's where the filtering stops for that packet. the packet will not make it's way to the next term and be evaluated there. you cannot discard a packet in one filter, and then rescue it in the next with an accept. this is why the ordering of your terms and filters is critically important.

Ok, thanks! So what happens if term other is moved towards the beginning of the incoming_traffic filter like this:

firewall {
    filter incoming_traffic {
        term WWW {
            from {
                destination-address {
                    192.168.1.7/32;
                }
                protocol tcp;
                destination-port [ 80 443 ];
            }
            then accept;
        }  
        term SSH {
            from {
                source-address {
                    192.168.2.1/32;
                    192.168.2.2/32;
                }
                destination-address {
                    192.168.1.0/28;
                }    
                protocol tcp;
                destination-port 22;
            }
            then accept;
        }
        term 8319 {
            from {
                source-address {
                    192.168.2.1/32;
                }
                destination-address {
                    192.168.1.0/28;
                }
                protocol tcp;
                destination-port 8319;
            }
            then accept;
        }
        term other {
            then discard;
        }            
        term 443_5900 {
            from {
                source-address {
                    192.168.2.3/32;
                    192.168.2.4/32;
                }
                destination-address {
                    192.168.1.0/28;
                }    
                protocol tcp;
                destination-port [ 443 5900 ];
            }
            then accept;
        }
        term established {
            from {
                protocol tcp;
                tcp-established;
            }
            then {
                count established;
                accept;
            }
        }
        term DNS {
            from {
                source-address {
                    8.8.8.8/32;
                    8.8.4.4/32;
                }
                protocol udp;
                source-port 53;
            }
            then {
                count DNS;
                accept;
            }
        }
    }      
    filter outgoing_traffic {
        term 192.168.2.5 {
            from {
                source-address {
                    192.168.1.7;
                }
            destination-address {
                 192.168.2.5/32
            }
            then {
                discard
            }
        }
        term other {
            then accept;
        }
    }
}

Am I correct, that all the packages are processed(dropped) in other term and will not move to terms 443_5900, established, DNS etc?

And if I would like to associate filters incoming_traffic and outgoing_traffic with interface ge-0/0/0, I should do:

set ge-0/0/0 unit 0 filter input incoming_traffic
set ge-0/0/0 unit 0 filter output outgoing_traffic

and finally check if there are Filters: Input: incoming_traffic and Filters: Output: outgoing_traffic are present under show interfaces ge-0/0/0 detail?

zoidberg

m4rtin wrote: »
Ok, thanks! So what happens if term other is moved towards the beginning of the incoming_traffic filter like this:

Am I correct, that all the packages are processed(dropped) in other term and will not move to terms 443_5900, established, DNS etc?
        term other {
            then discard;
        }            

Yes, you are correct. Term other will drop ALL packets that have made it thru to this term and no packets will be evaluated by the terms below it; 443_5900, established, dns, etc.

And if I would like to associate filters incoming_traffic and outgoing_traffic with interface ge-0/0/0, I should do:
set ge-0/0/0 unit 0 filter input incoming_traffic
set ge-0/0/0 unit 0 filter output outgoing_traffic

Looks good. Off the top of my head, I'm drawing blanks on the difference between set int.unit filter vs set int.unit family inet filter. Perhaps someone can fill in the blank or I'll look into it tomorrow.

and finally check if there are Filters: Input: incoming_traffic and Filters: Output: outgoing_traffic are present under show interfaces ge-0/0/0 detail?

I assume so. I don't have a router output handy and I don't feel like vpn'ing in to check right now (beer trumps workish stuff

). I think a show int det or ext should list the input and output filters.

m4rtin

Thanks zoidberg! I'll add here few facts from JUNOS cookbook:

"What happens if you don't configure a firewall filter? By default, interfaces accept all incoming traffic and transmit all outgoing traffic."
"As with routing policy, the JUNOS software evaluates a firewall filter term by term, and, when a term matches, the action is taken and evaluation ends. If packet matches none of the terms, the default action is to discard the package."
"You can apply only one incoming and outgoing firewall filter to an interface."
"As with routing policies, the order of the terms in a firewall filter is significant. Packets are tested against each term in the order."

However, what if I would like to apply a policer in order to give different speeds for local and Internet connection? For example like this:

firewall {
    filter incoming_traffic {
        term WWW {
            from {
                destination-address {
                    192.168.1.7/32;
                }
                protocol tcp;
                destination-port [ 80 443 ];
            }
            then accept;
        }  
        term SSH {
            from {
                source-address {
                    192.168.2.1/32;
                    192.168.2.2/32;
                }
                destination-address {
                    192.168.1.0/28;
                }    
                protocol tcp;
                destination-port 22;
            }
            then accept;
        }
        term 8319 {
            from {
                source-address {
                    192.168.2.1/32;
                }
                destination-address {
                    192.168.1.0/28;
                }
                protocol tcp;
                destination-port 8319;
            }
            then accept;
        }          
        term 443_5900 {
            from {
                source-address {
                    192.168.2.3/32;
                    192.168.2.4/32;
                }
                destination-address {
                    192.168.1.0/28;
                }    
                protocol tcp;
                destination-port [ 443 5900 ];
            }
            then accept;
        }
        term established {
            from {
                protocol tcp;
                tcp-established;
            }
            then {
                count established;
                accept;
            }
        }
        term DNS {
            from {
                source-address {
                    8.8.8.8/32;
                    8.8.4.4/32;
                }
                protocol udp;
                source-port 53;
            }
            then {
                count DNS;
                accept;
            }
        }
        term internet_connection {
            from {
                interface-group 10;
            }
            then {
                policer bw-1Mbps;
                count internet_connection;
                accept;
            }
        }   
        term local_connection {
            then {
                policer bw-2Mbps;
                count local_connection;
                accept;
            }
        }
        term other {
            then discard;
        }  
    }      
    filter outgoing_traffic {
        term 192.168.2.5 {
            from {
                source-address {
                    192.168.1.7;
                }
            destination-address {
                 192.168.2.5/32
            }
            then {
                discard
            }
        }
        term other {
            then accept;
        }
    }
}

In the example above, package never gets to the term other, because it's accepted either in term internet_connection or local_connection. So basically this firewall doesn't work. How should I change this?

Or is it possible at all to have such policy terms and other terms all in one firewall filter?