JUNOS Cookbook by Aviva Garrett

9.8. Creating a Simple Firewall Filter that Matches Packet Contents

Problem

The default router interface behavior is to allow connections from anywhere on the network, but you want to restrict access so connections can be made only from known subnetworks.

Solution

Use firewall filters to control which packets an interface allows to enter the router. You know that connections to the router use Telnet or SSH, so create a filter that checks for these packets. First, create the firewall filter:

	[edit firewall]
	aviva@router1# set filter incoming-to-me term restrict-telnet-ssh from protocol tcp
	aviva@router1# set filter incoming-to-me term restrict-telnet-ssh from destination-port [ telnet ssh ]
	aviva@router1# set filter incoming-to-me term restrict-telnet-ssh from source-address 10.0.0.0/8
	aviva@router1# set filter incoming-to-me term restrict-telnet-ssh then accept

Then, apply the filter to the router's interface:

	[edit interfaces]
	aviva@router1# set fe-0/0/0 unit 0 family inet filter input incoming-to-me

Here's what the firewall filter looks like in the configuration:

	[edit]
	aviva@router1# show
	firewall {
	    filter incoming-to-me {
	        term restrict-telnet-ssh {
	            from {
	                protocol tcp;
	                destination-port [ telnet ssh ];
	                source-address {
	                    10.0.0.0/8;
	                }
	            }
	            then accept;
	        }
	    }
	}
	interfaces {
	    fe-0/0/0 {
	        unit 0 {
	            family inet {
	                filter input incoming-to-me;
	            }
	        }
	    }
	}
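The verdict logic of the filter above, as an added Python model that is not part of the book: it applies Junos first-match evaluation and the implicit discard that ends every Junos filter, over packets constructed inline. It also shows the consequence of a one-term filter on a physical interface: TCP traffic to any other port, such as a BGP session from the same 10.0.0.0/8 range, is discarded as well.

```python
import ipaddress

# Port names used in the recipe's destination-port match (IANA numbers).
PORT_NAMES = {"telnet": 23, "ssh": 22}

# Model of the page's filter: one term. The implicit discard that ends
# every Junos filter is applied in evaluate(), not listed as a term.
INCOMING_TO_ME = [
    {
        "name": "restrict-telnet-ssh",
        "protocol": "tcp",
        "destination-port": ["telnet", "ssh"],
        "source-address": ["10.0.0.0/8"],
        "then": "accept",
    },
]

def term_matches(term, pkt):
    """A term matches only if every 'from' condition present matches."""
    if "protocol" in term and pkt["protocol"] != term["protocol"]:
        return False
    if "destination-port" in term:
        allowed = {PORT_NAMES.get(p, p) for p in term["destination-port"]}
        if pkt["dport"] not in allowed:
            return False
    if "source-address" in term:
        src = ipaddress.ip_address(pkt["src"])
        if not any(src in ipaddress.ip_network(n) for n in term["source-address"]):
            return False
    return True

def evaluate(filter_terms, pkt):
    """First matching term wins; no match means the implicit discard."""
    for term in filter_terms:
        if term_matches(term, pkt):
            return term["then"], term["name"]
    return "discard", "implicit-discard"

# Constructed sample packets, not traffic taken from the book.
SAMPLE_PACKETS = [
    {"protocol": "tcp", "src": "10.1.2.3", "dport": 22},    # SSH from known subnet
    {"protocol": "tcp", "src": "192.0.2.7", "dport": 23},   # Telnet from outside
    {"protocol": "tcp", "src": "10.0.0.1", "dport": 179},   # BGP from known subnet
    {"protocol": "udp", "src": "10.9.9.9", "dport": 22},    # wrong protocol
]

def run_samples():
    """Verdict for each sample packet, in order."""
    return [evaluate(INCOMING_TO_ME, p)[0] for p in SAMPLE_PACKETS]
```

Call run_samples() to see the four verdicts; only the first packet is accepted.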

Discussion

Placing firewall filters on the router's interfaces is one of the most critical actions you can take to protect the security of the router ...
