junos-firewall-filter
•
1 like•216 views
The document describes configuring a Juniper firewall filter to block ICMP echo requests from R1 to R2. It recommends applying the filter to interface 20.0.0.8/30 on device J10. The filter drops all ICMP echo requests and allows all other traffic. Applying the filter successfully blocks ping requests from R1 to R2 while allowing other protocols like telnet.
More Related Content
Viewers also liked
Viewers also liked (15)
Similar to junos-firewall-filter
Similar to junos-firewall-filter (20)
junos-firewall-filter
- 1. 01. Simple Tutorial on Juniper Firewall Filters R1 R2 J9 J10 20.0.0.0/30 20.0.0.4/30 20.0.0.8/30 e1 e0 e1 TooManyICMP The scenario is simple. R1 is sending too many ICMP to R2 and this needs to be stopped. Question to consider... do we place filters on 20.0.0.4/30 or at 20.0.0.8/30? If you know that the source of the ICMP is coming from R1, the 20.0.0.4/30 segment is good. Otherwise, placing it on the 20.0.0.8/30 segment is OK. It will buy you sometime for further investigation. Most of the time, the customer(R2) can only tell you that their IP xxx is currently experiencing an attack. They may not be able to tell you the source. In our case, we will make pretend that we DO NOT know the source of the ICMP. We will configure filters on 20.0.0.8/30 interface em1. J10 – Define the firewall firewall { family inet { filter no-icmp { term 1 { from { icmp-type echo-request; } then { reject administratively-prohibited; } } term 2 { then accept; } This rule will do the job There is an IMPLICIT DENY rule if you DON'T include this in term 2. You have been warned. Note the many types of ICMP J10 - Apply this rule to your target interface kjteoh@JunOS-10> show configuration interfaces em1 description J10-R2; unit 0 { family inet { filter { output no-icmp; } address 20.0.0.9/30; You only need an output rule here R1 – After application of the rule ... R1#ping 20.0.0.10 Sending 5, 100-byte ICMP Echos to 20.0.0.10, UUUUU Success rate is 0 percent (0/5) You can add this if you're interested then { count icmp-count; reject administratively-prohibited; } J10 – firewall counters / hit rates kjteoh@JunOS-10> show firewall counter filter no-icmp icmp-count Filter: no-icmp Counters: Name Bytes Packets icmp-count 152000 1580 In the alternative to “administratively-prohibited”, you can use “discard” which will dissolve the pkt. NB: We should note that all other protocols between R1 – R2 should work … eg. R1 telnet R2... OK R1#telnet 20.0.0.10 Trying 20.0.0.10 ... Open User Access Verification Username:
- 2. R1 R2 J9 J10 20.0.0.0/30 20.0.0.4/30 20.0.0.8/30 e1 e0 e1 TooManyICMP 02. Simple Tutorial on Juniper Firewall Filters – A place for Notes. kjteoh 30/6/2016