Juniper JNCIA-Junos JN0-104 – Section 7: Routing Policy and Firewall Filters Part 4
April 28, 2023

83. Firewall Filters

Let’s now talk about firewall filters. Firewall filters provide rules that define whether to accept or discard packets that are transiting an interface. At first this sounds like a security policy: security policies can also be configured to control traffic passing through the device, so it sounds like firewall filters do the same thing. There is a difference, and we will get to it in a minute. If a packet is accepted by the firewall filter, we can apply further actions such as class of service and traffic policing. Class of service is a technique used to group similar types of traffic together and treat each type of traffic as a class with its own service priority. Traffic policing is a technique used to control the maximum rate of traffic sent or received.

Firewall filters are what other vendors call access control lists (ACLs). A firewall filter can be configured to accept or discard a packet before it enters or exits a port or interface, and that is the key function of a firewall filter: it lets you deal with a packet right at the entry point or right at the exit point. Compare this with a security policy. Imagine a security policy configured to block ICMP traffic. The security policy comes into action only after the traffic has already entered the device, whereas a firewall filter can stop that traffic from entering the device at all, because it is applied right on the interface. So we can use firewall filters to block unnecessary traffic, and we can also use them for rate limiting. Firewall filters can be used to restrict traffic destined for the Routing Engine based on its source, protocol and application, and to limit the rate of packets destined for the Routing Engine to protect against floods and denial-of-service attacks.

Firewall filters are normally configured to enhance the security of the device by packet filtering. Firewall filters are stateless: every packet is examined individually, packet contents are evaluated statically, and the filter does not keep track of the state of network connections. Suppose a sequence of packets arrives at the device and the firewall filter allows the first packet in that sequence. That does not mean the remaining packets will also be allowed, because every packet is examined on its own and firewall filters have no concept of connection state. Let’s now talk about the components of a firewall filter. Routing policies and firewall filters have a common structure: the fundamental building block of a firewall filter is a term, just as it is for a routing policy. A firewall filter requires at least one term.

A firewall filter term contains match conditions and actions. If all the match conditions are true, the actions specified within the term are taken. If no match conditions are specified, all traffic is considered a match. Very important to keep in mind when implementing firewall filters: the order of terms matters and can change the result. Another important thing to keep in mind is that every firewall filter ends with a default term that discards all packets the configured terms do not explicitly permit. Let me explain this with an example. Say we configure a firewall filter term designed to block ICMP traffic, and that is the only term we define. Configured like this, the filter ends up blocking all traffic on the interface it is applied to, because the first term blocks ICMP and the implicit term beneath it blocks everything else. So any traffic that we do not wish to block must be explicitly allowed. The default term is an implicit rule whose action is to discard the packet. Within a term we define from statements and then statements. In the from statement you specify the characteristics the packet must have for the action in the subsequent then statement to be performed. This is the same shape as a routing policy: the from statement holds the match conditions and the then statement defines the action to be taken. The characteristics defined in the from statement are called match conditions.

If a term contains multiple match conditions, the packet must satisfy all of them to be considered a match for that term. The match conditions available depend on the protocol family under which the firewall filter is configured (family inet, family inet6 and so on). Typical match conditions include the IP source and destination address fields, the TCP or UDP source and destination port fields, the IP protocol field, the ICMP packet type, IP options, TCP flags, and the incoming and outgoing interface. As you can see, there are many ways to define which packets count as a match. Now let’s talk about the actions. There are three types of action we can define: a terminating action, a non-terminating action, and a flow control action. A terminating action stops evaluation of the firewall filter for that packet: the specified action is performed and no additional terms are examined.

Examples of terminating actions are accept, discard and reject. The accept action causes the system to accept the packet. The discard action causes the system to silently drop the packet without sending an ICMP message to the source address. The reject action causes the system to drop the packet and send an ICMP message back to the source address. Non-terminating actions perform functions such as incrementing a counter, logging information about the packet header, sampling the packet, or sending information to a remote host. Examples of non-terminating actions are count, log, policer and syslog. The count action counts matching packets under a named counter, the log action records the packet header information in the firewall log buffer, the policer action applies a named policer to rate-limit the traffic, and the syslog action writes the packet information to the system log.

An important thing to keep in mind: using a non-terminating action without an explicit terminating action results in a default terminating action of accept. So if you want to log a packet and discard it, you have to configure the discard explicitly; otherwise the system logs the packet and accepts it. This is very important: a non-terminating action on its own means the packet is accepted. To keep the filter evaluating after a non-terminating action, we use the next term action. Say you want to log a packet but also want it evaluated by the next term: with next term, the packet is logged, evaluation is not terminated, and it moves on to the next term. That brings us to flow control actions. A flow control action lets the device perform the configured actions on the packet and then evaluate the next term in the filter rather than terminating the filter; next term is the flow control action. Now that we understand what firewall filters are used for and the components that make up a firewall filter, in the upcoming video we’ll see how to configure one.
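As an added example (this is not configuration from the course), here is the accept-by-default pitfall beside its corrected form, plus a flow-control term that uses next term. The filter and counter names are made up for illustration; the course’s own filter, block-icmp-telnet, is built in the next section. The /* */ lines are Junos annotations and load along with the statements.

```junos
firewall {
    /* WRONG: the intent is to drop Telnet, but the term has only a
       non-terminating action (log). With no terminating action the default
       of accept applies, so Telnet is logged and then let through. */
    filter telnet-log-only {
        term telnet {
            from {
                protocol tcp;
                destination-port telnet;
            }
            then {
                log;
            }
        }
        term allow-all {
            then accept;
        }
    }
    /* RIGHT: the same match with an explicit terminating action, preceded by a
       flow-control term. count-all-tcp increments a counter and hands the packet
       on with next term instead of ending evaluation. */
    filter telnet-log-and-drop {
        term count-all-tcp {
            from {
                protocol tcp;
            }
            then {
                count tcp-seen;
                next term;
            }
        }
        term telnet {
            from {
                protocol tcp;
                destination-port telnet;
            }
            then {
                log;
                discard;
            }
        }
        /* Everything else is accepted explicitly, so the implicit discard at
           the end of the filter never applies. */
        term allow-all {
            then accept;
        }
    }
}
```

After applying telnet-log-and-drop to an interface, show firewall filter telnet-log-and-drop displays the tcp-seen counter and show firewall log shows the discarded Telnet packets; with telnet-log-only the same packets appear in the log with the action recorded as accept.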

84. Configuring Firewall Filters

Now that we understand what a firewall filter is and what its structure looks like, let’s talk about how to configure one. Let’s first talk about where the filters can be applied. Firewall filters can be applied to any interface to filter traffic entering or exiting it. What’s interesting is that a firewall filter can also be applied to the loopback interface, lo0, and this lets you filter traffic destined for the system, that is, the Routing Engine itself. lo0 is the interface to the Routing Engine, so when a filter is applied to lo0 it evaluates the packets received or transmitted by the Routing Engine. This is something we’re going to implement in the next few minutes: we’ll apply a filter on the loopback interface to filter traffic destined for the Routing Engine.

An IPv6 filter cannot be applied to an IPv4 interface: the protocol family of the firewall filter and the protocol family of the interface on which the filter is applied must match. Let’s see a configuration example. Here we have an interface, ge-0/0/1. Under unit 0, under family inet, we apply two filters. Notice the keywords input and output; that is what determines the direction in which each filter is applied. The input keyword applies a filter to incoming traffic, the output keyword applies a filter to outgoing traffic. Having understood this, let’s do some configuration examples. We’ll configure a firewall filter that denies ICMP traffic destined for the SRX device itself, and then extend it to deny all Telnet traffic destined for the SRX device. Let’s get to the terminal. I’m at the Junos terminal, in operational mode. Let’s first enter configuration mode. Firewall filters are configured under the edit firewall hierarchy, so edit firewall, and I’ll start with show. Right now we have no configuration. Let’s start by defining a filter: edit filter, followed by a name. Let’s call it block-icmp-telnet. Now we’re at the filter level and need to define a term: edit term block-icmp. Now we need to match the traffic, so let’s type set and see what options are available.

Using the question mark we can see from, and under from a question mark shows the many things we can match on: ICMP information, protocol, port, TCP flags, connection state, packet length and so on. Right now we want to match traffic belonging to the ICMP protocol, so we’ll use the protocol keyword: set from protocol, and a question mark here lists the protocols we can match. We’ll say icmp and press Enter. We need to block this traffic, so set then followed by a question mark shows the available actions. We can count the packet,

log the packet, set a forwarding class, police the traffic, reject it, discard it, or accept it. We’re trying to block ICMP traffic, so set then discard. A show now displays the term we’ve defined: it matches the ICMP protocol and discards the traffic. Let’s also add set then log, so that we can look at the firewall log and see that the packet was discarded, and let’s count the packets too with set then count, which needs a counter name; let’s call it block-icmp-counter and press Enter. Going one level up and doing show, the configuration looks good: we match the ICMP protocol, discard the traffic, log it, and increment a counter called block-icmp-counter. But there is still something to configure. What do you think will happen if I commit this configuration right now?

Will ICMP be blocked? Yes. But is ICMP the only protocol that will be blocked? No. We learned in the last lecture that every firewall filter has an implicit discard at the bottom. We can’t see it, but it’s there. So if we commit now, this term blocks ICMP and the implicit discard blocks everything else, including the traffic we use to manage the device. We account for that by adding another term that allows all other traffic: edit term allow-all. We don’t need a from statement because we want to match everything else, so just set then accept. Going up and doing show, we now have this second term; anything that does not match block-icmp matches allow-all and is accepted. I’ll go to the top of the configuration and commit. The filter is ready but not yet applied. We’re going to apply it on the loopback interface, because lo0 is the interface of the Routing Engine and we want to block ICMP traffic destined for the Routing Engine: edit interfaces lo0 unit 0 family inet, and set followed by a question mark shows that we have the option to apply a filter: set filter, question mark.

We can apply an input filter or an output filter. In this case we apply an input filter, followed by the filter name, block-icmp-telnet, and press Enter. Before committing, let’s check that ICMP works right now. For that I need the IP address of my interface: run show interfaces terse, and I have a device connected to the trust interface, so I copy that address, go over to the connected device and ping it. We get responses. Ctrl-C to stop. Back on the SRX, let’s commit the change, then try the ping one more time. The interesting thing is that we get no responses at all, because the action is discard, which drops the packets silently. Let’s go back into the filter configuration, edit firewall filter block-icmp-telnet, do a show, and change the action to reject to see what difference it makes: set term block-icmp then reject, then show again.

Now the action is reject. Commit, go back to the host and try the ping again. This time we get a message back saying the packet is being filtered. So reject causes the packet to be dropped and also sends an ICMP unreachable message back to the source; we’ve seen the difference between discard and reject live. Ctrl-C to stop. Back on the SRX device, let’s see how to verify this. From operational mode the command is show firewall, which displays the firewall filter statistics; show firewall followed by a question mark lists the options. Let’s start with show firewall log, since the term has logging configured. Here we see the interface on which the traffic was received, the protocol, the source IP address, the destination IP address and the action, reject. Before we set the reject action we had the discard action, and that can be seen in the earlier entries, where the action was discard. We can also do show firewall filter with the filter name, and there we see the counter we specified together with its packet count. Let’s go back to configuration mode and configure the second term, which is to block Telnet traffic. But first let’s check that Telnet works: copy that IP address and telnet to it. The firewall accepts the Telnet connection. Let’s configure a term to block this traffic: back on the firewall, enter configuration mode and go into the filter configuration.

edit firewall filter block-icmp-telnet. We’re going to configure a new term: edit term block-telnet. Now we need to match the traffic, so set from; we’re going to use the port keyword, which matches the TCP or UDP source or destination port. You could be more specific and match only the destination port, because Telnet traffic is destined to port 23, but for now we’ll use port, which matches either source or destination: set from port, a question mark lists the well-known application names, and we pick telnet. A show confirms that we match the Telnet port. When configuring firewall filters, an important thing to keep in mind is that you need to be as specific as possible. Even though we wrote telnet, that really means port 23, and as written the term affects all traffic whose source or destination port is 23, including UDP traffic. So let’s be specific and add set from protocol tcp. Firewall filters have to be very, very specific; otherwise we may end up blocking traffic

that is not meant to be blocked. A show now says we match the TCP protocol and the Telnet port. Let’s set the action: set then reject. Let’s also log the packet, set then log, and send it to the system log as well, set then syslog. A show confirms we match TCP and port 23 and have the actions configured. We don’t need to apply anything again, because the filter is already applied on the loopback interface, so all we need to do is commit. Back on the host, the previous Telnet session has timed out, so let’s try again: press the up arrow and Enter, and Telnet still works. The firewall filter we configured is not correct. Can you think of a reason why? What is incorrect in this configuration? We are matching TCP, we are matching the Telnet port,

we are rejecting the traffic. Why isn’t it working? Pause the video if you need a moment to think about it. In the last video we discussed that the order of terms in a firewall filter is very important: terms are evaluated in order, and the first term that matches decides the packet’s fate. If I go one level up and do a show, you’ll notice that the allow-all term is shadowing the block-telnet term. All traffic is first tested against block-icmp, then against allow-all, and evaluation stops there because allow-all matches everything. The block-telnet term we just added sits below allow-all and is never reached. So the important lesson is that firewall filter terms must be ordered correctly. What we need to do is insert block-telnet above allow-all. The keyword is insert: insert term block-telnet before term allow-all. A show now lists block-icmp, then block-telnet, then allow-all. That looks good; commit, go back to the host and try again: telnet to the IP address and press Enter. We are no longer able to telnet.

The error message the host prints here is “No route to host”. The wording suggests a routing problem, but it is how a Linux host reports the ICMP destination-unreachable (administratively prohibited) message that the reject action sends back; the message you might expect, that the connection was filtered or dropped, is not what Linux shows. Either way, we know the filter is working: Telnet is being rejected. Let’s go back to the SRX and look at the log: exit to operational mode and show firewall log. Here we see the packet that matched: the source IP address of the host, protocol TCP, the interface it arrived on (the trust interface), and the destination address, which is the trust interface address of the firewall where the packet was dropped.

For this term we also configured syslog, and all my syslog messages are forwarded to the messages log file. So if we do show log messages and match on the port number, 23, we should see the entry: show log messages | match 23 (messages is my syslog file, and we’re matching on the port the connection was made to). There it is: that’s the connection that was dropped. We can see the interface, ge-0/0/1.0, and the IP address of the host we tried from,

the firewall IP address and the port number. To verify further we can copy the syslog message code and do help syslog followed by that code; the output tells us that this message code means an IP packet matched a stateless firewall filter. Similarly, we can apply firewall filters to traffic leaving the device, that is, outgoing traffic. The important things to keep in mind when designing a firewall filter are: be very specific about what you’re trying to match; always remember the implicit discard and account for it with a final term that accepts everything you don’t want to block; and get the order of terms right. One practical caveat when filtering lo0 on a device you manage remotely: a mistake in that filter can cut off your own management session, so apply it with commit confirmed, which rolls the change back automatically unless you confirm it within the timeout.
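The completed lo0 filter from this walkthrough, written out as an added example rather than copied from the course output. Two things go beyond what was typed above: the Telnet term matches destination-port instead of port, so only Telnet sessions to the device are caught and not replies from a remote Telnet server the device connects to, and the annotations record why each term sits where it does. Filter, term and counter names are the course’s own.

```junos
firewall {
    filter block-icmp-telnet {
        /* 1. ICMP to the Routing Engine: counted, logged, rejected (reject sends
           an ICMP unreachable back; discard would drop silently). */
        term block-icmp {
            from {
                protocol icmp;
            }
            then {
                count block-icmp-counter;
                log;
                reject;
            }
        }
        /* 2. Telnet: match the protocol AND the destination port. "port telnet"
           alone would also hit UDP/23 and TCP packets whose source port is 23. */
        term block-telnet {
            from {
                protocol tcp;
                destination-port telnet;
            }
            then {
                log;
                syslog;
                reject;
            }
        }
        /* 3. Must be last. Anything not matched above is accepted here, so the
           implicit discard never swallows SSH, routing protocols or DNS replies.
           If this term were placed above block-telnet it would shadow it. */
        term allow-all {
            then accept;
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input block-icmp-telnet;
                }
            }
        }
    }
}
```

Verification from operational mode: show firewall filter block-icmp-telnet shows the block-icmp-counter value, show firewall log shows the per-packet entries with their action, and clear firewall all resets the counters between tests. If a term ends up in the wrong position, insert term <name> before term <other> reorders it without deleting anything.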

85. Traffic Policing

Let’s now talk about an interesting topic called traffic policing. Traffic policing allows you to control the maximum rate of traffic sent or received on an interface. It is also referred to as rate limiting, and it helps thwart denial-of-service attacks. Traffic policing can be applied to both inbound and outbound traffic. Policing inbound traffic lets you conserve resources by dropping traffic that does not need to be routed through the network, while policing outbound traffic lets you control the bandwidth being used. Traffic policing employs what is known as a token bucket algorithm, which enforces a limit on the average bandwidth while still allowing bursts up to a specified maximum. Here’s a simple explanation of the token bucket algorithm. It starts with a token allocator, the process responsible for generating tokens.

In simple terms, think of the tokens as the number of bits allowed to pass through the interface. Tokens accumulate in a token bucket. When a packet arrives at the interface, the policer checks whether enough tokens are available for it. If there are, the packet is allowed through and those tokens are consumed; if there are not, the packet is out of profile. That’s a very simplified explanation of the token bucket algorithm. From the policer’s standpoint it works like this: the incoming packet is first evaluated by the policer, which decides whether the traffic is within the allowed threshold. If so, the packet is accepted. If the traffic exceeds the threshold, the packet is dropped, or, instead of dropping it, we can choose to accept it with a lower priority.

When configuring a traffic policer on a Junos device, there are two rate limits to configure. Number one is the bandwidth limit, which defines the number of bits per second permitted on average. Number two is the burst size limit, the total number of bytes the system allows in a burst above the bandwidth limit. So when configuring a policer you set the bandwidth limit, which decides how much traffic we allow on average, and the burst size limit, which decides how far we allow traffic to burst above that average. Here’s a sample policer configuration. Under the edit firewall hierarchy we have a policer called drop-excess. The keyword is if-exceeding, under which we define the bandwidth-limit, the allowed traffic rate, and the burst-size-limit. Once the policer is configured, we reference it inside a firewall filter term.

So, going back to the policer for a minute: any traffic that exceeds the configured limits is discarded. Once the policer is configured we reference it within a firewall filter term. Now let’s get to the Junos terminal and see how to configure this. I’m at the Junos terminal. Let’s enter the firewall configuration, edit firewall, and edit followed by a question mark shows that we have the option to configure a policer. Let’s do that: edit policer, followed by a name; let’s call it drop-excess. Now we’re under the policer configuration, and set followed by a question mark shows the keyword if-exceeding; another question mark shows that we can configure the bandwidth-limit and the burst-size-limit. Notice that the bandwidth can also be specified as a percentage of the interface rate. For now we’ll configure the bandwidth-limit, which is given in bits per second; the minimum we can configure is 32000 bits per second, which is 4000 bytes per second: set if-exceeding bandwidth-limit 32000. Then set if-exceeding burst-size-limit, whose value is given in bytes, with a lowest possible value of 1500; we’ll set that. We also need to specify what happens to packets that exceed the configured values: set then discard. Going up and doing show, we’ve configured our threshold values and discard as the action for packets exceeding them.

Now we need to configure a firewall filter that references the policer: edit filter filter-1, then edit term police-all. I’m not going to provide a from statement for this term because I want all traffic to match it, so we go straight to set then policer drop-excess. We also say set then accept so that packets pass the term, set then log, and set then count policed-count. Going up and doing show, we’ve got the policer with its configured values and the firewall term that references it, counts into policed-count, and accepts the traffic. Finally, we need to apply this on an interface. I’m going to apply it on ge-0/0/1, because that’s where I have a host connected, so we can test the configuration: set interfaces ge-0/0/1 unit 0 family inet filter input filter-1, and commit the changes.

Now let’s go to operational mode and first look at the firewall counters. Right now all the counters are 0. I’m going to hop to another tab where I have the connected host. I’ll use a utility called hping3, which lets you craft custom packets: you can set the packet size, choose the protocol, set flags, and so on. I’m on an Ubuntu machine, so I’ll run hping3 against the firewall address, sending 10 packets (-c sets the count), using the ICMP protocol (-1), with an option that sends them faster than the default one-per-second interval, and -d to set the packet data size. Let’s start with 500. Press Enter, and we have 0 packet loss: 10 packets sent, 10 received.

Back on the SRX device, show firewall shows that 10 packets matched and none were dropped. Now let’s clear the counters with clear firewall all; show firewall now shows 0 packets. Back on the host, let’s increase the packet size to 1000. Now we see 50 percent packet loss. Back on the SRX, show firewall shows five packets went through and five were policed, that is, dropped. Let’s clear it once more and change the packet size to 1300. This time we have 60 percent packet loss.

Only four packets came back, and show firewall on the SRX confirms that four packets were allowed through and six were dropped. So that’s how we configure a traffic policer. An important thing to keep in mind is that policers can not only drop packets: they can also forward packets while accepting them with a lower priority, and traffic policing can be applied to both inbound and outbound packets.
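The policer walkthrough written out as an added example (not the course’s own output), extended with a second policer, mark-excess, which shows the “accept with lower priority” option the text mentions by setting loss-priority high instead of discarding. The names drop-excess, filter-1, police-all and policed-count are the page’s; mark-excess and its use in term police-tcp are invented here for illustration.

```junos
firewall {
    /* Average 32000 bit/s (the minimum), burst 1500 bytes (the minimum, one
       full-size Ethernet frame). Out-of-profile packets are discarded. */
    policer drop-excess {
        if-exceeding {
            bandwidth-limit 32000;
            burst-size-limit 1500;
        }
        then discard;
    }
    /* Same limits, but excess packets are kept and marked high loss priority,
       so they are the first to go if a queue fills later. */
    policer mark-excess {
        if-exceeding {
            bandwidth-limit 32000;
            burst-size-limit 1500;
        }
        then loss-priority high;
    }
    filter filter-1 {
        /* TCP is only marked, not dropped. policer is a non-terminating action,
           so accept is stated explicitly rather than relied on by default. */
        term police-tcp {
            from {
                protocol tcp;
            }
            then {
                policer mark-excess;
                accept;
            }
        }
        /* No from statement: every remaining packet on the interface is policed.
           policed-count counts packets that reached the term, including those
           the policer then discards. */
        term police-all {
            then {
                policer drop-excess;
                count policed-count;
                log;
                accept;
            }
        }
    }
}
interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                filter {
                    input filter-1;
                }
            }
        }
    }
}
```

Test it the way the course does: clear firewall all, send a burst of ICMP from the connected host with hping3 at increasing packet sizes, then show firewall filter filter-1, which lists the term counter alongside the policer’s own counter of out-of-profile packets. The term ordering matters here too: because police-tcp comes first and accepts, TCP never reaches drop-excess.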
