Overview:

By default, Junos boxes come in a "firewall mode" where the system default-blocks traffic and all ACLs are stateful. If you are only pushing bits and would rather the device run in a stateless mode, this can be done with a quick command and a reboot. (You can also run in a mode where some interfaces are stateless and some are stateful.)

Juniper calls its stateful setting flow-based forwarding, and its stateless mode packet-based forwarding.

An overview of the benefits of each is outlined as follows:
To enable packet-based forwarding (stateless), commit the following and reboot the box:

    set security forwarding-options family mpls mode packet-based

To enable flow-based forwarding (stateful, the default), commit the following and reboot the box:

    set security forwarding-options family mpls mode flow-based

In either case, reboot afterwards:

    > request system reboot

Stateless ACLs:

Once you are in packet-based mode, you can throw everything under the security configs away. In fact, to commit packet mode, you probably needed to issue the command:

    delete security

If you want to set up ACLs, you use the (wonderfully confusing) firewall family commands. Here's a simple example to control access to the loopback interface, such that its BGP peer can talk to it and the admins can SSH to it:

    ! allow admins to ssh to the loopback:
    set firewall family inet filter protect-RE term ssh-term from source-address 192.168.122.0/24
    set firewall family inet filter protect-RE term ssh-term from protocol tcp
    set firewall family inet filter protect-RE term ssh-term from destination-port ssh
    set firewall family inet filter protect-RE term ssh-term then accept

    ! allow bgp peer to connect to loopback:
    set firewall family inet filter protect-RE term bgp-term from source-address 10.2.1.0/24
    set firewall family inet filter protect-RE term bgp-term from protocol tcp
    set firewall family inet filter protect-RE term bgp-term from destination-port bgp
    set firewall family inet filter protect-RE term bgp-term then accept

    ! block and log everything else:
    set firewall family inet filter protect-RE term discard-rest-term then log
    set firewall family inet filter protect-RE term discard-rest-term then syslog
    set firewall family inet filter protect-RE term discard-rest-term then discard

    ! bind the filter "protect-RE" to the loopback interface:
    set interfaces lo0 unit 0 family inet filter input protect-RE

Here's another funky example allowing all transit traffic through except UDP and TCP, but allowing SSH and telnet through:

    ! allow all traffic except tcp + udp:
    set firewall family inet filter filter1 term term1 from protocol-except tcp
    set firewall family inet filter filter1 term term1 from protocol-except udp
    set firewall family inet filter filter1 term term1 then accept

    ! block traffic from private ip range:
    set firewall family inet filter filter1 term term2 from address 192.168.0.0/16
    set firewall family inet filter filter1 term term2 then reject

    ! allow telnet and ssh traffic through:
    set firewall family inet filter filter1 term term3 from destination-port ssh
    set firewall family inet filter filter1 term term3 from destination-port telnet
    set firewall family inet filter filter1 term term3 then accept

    ! block all other traffic:
    set firewall family inet filter filter1 term term4 then reject

    ! create wan interface, and bind filter "filter1" to it:
    set interfaces ge-0/0/1 unit 0 family inet address 10.1.2.3/30
    set interfaces ge-0/0/1 unit 0 family inet filter input filter1

Terms are evaluated top to bottom and the first match wins, so an SSH connection from 192.168.0.0/16 is rejected by term2 before term3 ever sees it, and anything no earlier term accepts falls through to term4. Note that term3 matches on destination-port without a protocol match; Junos recommends pairing destination-port with protocol tcp or udp, as the first example does.
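To see how the terms of the transit filter interact (top-to-bottom evaluation, first match wins, implicit discard when nothing matches), here is an added Python model of stateless filter evaluation over the page's own filter1 set commands. It is example code, not Junos code and not from the original page; `parse_filter`, `term_matches`, `evaluate` and the packet dictionaries are assumptions of the example.

```python
import ipaddress
# Constructed input: the transit filter "filter1" from the text, as Junos set commands.
FILTER1 = """\
set firewall family inet filter filter1 term term1 from protocol-except tcp
set firewall family inet filter filter1 term term1 from protocol-except udp
set firewall family inet filter filter1 term term1 then accept
set firewall family inet filter filter1 term term2 from address 192.168.0.0/16
set firewall family inet filter filter1 term term2 then reject
set firewall family inet filter filter1 term term3 from destination-port ssh
set firewall family inet filter filter1 term term3 from destination-port telnet
set firewall family inet filter filter1 term term3 then accept
set firewall family inet filter filter1 term term4 then reject
"""
PORT_NAMES = {"ssh": 22, "telnet": 23, "bgp": 179}  # text synonyms used on the page

def parse_filter(text):
    """Terms in configuration order: name -> {'from': {key: [values]}, 'then': [actions]}."""
    terms = {}
    for w in (l.split() for l in text.splitlines() if l.startswith("set firewall family inet filter")):
        t = terms.setdefault(w[7], {"from": {}, "then": []})
        if w[8] == "from":
            t["from"].setdefault(w[9], []).append(PORT_NAMES.get(w[10], int(w[10]) if w[10].isdigit() else w[10]))
        else:
            t["then"].append(w[9])
    return list(terms.items())

def term_matches(conds, pkt):
    """Values under one match key OR together; different keys AND together; no keys matches all."""
    for key, vals in conds.items():
        if key == "protocol":
            hit = pkt["proto"] in vals
        elif key == "protocol-except":
            hit = pkt["proto"] not in vals
        elif key == "destination-port":
            hit = pkt.get("dport") in vals
        elif key in ("address", "source-address"):  # 'address' matches source OR destination
            fields = ("src", "dst") if key == "address" else ("src",)
            hit = any(ipaddress.ip_address(pkt[f]) in ipaddress.ip_network(v) for f in fields for v in vals)
        else:
            raise ValueError(f"unsupported match condition: {key}")
        if not hit:
            return False
    return True

def evaluate(terms, pkt):
    """Return (term, action) of the first matching term; no match means implicit discard."""
    for name, t in terms:
        if term_matches(t["from"], pkt):
            return name, next(a for a in t["then"] if a in ("accept", "reject", "discard"))
    return None, "discard"
```

Running an SSH packet from 192.168.1.5 through `evaluate(parse_filter(FILTER1), ...)` lands on term2 (reject), while the same packet from 10.9.9.9 reaches term3 (accept), which is the ordering effect to keep in mind when writing these filters.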