Here’s sample firewall configuration in protecting the box and its services.
ICMP message types are essential for network administration and troubleshooting. There are quite a number of ICMP parameters, you can refer to
.
Here’s the 4 types I consider useful for troubleshooting and need to be allowed.Type 0 — Echo Reply –> response from target to host
set firewall policer limit-128k if-exceeding bandwidth-limit 128k
set firewall policer limit-128k if-exceeding burst-size-limit 15k
set firewall policer limit-128k then discard
Juniper Configuration:
set firewall family inet filter FIREWALL-RE term ICMP_PING from protocol icmp
set firewall family inet filter FIREWALL-RE term ICMP_PING from icmp-type echo-request
set firewall family inet filter FIREWALL-RE term ICMP_PING from icmp-type echo-reply
set firewall family inet filter FIREWALL-RE term ICMP_PING then policer limit-128k
set firewall family inet filter FIREWALL-RE term ICMP_PING then count ICMP
set firewall family inet filter FIREWALL-RE term ICMP_PING then accept
set firewall family inet filter FIREWALL-RE term ICMP_TTL from protocol icmp
set firewall family inet filter FIREWALL-RE term ICMP_TTL from icmp-type time-exceeded
set firewall family inet filter FIREWALL-RE term ICMP_TTL from icmp-type unreachable
set firewall family inet filter FIREWALL-RE term ICMP_TTL then policer limit-128k
set firewall family inet filter FIREWALL-RE term ICMP_TTL then accept
SSH:
It is recommended to use SSH for remote access for better security. Telnet is strictly discourage because of unencrypted communication for potential network sniffing.
Juniper Configuration:
set firewall family inet filter FIREWALL-RE term REMOTE_ACCESS from source-prefix-list SSH-PREFIX-LIST
set firewall family inet filter FIREWALL-RE term REMOTE_ACCESS from protocol tcp
set firewall family inet filter FIREWALL-RE term REMOTE_ACCESS from port ssh
set firewall family inet filter FIREWALL-RE term REMOTE_ACCESS then count REMOTE_ACCESS
set firewall family inet filter FIREWALL-RE term REMOTE_ACCESS then accept
set policy-options prefix-list SSH-PREFIX-LIST 192.168.10.101/32
set policy-options prefix-list SSH-PREFIX-LIST 192.168.10.102/32
where: 192.168.10.101 & 102 are the authorized IPs that are allowed to SSH into the device.
AAA(Tacacs):
Juniper Configuration:
set firewall family inet filter FIREWALL-RE term AAA_ALLOW from source-prefix-list TACACS-PREFIX-LIST
set firewall family inet filter FIREWALL-RE term AAA_ALLOW from protocol tcp
set firewall family inet filter FIREWALL-RE term AAA_ALLOW from source-port tacacs
set firewall family inet filter FIREWALL-RE term AAA_ALLOW then count AAA
set firewall family inet filter FIREWALL-RE term AAA_ALLOW then accept
set policy-options prefix-list TACACS-PREFIX-LIST 192.168.10.200/32
where: 192.168.10.200 is Tacacs Server
SNMP:
Juniper Configuration:
set firewall family inet filter FIREWALL-RE term SNMP_ALLOW from source-prefix-list SNMP-PREFIX-LIST
set firewall family inet filter FIREWALL-RE term SNMP_ALLOW from protocol udp
set firewall family inet filter FIREWALL-RE term SNMP_ALLOW from destination-port snmp
set firewall family inet filter FIREWALL-RE term SNMP_ALLOW then count SNMP
set firewall family inet filter FIREWALL-RE term SNMP_ALLOW then accept
set policy-options prefix-list SNMP-PREFIX-LIST 192.168.20.200/32
where: 192.168.20.200 is SNMP Polling Server
NTP:
Juniper Configuration:
set firewall family inet filter FIREWALL-RE term NTP_ALLOW from source-prefix-list NTP-PREFIX-LIST
set firewall family inet filter FIREWALL-RE term NTP_ALLOW from protocol udp
set firewall family inet filter FIREWALL-RE term NTP_ALLOW from port ntp
set firewall family inet filter FIREWALL-RE term NTP_ALLOW then policer limit-128k
set firewall family inet filter FIREWALL-RE term NTP_ALLOW then count NTP
set firewall family inet filter FIREWALL-RE term NTP_ALLOW then accept
set policy-options prefix-list NTP-PREFIX-LIST 192.168.30.200/32
where: 192.168.30.200 is NTP Server
IP Protocols
OSPF
set firewall family inet filter FIREWALL-RE term OSPF_ALLOW from protocol ospf
set firewall family inet filter FIREWALL-RE term OSPF_ALLOW then count OSPF
set firewall family inet filter FIREWALL-RE term OSPF_ALLOW then accept
LDP
set firewall family inet filter FIREWALL-RE term LDP_ALLOW from protocol tcp
set firewall family inet filter FIREWALL-RE term LDP_ALLOW from protocol udp
set firewall family inet filter FIREWALL-RE term LDP_ALLOW from port 646
set firewall family inet filter FIREWALL-RE term LDP_ALLOW then count LDP
set firewall family inet filter FIREWALL-RE term LDP_ALLOW then accept
set firewall family inet filter FIREWALL-RE term LDP_ALLOW then accept
RSVP
set firewall family inet filter FIREWALL-RE term RSVP_ALLOW from protocol rsvp
set firewall family inet filter FIREWALL-RE term RSVP_ALLOW then count RSVP
set firewall family inet filter FIREWALL-RE term RSVP_ALLOW then accept
PIM
set firewall family inet filter FIREWALL-RE term PIM_ALLOW from protocol pim
set firewall family inet filter FIREWALL-RE term PIM_ALLOW then count PIM
set firewall family inet filter FIREWALL-RE term PIM_ALLOW then accept
IGMP
set firewall family inet filter FIREWALL-RE term IGMP_ALLOW from protocol igmp
set firewall family inet filter FIREWALL-RE term IGMP_ALLOW then count IGMP
set firewall family inet filter FIREWALL-RE term IGMP_ALLOW then accept
MSDP
set firewall family inet filter FIREWALL-RE term MSDP_ALLOW from protocol tcp
set firewall family inet filter FIREWALL-RE term MSDP_ALLOW from protocol udp
set firewall family inet filter FIREWALL-RE term MSDP_ALLOW from port msdp
set firewall family inet filter FIREWALL-RE term MSDP_ALLOW then count MSDP
BGP
set firewall family inet filter FIREWALL-RE term BGP_ALLOW from source-prefix-list BGP-PREFIX-LIST
set firewall family inet filter FIREWALL-RE term BGP_ALLOW from protocol tcp
set firewall family inet filter FIREWALL-RE term BGP_ALLOW from port bgp
set firewall family inet filter FIREWALL-RE term BGP_ALLOW then count BGP
set firewall family inet filter FIREWALL-RE term BGP_ALLOW then accept
set policy-options prefix-list BGP-PREFIX-LIST 192.168.40.0/24
Others
BFD
set firewall family inet filter FIREWALL-RE term BFD_ALLOW from protocol udp
set firewall family inet filter FIREWALL-RE term BFD_ALLOW from source-port 49152-65535
set firewall family inet filter FIREWALL-RE term BFD_ALLOW from destination-port 3784
set firewall family inet filter FIREWALL-RE term BFD_ALLOW then count BFD
set firewall family inet filter FIREWALL-RE term BFD_ALLOW then accept
Traceroute
set firewall family inet filter FIREWALL-RE term TRACEROUTE from protocol udp
set firewall family inet filter FIREWALL-RE term TRACEROUTE from destination-port 33434-33678
set firewall family inet filter FIREWALL-RE term TRACEROUTE then policer limit-128k
set firewall family inet filter FIREWALL-RE term TRACEROUTE then count TRACEROUTE
set firewall family inet filter FIREWALL-RE term TRACEROUTE then accept
FINALLY…. need to put this “discard” statement at the end.
set firewall family inet filter FIREWALL-RE term REJECT_ALL then count REJECT_ALL
set firewall family inet filter FIREWALL-RE term REJECT_ALL then discard
Be First to Comment