Hardening Juniper SRX (Junos OS) against DDoS: using firewall filters to protect the Routing Engine


Before reading the article below, please read the following links:



Here we draw on 薑汁啤酒's article and add the features I use myself; please bear with me.
Before starting, the main idea of this section: use the firewall filter feature to screen the traffic destined for the Routing Engine (the device itself), permit one by one the traffic we need, then block or rate-limit the traffic that could be used for DDoS attacks (limiting its volume so the CPU is not overloaded and the system does not stall), and finally reject all traffic we have no use for.
In other words, we must know exactly which traffic we need and will use, and include it in the permitted traffic; otherwise you will find that some functions you need stop working, which makes operations troublesome.

Rate-limiting control traffic helps protect the Routing Engine from attacks in which packets are forged to look like legitimate traffic and then sent at such a high rate that they cause a DoS.

Routing and control traffic is essential to the router's normal operation, and fast convergence of routing protocols is critical for stabilizing the network when it is unstable. Although it may seem desirable to rate-limit routing-protocol traffic to guard against various attacks, it is very hard to determine a fixed maximum rate for protocol traffic, because it depends on the number of peers and adjacencies, which changes over time.
Therefore it is best not to rate-limit routing-protocol traffic.

By contrast, management traffic is less critical and more deterministic than routing-protocol traffic, so it can be managed at a fixed rate to prevent it from consuming the resources the more variable traffic needs. We recommend allocating a fixed amount of bandwidth to each type of management traffic, so that an attacker who launches an attack through any single service cannot consume all of the router's CPU.


Routing Engine protection design logic
Design approach
First, divide the traffic arriving at the router's Routing Engine into two broad categories:

1. Management traffic
2. Protocol traffic


Next, list every protocol in each of the two categories.
For example:

Management traffic
Typically SSH, SNMP, NTP, RADIUS, ICMP and traceroute.
Because firewall filters are a stateless firewall function, they cannot tell whether the traffic now arriving is the reply to traffic the router just sent out. So for every host or network device that exchanges traffic with the router's Routing Engine, you must explicitly permit its return traffic.
Consequently, for traffic the router sends out, we also need a separate term to permit the replies, for example the replies to RADIUS requests.

This matters because the design logic of the firewall filter we plan to use to protect the Routing Engine, Protect-RE (protect routing engine), is: after permitting all allowed traffic, drop everything that was not permitted. This is a deny-all design (the filter's last term is "then reject").
That makes filter Protect-RE harder to design and maintain: you must be sure that every kind of traffic you use has been permitted, otherwise some network functions will inevitably stop working because they were never opened. Fortunately we apply filter Protect-RE only to the Routing Engine, not to ordinary ingress and egress interfaces, so ordinary network traffic is unaffected; only traffic whose destination is the SRX device itself is subject to filter Protect-RE.
An ordinary firewall filter, by contrast, follows an allow-all design: after permitting or blocking the target traffic, the filter's last term is "then accept". We will see this pattern often later. The reason is that a firewall filter compares incoming traffic against each term in order, and if nothing matches, the traffic is dropped by the implicit deny (the implicit deny-all design). So we usually add an accept-all term as the last term of the filter.
Explicit Deny All design:
firewall {
    filter Protect-RE {
        term Allow-fragments {
            from {
                is-fragment;
            }
            then {
                policer limit-1m;
                count Protect-RE-Allow-fragments;
                accept;
            }
        }
        term Deny-all {
            then {
                count Protect-RE-Deny-all;
                log;
                reject;
            }
        }
    }
}

Implicit Deny All design:
firewall {
    filter Protect-RE {
        term Allow-fragments {
            from {
                is-fragment;
            }
            then {
                policer limit-1m;
                count Protect-RE-Allow-fragments;
                accept;
            }
        }
    }
}

Accept All design:
firewall {
    filter Protect-RE {
        term Allow-fragments {
            from {
                is-fragment;
            }
            then {
                policer limit-1m;
                count Protect-RE-Allow-fragments;
                accept;
            }
        }
        term Accept-all {
            then {
                count Protect-RE-Accept-all;
                log;
                accept;
            }
        }
    }
}

This design applies when the filter is attached with the input statement:
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT_RE;
                }
            }
        }
    }
}

But it does not hold for the input-list statement, shown below:
input-list [ Management-Access Protect-RE Discard-All ]

We apply three filters to the interface in total. If the first filter, Management-Access, used the Accept All design, the two filters after it would never take effect, because packets would be accepted by the last term of Management-Access.
So for input-list to work correctly, each firewall filter must follow the implicit Deny All design, and the Discard-All or Accept-All filter is added at the end.

The Discard-All and Accept-All filters are built as follows:
firewall {
    filter Discard-All {
        term 1 {
            from {
                source-address {
                    0.0.0.0/0;
                }
            }
            then {
                count Filter-Discard-All;
                syslog;
                discard;
            }
        }
    }
}
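The input-list behaviour described above, as an added example (not code from the original page or from Juniper): a small model of Junos filter evaluation following the page's description (terms checked in order, the first matching terminating term decides, a matching term without an action accepts, the filters of an input-list are walked as one concatenated sequence, and anything left over is implicitly discarded). The prefix lists, ports and packets are constructed sample data loosely modelled on the page's Management-ACL, Protect-RE and Discard-All filters.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

Packet = dict   # constructed sample packet: {"proto": ..., "src": ..., "dport": ...}

# Constructed stand-ins for the page's Mgmt-nets and BGP-Neighbors prefix lists.
PREFIX_LISTS = {
    "Mgmt-nets": ["192.168.5.0/28", "192.168.1.150/32"],
    "BGP-Neighbors": ["10.0.0.2/32"],
}


def from_(proto: Optional[str] = None, dport=None,
          source_prefix_list: Optional[str] = None) -> Callable[[Packet], bool]:
    """Build the equivalent of a term's 'from' clause.

    All given conditions must hold (Junos ANDs the match fields); a list of
    ports or prefixes is ORed within itself. With no conditions at all the
    term matches every packet, like a term that has no 'from' clause."""
    ports = set(dport or [])
    nets = [ipaddress.ip_network(p) for p in PREFIX_LISTS.get(source_prefix_list, [])]

    def match(pkt: Packet) -> bool:
        if proto and pkt.get("proto") != proto:
            return False
        if ports and pkt.get("dport") not in ports:
            return False
        if source_prefix_list and not any(ipaddress.ip_address(pkt["src"]) in n for n in nets):
            return False
        return True
    return match


@dataclass
class Term:
    name: str
    match: Callable[[Packet], bool] = from_()   # default: match everything
    action: str = "accept"   # accept (Junos default), discard, reject or next-term


@dataclass
class Filter:
    name: str
    terms: List[Term] = field(default_factory=list)


def evaluate(input_list: List[Filter], pkt: Packet) -> Tuple[str, str]:
    """Walk the concatenated terms in order and return (action, 'filter/term').

    The first matching term with a terminating action decides the packet;
    'next-term' continues the search; a packet nothing terminates is
    discarded by the implicit deny at the end of the whole list."""
    for flt in input_list:
        for term in flt.terms:
            if term.match(pkt) and term.action != "next-term":
                return term.action, f"{flt.name}/{term.name}"
    return "discard", "implicit-deny"


def management_acl(with_accept_all: bool) -> Filter:
    """The page's Management-ACL: permit management ports from Mgmt-nets and
    drop those ports from everywhere else. The optional trailing accept_all
    term is the mistake the text warns about."""
    terms = [
        Term("Allow_IP", from_("tcp", [22, 443, 23, 80], "Mgmt-nets"), "accept"),
        Term("Deny_IP", from_("tcp", [22, 443, 23, 80]), "discard"),
    ]
    if with_accept_all:
        terms.append(Term("accept_all"))   # matches everything and accepts
    return Filter("Management-ACL", terms)


# A two-term stand-in for the page's Protect-RE (SNMP is tied to Mgmt-nets
# here for brevity; the page uses a separate SNMP-Servers list).
PROTECT_RE = Filter("Protect-RE", [
    Term("Allow-BGP", from_("tcp", [179], "BGP-Neighbors"), "accept"),
    Term("Allow-SNMP", from_("udp", [161], "Mgmt-nets"), "accept"),
])
DISCARD_ALL = Filter("Discard-All", [Term("1", action="discard")])


def good_input_list() -> List[Filter]:
    """input-list [ Management-ACL Protect-RE Discard-All ], no accept-all inside."""
    return [management_acl(False), PROTECT_RE, DISCARD_ALL]


def bad_input_list() -> List[Filter]:
    """Same list, but Management-ACL ends with accept_all: nothing after it ever runs."""
    return [management_acl(True), PROTECT_RE, DISCARD_ALL]


if __name__ == "__main__":
    samples = [   # constructed packets
        {"proto": "tcp", "src": "203.0.113.9", "dport": 179},   # BGP SYN from a non-peer
        {"proto": "udp", "src": "203.0.113.9", "dport": 161},   # SNMP from an unknown host
        {"proto": "tcp", "src": "192.168.5.3", "dport": 22},    # SSH from Mgmt-nets
    ]
    for pkt in samples:
        print(pkt, "good:", evaluate(good_input_list(), pkt), "bad:", evaluate(bad_input_list(), pkt))
```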



Protocol traffic
Typically OSPF, RIP and BGP, or MPLS-related protocols such as LDP and RSVP.
Based on the port characteristics of each protocol, write the permitted source and destination ports into the term, along with the address sets of the neighbours on either side whose protocol traffic is allowed to reach the Routing Engine.


With the analysis done, let's walk through a worked configuration: Juniper firewall filter examples with explanations.



First, a word on how firewall filter is used; look at the following two commands:
set firewall filter Protect-RE term Allow-DHCP from port dhcp
set firewall filter family inet Protect-RE term Allow-DHCP from port dhcp

What is the difference between "set firewall filter" and "set firewall filter family inet"?
Look at the following output:
[edit]
root@srx100# set firewall ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> family               Protocol family
> filter               Define an IPv4 firewall filter
> interface-set        Interface set definition
> policer              Policer template definition
[edit]
root@srx100# set firewall family ?
Possible completions:
> any                  Protocol-independent filter
> bridge               Protocol family BRIDGE for firewall filter
> ccc                  Protocol family CCC for firewall filter
> inet                 Protocol family IPv4 for firewall filter
> inet6                Protocol family IPv6 for firewall filter
> mpls                 Protocol family MPLS for firewall filter
> vpls                 Protocol family VPLS for firewall filter
[edit]
root@srx100#
It turns out the two mean the same thing: a firewall filter defaults to the IPv4 protocol family, the IP addressing we use every day.
We can configure firewall filters to serve different protocol families, and the families available vary slightly by device platform.



Improving firewall performance
An SRX firewall filter contains many terms; each term represents one firewall rule, in which you specify the match conditions and the action to take when they match.
Since the firewall's CPU capacity is fixed, how can we improve its performance? The answer lies in the design and ordering of the firewall rules.
Every match condition added to a rule consumes a bit more firewall resource, which is especially noticeable on high-traffic sites, so using as few, and as accurate, match conditions as possible is what we all aim for.
Suppose a firewall filter has 100 terms. When a packet arrives, it is compared against the first term's match conditions; if they do not match, the next term is tried, and so on until a matching term is found and its action is applied to the packet. If no term matches, then with an allow-all filter the packet is accepted at the last (100th) term; with a deny-all filter it is dropped at the last term.
This is where the problem arises: suppose you have a term that matches 50% of your network's traffic, and without noticing you placed it at position 90, so that 50% of your packets are compared against terms 1 through 90, degrading network performance; then your boss happens to hear of it and gives serious thought to whether you are suited to the job... Of course, this is only hypothetical.
So how do we find out which terms are the hot ones? By configuring a counter on each term. (Note: these counters live in the SRX device's memory and reset to zero on reboot.)
For example, run the following command:
root@srx100a> set firewall filter In-bound term IPsec then count In-bound-IPsec

Then we can view the result with the following command:
root@srx100a> show firewall filter In-bound
Filter: In-bound                                              
Counters:
Name                                           Bytes              Packets
In-bound                                      572096                 4228
In-bound-IPsec                                566200                 4163
In-bound-IPsec-udp                              4408                   29
In-bound-OSPF                                      0                    0
Policers:
Name                                           Bytes              Packets
Limit-20m-Limit-20m                                                     0

Or you can run the following commands:
root@srx100a> show firewall filter   /* show all counters */
root@srx100a> show firewall filter In-bound counter In-bound-IPsec-udp
root@srx100a> clear firewall all   /* clear all counters to zero */

Finally, using the counter statistics collected, we can reorder the terms of the firewall filter to optimise it.
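The counter-driven reordering just described, as an added example (not code from the original page or from Juniper): a parser for the plain-text output of "show firewall filter <name>" shown above, which ranks the filter's terms by packet count. It relies on the page's convention that a term's counter is named filter-name + term-name; the sample output is constructed from the page's example.

```python
from typing import Dict, List, Tuple

# Constructed from the page's example output above.
SAMPLE_OUTPUT = """\
Filter: In-bound
Counters:
Name                                           Bytes              Packets
In-bound                                      572096                 4228
In-bound-IPsec                                566200                 4163
In-bound-IPsec-udp                              4408                   29
In-bound-OSPF                                      0                    0
Policers:
Name                                           Bytes              Packets
Limit-20m-Limit-20m                                                     0
"""


def parse_show_firewall_filter(text: str) -> dict:
    """Parse 'show firewall filter <name>' output.

    Returns {'filter': name, 'counters': {name: (bytes, packets)},
    'policers': {name: packets}}. Policer rows in this output carry only a
    packet count (the discarded packets), so only that column is read."""
    result = {"filter": None, "counters": {}, "policers": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Filter:"):
            result["filter"] = line.split(":", 1)[1].strip()
        elif line == "Counters:":
            section = "counters"
        elif line == "Policers:":
            section = "policers"
        elif line.startswith("Name") or section is None:
            continue   # column header, or text before any section
        else:
            parts = line.split()
            if section == "counters" and len(parts) == 3:
                result["counters"][parts[0]] = (int(parts[1]), int(parts[2]))
            elif section == "policers" and len(parts) >= 2:
                result["policers"][parts[0]] = int(parts[-1])
    return result


def term_counters(parsed: dict) -> Dict[str, Tuple[int, int]]:
    """Keep only counters named <filter>-<term>, the page's naming convention,
    dropping a counter that carries the bare filter name."""
    prefix = parsed["filter"] + "-"
    return {n: v for n, v in parsed["counters"].items() if n.startswith(prefix)}


def rank_terms(parsed: dict) -> List[Tuple[str, int, float]]:
    """Return [(term, packets, share)] hottest first; share is the fraction
    of all term-counter packets (0.0 when nothing has been counted yet)."""
    prefix_len = len(parsed["filter"]) + 1
    counters = term_counters(parsed)
    total = sum(pk for _, pk in counters.values())
    ranked = sorted(counters.items(), key=lambda kv: kv[1][1], reverse=True)
    return [(name[prefix_len:], pk, pk / total if total else 0.0)
            for name, (_, pk) in ranked]


def suggested_order(parsed: dict) -> List[str]:
    """Term names in the order the page's advice implies: hottest first.
    Whether a term may actually move depends on overlap with its
    neighbours, so treat this as a worklist, not a command."""
    return [term for term, _, _ in rank_terms(parsed)]


if __name__ == "__main__":
    parsed = parse_show_firewall_filter(SAMPLE_OUTPUT)
    for term, packets, share in rank_terms(parsed):
        print(f"{term:<12} {packets:>8} packets  {share:6.1%}")
```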



Notes before starting:
Because the firewall filter Protect-RE follows a deny-all design, to avoid disrupting a running network we not only set a counter on each term to observe traffic and adjust term order, but also run a trial period first: during the trial we change the final deny-all term to accept-all, record the counters and syslog, and then review the syslog statistics. Because the last term in production will be deny-all, observing that traffic without dropping it is essential, to avoid killing legitimate business traffic by mistake.
Fortunately we apply the firewall filter Protect-RE only to the Routing Engine, not to ordinary ingress and egress interfaces, so what we need to observe is only the traffic that tries to reach the SRX device itself and would be rejected.
After the trial period, once you are sure no traffic is wrongly blocked, change the last term back to deny-all.
Since every organisation's network environment differs, we collect as many workable terms as we can for your reference.



Term note: the address lists created here are referenced by later terms.
set policy-options prefix-list BGP-Neighbors apply-path "protocols bgp group <*> neighbor <*>"
set policy-options prefix-list IPv4-Interfaces apply-path "interfaces <*> unit <*> family inet address <*>"
set policy-options prefix-list OSPF-All-Routers 172.16.123.68/32
set policy-options prefix-list IPSec-Peer-Addresses 172.16.123.68/32
set policy-options prefix-list NTP-Servers apply-path "system ntp server <*>"
set policy-options prefix-list SNMP-Servers apply-path "snmp community <*> clients <*>"
set policy-options prefix-list RADIUS-Servers apply-path "system radius-server <*>"
set policy-options prefix-list LOCALHOST 127.0.0.0/8
set policy-options prefix-list Mgmt-nets 192.168.1.150/32
set policy-options prefix-list Mgmt-nets 192.168.1.200/32
set policy-options prefix-list Mgmt-nets 192.168.5.0/28
set policy-options prefix-list Mgmt-nets 192.168.5.150/32
set policy-options prefix-list Mgmt-nets 192.168.5.200/32

A small configuration tip
Because the built-in keywords of the Juniper Junos CLI are all lowercase, we strongly recommend using uppercase letters in user-defined names, so that when reviewing the configuration you can tell at a glance which items are user-defined names and which are built-in keywords. Usually capitalising the first letter of a name is enough, but you may use all uppercase if you prefer.

Building dynamic prefix-lists with apply-path
A default-deny firewall filter can be a little troublesome to manage, because you permit only specific hosts and protocols and reject all other traffic.
So what happens when you change the NTP server or add a new BGP peer? Right: you must remember to update the firewall filter, or it will not work properly.
The apply-path feature in Junos creates a prefix-list dynamically from a matching template applied to the Junos configuration. This reduces redundant information in the configuration, makes it more readable, and lowers the chance of configuration oversights.
The template uses the wildcard "*": apply-path "interfaces <*> unit <*> family inet address <*>" means every IP address on every subunit of every interface.

An example:
[edit]
root@srx100# show system ntp   /* show the NTP configuration */
boot-server 192.168.3.2;
authentication-key 1 type md5 value "$9$-kboZjHqKvMWLNs4"; ## SECRET-DATA
server 192.168.3.2 key 1 prefer; ## SECRET-DATA
server 192.168.33.2 key 1; ## SECRET-DATA
trusted-key 1;
source-address 172.25.44.132;

[edit]
root@srx100# edit policy-options prefix-list NTP-Servers   /* edit the dynamic prefix-list */

[edit policy-options prefix-list ntp-Servers]
root@srx100# set apply-path "system ntp server <*>"   /* configure the dynamic prefix-list */

[edit policy-options prefix-list ntp-Servers]
root@srx100# show   /* show the resulting dynamic prefix-list configuration */
apply-path "system ntp server <*>";

[edit policy-options prefix-list ntp-Servers]
root@srx100-RE0# show | display inheritance
##    what the dynamic prefix-list expands to
## apply-path was expanded to:
## 192.168.3.2;
## 192.168.33.2;
##
apply-path "system ntp server <*>";

[edit policy-options prefix-list ntp-Servers]
root@srx100-RE0# top

[edit]
root@srx100# show policy-options prefix-list ipv4-interfaces | display inheritance
##      every IPv4 address or subnet assigned on any interface of the device is listed
## apply-path was expanded to:
##     150.166.111.0/24;
##     192.168.115.0/24;
##     192.168.116.0/24;
##     192.168.117.0/24;
##     127.0.0.66/32;
##     1.1.100.0/24;
##     192.168.111.0/24;
##
apply-path "interfaces <*> unit <*> family inet address <*>";

[edit]
root@srx100#


The commands above can also be run as follows:
show system ntp
set policy-options prefix-list NTP-Servers apply-path "system ntp server <*>"
show policy-options prefix-list NTP-Servers
show policy-options prefix-list NTP-Servers | display inheritance


Example of a BGP prefix-list:
prefix-list bgp179 {
    apply-path "protocols bgp group <*> neighbor <*>";
}

matjaz@router> show policy-options
prefix-list Router-IPv6 {
    apply-path  "interfaces <*> unit <*> family inet6 address <2*>";
}
matjaz@router> show policy-options prefix-list Router-IPv6 | display inheritance
##
## apply-path was expanded to:
##     2001:***::/112;
##     2001:***::c/126;
##     2001:***::/64;
##     2001:***::1/128;
##
apply-path "interfaces <*> unit <*> family inet6 address <2*>";


Various prefix-list examples:
policy-options {
    prefix-list Router-IPv4 {
        apply-path "interfaces <*> unit <*> family inet address <*>";
    }
    prefix-list BGP-Neighbors {
        apply-path "protocols bgp group <*> neighbor <*>";
    }
    prefix-list Router-IPv4-logical-systms {
        apply-path "logical-systems <*> interfaces <*> unit <*> family inet address <*>";
    }
    prefix-list BGP-Neighbors-logical-systems {
        apply-path "logical-systems <*> protocols bgp group <*> neighbor <*>";
    }
    prefix-list bgp179 {
        apply-path "protocols bgp group <*> neighbor <*>";
    }
    prefix-list IPV4-BGP-NEIGHBORS {
       apply-path "protocols bgp group <*> neighbor <*.*.*.*>";
    }
    prefix-list IPV6-BGP-NEIGHBORS {
       apply-path "protocols bgp group <*> neighbor <*:*:*>";
    }
    prefix-list RADIUS-Servers {
        apply-path "system radius-server <*>";
    }
    prefix-list tacas-Servers {
        apply-path "system tacplus-server <*>";
    }
    prefix-list NTP-server {
        apply-path "system ntp server <*>";
    }
    prefix-list SNMP-client-lists {
        apply-path "snmp client-list <*> <*>";
    }
    prefix-list SNMP-community-clients {
        apply-path "snmp community <*> clients <*>";
    }
    prefix-list LOCALHOST {
        127.0.0.1/32;
    }
    prefix-list NTP-server-peers {
        apply-path "system ntp peer <*>";
    }
    prefix-list dns-Servers {
        apply-path "system name-server <*>";
    }
}
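The apply-path expansion shown in the "display inheritance" output above, as an added example (not code from the original page or from Juniper): each <...> token is a wildcard matched against the statement names at that level of the configuration, literal tokens must match exactly, and the names matched by the last token become the prefix-list entries. Shell-style matching for tokens such as <2*>, <*.*.*.*> and <*:*:*>, and the normalisation of interface addresses to their network prefix, are assumptions; the configuration tree is a constructed sample shaped like the page's ntp, interfaces and bgp stanzas.

```python
import fnmatch
import ipaddress
from typing import Dict, List

ConfigTree = Dict[str, dict]   # statement name -> child statements

# Constructed sample configuration (documentation/test address ranges).
CONFIG: ConfigTree = {
    "system": {"ntp": {
        "boot-server": {"192.168.3.2": {}},
        "server": {"192.168.3.2": {"key": {"1": {}}, "prefer": {}},
                   "192.168.33.2": {"key": {"1": {}}}},
        "source-address": {"172.25.44.132": {}},
    }},
    "interfaces": {
        "ge-0/0/0": {"unit": {"0": {"family": {
            "inet": {"address": {"192.168.115.1/24": {}}},
            "inet6": {"address": {"2001:db8:115::1/64": {}, "fe80::1/64": {}}}}}}},
        "lo0": {"unit": {"0": {"family": {"inet": {"address": {"127.0.0.66/32": {}}}}}}},
    },
    "protocols": {"bgp": {"group": {
        "ebgp-v4": {"neighbor": {"10.0.0.2": {}, "10.0.0.6": {}}},
        "ebgp-v6": {"neighbor": {"2001:db8::2": {}}},
    }}},
}


def expand_apply_path(config: ConfigTree, path: str) -> List[str]:
    """Return the sorted statement names selected by an apply-path string.

    A token written as <pattern> is a wildcard matched against every child
    name at that level (shell-style, so <*>, <2*> and <*.*.*.*> all work);
    any other token must match a child name exactly. The names matched by
    the final token are the entries 'display inheritance' would list."""
    tokens = path.split()
    found = set()

    def walk(node: ConfigTree, depth: int) -> None:
        token = tokens[depth]
        last = depth == len(tokens) - 1
        if token.startswith("<") and token.endswith(">"):
            candidates = [n for n in node if fnmatch.fnmatchcase(n, token[1:-1])]
        else:
            candidates = [token] if token in node else []
        for name in candidates:
            if last:
                found.add(name)
            else:
                walk(node[name], depth + 1)

    if tokens:
        walk(config, 0)
    return sorted(found)


def as_prefixes(entries: List[str]) -> List[str]:
    """Normalise expanded entries to prefixes: an interface address becomes
    its network (as in the page's expanded output) and a bare address
    becomes a host prefix. This normalisation is an assumption about
    prefix-list semantics, not something the page states."""
    return sorted(str(ipaddress.ip_network(e, strict=False)) for e in entries)


if __name__ == "__main__":
    for path in ("system ntp server <*>",
                 "interfaces <*> unit <*> family inet address <*>",
                 "protocols bgp group <*> neighbor <*.*.*.*>"):
        print(path, "->", as_prefixes(expand_apply_path(CONFIG, path)))
```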



Term note: this term exists because the WAN interface is configured as a DHCP client, so the DHCP ports [ 67 68 ] must be opened for the WAN interface to obtain an IP address.
On naming counters: to avoid duplicate names and confusion, my habit is to name them firewall-filter-name + term-name.
One more point to explain here concerns the policer rate limits.
In this example the firewall filter is applied to the Routing Engine, so the real bandwidth is the interface rate, not the inbound/outbound Internet circuit limit.
Because the interface bandwidth is ample, there is no need to set the rate limits to the last bit: too large leaves room for flooding, too small gets in the way of business growth, so with ample bandwidth it is necessary to leave reasonable headroom.
The actual values should still be based on long-term statistics from your own network.
A DHCP server and its clients should be on the same physical segment. The back-and-forth of DHCP packets between server and client looks roughly like this:




set firewall filter Protect-RE term Allow-DHCP from port [ 67 68 ]
set firewall filter Protect-RE term Allow-DHCP then policer Limit-1m
set firewall filter Protect-RE term Allow-DHCP then count Protect-RE-Allow-DHCP
set firewall filter Protect-RE term Allow-DHCP then accept




Term note: DNS port (53) is needed when you run traceroute from the console.
You may use either the built-in port name or the port number 53.
The built-in Junos port names and numbers are:
afs (1483), bgp (179), biff (512), bootpc (68), bootps (67), cmd (514), cvspserver (2401), dhcp (67), domain (53), eklogin (2105), ekshell (2106), exec (512), finger (79), ftp (21), ftp-data (20), http (80), https (443), ident (113), imap (143), kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544), ldap (389), login (513), mobileip-agent (434), mobilip-mn (435), msdp (639), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123), pop3 (110), pptp (1723), printer (515), radacct (1813), radius (1812), rip (520), rkinit (2108), smtp (25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525), who (513), xdmcp (177), zephyr-clt (2103), or zephyr-hm (2104)

set firewall filter Protect-RE term Allow-DNS from port domain
set firewall filter Protect-RE term Allow-DNS from protocol [ tcp udp ]
set firewall filter Protect-RE term Allow-DNS then policer Limit-1m
set firewall filter Protect-RE term Allow-DNS then count Protect-RE-DNS
set firewall filter Protect-RE term Allow-DNS then accept



Term note: this term protects against TCP SYN flood attacks.
First match all BGP neighbour addresses and management addresses, then match TCP segments whose flags are SYN, FIN or RST but not SYN ACK, and finally use a QoS policer to limit bursts to at most 500k.
To prevent ICMP floods and similar attacks against the Routing Engine, we recommend rate-limiting ICMP traffic directed at the router. An attacker can use several different types of ICMP message to degrade the router or the performance of a scanned machine, so we recommend permitting only those ICMP message types needed for proper network operation and troubleshooting.
Another common form of attack is the TCP SYN flood, in which the attacker uses a script or program to create TCP connection requests (SYN messages) faster than the victim can release them. For that reason we recommend rate-limiting TCP SYN messages. Since establishing a TCP connection takes only a three-way handshake, the rate of incoming SYN packets can safely be limited to 1000 Kbps.

set firewall filter Protect-RE term Synflood-Protect from source-prefix-list [ OSPF-All-Routers BGP-Neighbors IPv4-Interfaces ]
set firewall filter Protect-RE term Synflood-Protect from protocol tcp
set firewall filter Protect-RE term Synflood-Protect from tcp-flags "(syn & !ack) | fin | rst"
set firewall filter Protect-RE term Synflood-Protect then policer Limit-1m
set firewall filter Protect-RE term Synflood-Protect then count Protect-RE-Synflood
set firewall filter Protect-RE term Synflood-Protect then accept

Additional configuration:
set policy-options prefix-list BGP-Neighbors apply-path "protocols bgp group <*> neighbor <*>"
This command automatically matches the IP addresses of all BGP neighbours under the global configuration, so we no longer need to configure addresses one by one, and the chance of omissions is gone.
set policy-options prefix-list IPv4-Interfaces apply-path "interfaces <*> unit <*> family inet address <*>"
This command automatically matches every IPv4 address assigned on the router's interfaces.

P.S. Some readers may not be familiar with these fun and efficient Junos features; see the other Junos article by 薑汁啤酒: 回車恐懼症?13 JUNOS 技巧助你輕鬆無憂配置網絡 (Enter-key phobia? 13 Junos tips for effortless network configuration).



Term note: this term permits neighbouring routers to initiate BGP sessions to this router; the destination address range is all of the local router's IP addresses.
Note the destination-port line, destination port 179 (bgp). Because this firewall filter is ultimately applied in the input direction of the Routing Engine, destination port 179 points at the router itself.
set firewall filter Protect-RE term Allow-BGP from source-prefix-list BGP-Neighbors
set firewall filter Protect-RE term Allow-BGP from destination-prefix-list IPv4-Interfaces
set firewall filter Protect-RE term Allow-BGP from protocol tcp
set firewall filter Protect-RE term Allow-BGP from destination-port bgp
set firewall filter Protect-RE term Allow-BGP then count Protect-RE-BGP
set firewall filter Protect-RE term Allow-BGP then accept



Term note: this term permits the OSPF protocol.
set firewall filter Protect-RE term Allow-OSPF from source-prefix-list IPv4-Interfaces
set firewall filter Protect-RE term Allow-OSPF from destination-prefix-list OSPF-All-Routers
set firewall filter Protect-RE term Allow-OSPF from destination-prefix-list IPv4-Interfaces
set firewall filter Protect-RE term Allow-OSPF from protocol ospf
set firewall filter Protect-RE term Allow-OSPF then count Protect-RE-OSPF
set firewall filter Protect-RE term Allow-OSPF then accept



Term note: this term permits IPsec packets, rate-limited to 5 Mbps.
Port numbers used by VPNs:
Internet Protocol Security (IPSec): uses IP protocol 50 for the Encapsulating Security Payload (ESP), IP protocol 51 for the Authentication Header (AH), and UDP port 500 for IKE phase 1 and phase 2 negotiation. If NAT-T is used for IKE phase 1 and phase 2 negotiation, UDP ports 500 and 4500 are used.
Secure Sockets Layer (SSL): uses TCP port 443 and encrypts the data sent over the SSL connection with a private key. SSL also uses 465 (secure SMTP), 993 (secure IMAP) and 995 (secure POP).
Layer Two Tunneling Protocol (L2TP): uses TCP port 1701 and is an extension of the Point-to-Point Tunneling Protocol. L2TP is commonly combined with IPSec to build virtual private networks (VPNs).
Point-to-Point Tunneling Protocol (PPTP): uses TCP port 1723 and IP protocol 47, Generic Routing Encapsulation (GRE). PPTP provides low-cost private connectivity to a corporate network over the Internet and suits people who work from home or while travelling and need access to their company network. It is commonly used to reach Microsoft Remote Access Servers (RAS).
The above are the port numbers the various VPNs use. One addition on L2TP: since L2TP is usually used together with IPSec (L2TP over IPSec), both the L2TP ports and the IPSec ports must be opened.

set firewall filter Protect-RE term Allow-IPSec from source-prefix-list IPSec-Peer-Addresses
set firewall filter Protect-RE term Allow-IPSec from protocol [ ah esp ]
set firewall filter Protect-RE term Allow-IPSec then policer Limit-5m
set firewall filter Protect-RE term Allow-IPSec then count Protect-RE-IPSec
set firewall filter Protect-RE term Allow-IPSec then accept

set firewall filter Protect-RE term Allow-IPSec-UDP from source-prefix-list IPSec-Peer-Addresses
set firewall filter Protect-RE term Allow-IPSec-UDP from protocol udp
set firewall filter Protect-RE term Allow-IPSec-UDP from port [ 500 4500 ]
set firewall filter Protect-RE term Allow-IPSec-UDP then policer Limit-5m
set firewall filter Protect-RE term Allow-IPSec-UDP then count Protect-RE-IPSec-UDP
set firewall filter Protect-RE term Allow-IPSec-UDP then accept



Term note: this term permits the SSH protocol, with SSH traffic policed to a maximum of 5 Mbps.
set firewall filter Protect-RE term Allow-SSH from source-prefix-list Mgmt-nets
set firewall filter Protect-RE term Allow-SSH from protocol tcp
set firewall filter Protect-RE term Allow-SSH from destination-port ssh
set firewall filter Protect-RE term Allow-SSH then policer Limit-5m
set firewall filter Protect-RE term Allow-SSH then count Protect-RE-SSH
set firewall filter Protect-RE term Allow-SSH then accept



Term note: this term permits the SNMP protocol, rate-limited to 1 Mbps.
set firewall filter Protect-RE term Allow-SNMP from source-prefix-list SNMP-Servers
set firewall filter Protect-RE term Allow-SNMP from protocol udp
set firewall filter Protect-RE term Allow-SNMP from destination-port snmp
set firewall filter Protect-RE term Allow-SNMP then policer Limit-1m
set firewall filter Protect-RE term Allow-SNMP then count Protect-RE-SNMP
set firewall filter Protect-RE term Allow-SNMP then accept



Term note: this term permits the NTP protocol, rate-limited to 500 kbps.
set firewall filter Protect-RE term Allow-NTP from source-prefix-list NTP-Servers
set firewall filter Protect-RE term Allow-NTP from source-prefix-list LOCALHOST
set firewall filter Protect-RE term Allow-NTP from protocol udp
set firewall filter Protect-RE term Allow-NTP from destination-port ntp
set firewall filter Protect-RE term Allow-NTP then policer Limit-500k
set firewall filter Protect-RE term Allow-NTP then count Protect-RE-NTP
set firewall filter Protect-RE term Allow-NTP then accept



Term note: this term permits the RADIUS protocol, rate-limited to 1000 kbps.
Remote Authentication Dial In User Service (RADIUS) is an AAA protocol, that is, a network protocol that provides authentication, authorization and accounting together. It is typically used for network access or mobile IP services and suits both local networks and roaming services.
Early RADIUS deployments used UDP port 1645, which conflicted with the "datametrics" service. Because of that conflict, RFC 2865 officially assigned port 1812 to RADIUS.
On most Cisco devices the RADIUS accounting port is 1646, but it may also be 1813 (because of the port change specified in RFC 2139).
Early RADIUS used ports 1645 and 1646 for authentication and accounting; today's RADIUS mostly uses ports 1812 and 1813.
set firewall filter Protect-RE term Allow-RADIUS from source-prefix-list RADIUS-Servers
set firewall filter Protect-RE term Allow-RADIUS from protocol udp
set firewall filter Protect-RE term Allow-RADIUS from source-port [ radius radacct 1645 1646 ]
set firewall filter Protect-RE term Allow-RADIUS then policer Limit-1m
set firewall filter Protect-RE term Allow-RADIUS then count Protect-RE-RADIUS
set firewall filter Protect-RE term Allow-RADIUS then accept



Term note: this term restricts fragmented ICMP packets.
The Internet Control Message Protocol (ICMP) provides error reporting and network diagnostics. Because the information an ICMP packet carries is short, there is no legitimate reason to split an ICMP packet into fragments; an ICMP packet large enough to require fragmentation is probably a problem.
set firewall filter Protect-RE term ICMP-frags from is-fragment
set firewall filter Protect-RE term ICMP-frags from protocol icmp
set firewall filter Protect-RE term ICMP-frags then syslog
set firewall filter Protect-RE term ICMP-frags then count Protect-RE-ICMP-frags
set firewall filter Protect-RE term ICMP-frags then discard

Firewall filter bit-field match conditions
(match condition, followed by its description)

Conditions with variables

fragment-flags number
IP fragmentation flags. (Ingress only) Matches the three-bit IP fragmentation flags field in the IP header.
Instead of the numeric field value you can specify one of the following aliases (field values in parentheses):
dont-fragment (0x4), more-fragments (0x2), or reserved (0x8)

ip-options number
Matches the 8-bit IP options field, if present, against the specified value or list of values.
Instead of the numeric value you can specify one of the following aliases (field values in parentheses):
loose-source-route (131), record-route (7), router-alert (148), strict-source-route (137), or timestamp (68).

tcp-flags number
TCP flags. Normally you specify this match together with a protocol match statement, to determine the protocol in use on the port. Instead of the numeric value you can specify one of the following text synonyms (field values in parentheses):
ack (0x10), fin (0x01), push (0x08), rst (0x04), syn (0x02), or urgent (0x20).
To match any value of the IP options, use the keyword any.
To match several values, list them in square brackets: [ ack fin syn ]
To match a range of values, use the value specification [ value1-value2 ]

Text synonyms

first-fragment
Matches if the packet is the first fragment of a fragmented packet.
Does not match if the packet is a trailing fragment of a fragmented packet.
This condition does not match unfragmented packets.
The first fragment of a fragmented packet has a fragment offset value of 0.
Equivalent to the bit-field match condition fragment-offset 0.
To match both first and trailing fragments, use two terms that specify different match conditions: first-fragment and is-fragment.

is-fragment
Matches if the packet is a trailing fragment of a fragmented packet. Does not match the first fragment of a fragmented packet.
Equivalent to the bit-field match condition fragment-offset-except 0.
Note: to match both first and trailing fragments, use two terms that specify different match conditions (first-fragment and is-fragment).

tcp-established
Matches the TCP packets that follow the first TCP packet of an established TCP session.
Equivalent to the match condition tcp-flags "(ack | rst)".
This condition does not implicitly check that the protocol is TCP. If you configure this match condition, we recommend adding the protocol tcp match condition in the same term.

tcp-initial
Matches the first TCP packet of a TCP session (the initial packet of a TCP connection).
Equivalent to the match condition tcp-flags "(!ack & syn)".
This condition does not implicitly check that the protocol is TCP. If you configure this match condition, we recommend adding the protocol tcp match condition in the same term.
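The tcp-flags expressions used by the Synflood-Protect term above and by the tcp-established and tcp-initial synonyms, as an added example (not code from the original page or from Juniper): a parser and evaluator for the expression grammar the page uses ("&" and, "|" or, "!" not, parentheses, the flag names with the values listed in the table, and numeric literals), applied to the flags byte of a TCP segment so a match condition can be checked offline before it goes into a filter. Reading a numeric literal as "all of these bits set" is an assumption.

```python
# Flag names and values as listed in the bit-field table above.
TCP_FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
                 "push": 0x08, "ack": 0x10, "urgent": 0x20}

SYNFLOOD_PROTECT = "(syn & !ack) | fin | rst"   # the page's Synflood-Protect term
TCP_ESTABLISHED = "(ack | rst)"                  # what tcp-established expands to
TCP_INITIAL = "(!ack & syn)"                     # what tcp-initial expands to


def tokenize(expr: str) -> list:
    """Split an expression into the operators ( ) & | ! and flag/number words."""
    tokens, i = [], 0
    while i < len(expr):
        ch = expr[i]
        if ch.isspace():
            i += 1
        elif ch in "()&|!":
            tokens.append(ch)
            i += 1
        else:
            j = i
            while j < len(expr) and (expr[j].isalnum() or expr[j] in "-_"):
                j += 1
            if j == i:
                raise ValueError(f"unexpected character {ch!r} at offset {i}")
            tokens.append(expr[i:j])
            i = j
    return tokens


class _Parser:
    """Recursive descent: or := and ('|' and)*; and := not ('&' not)*; not := '!' not | atom."""

    def __init__(self, tokens: list) -> None:
        self.tokens, self.pos = tokens, 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse_or(self):
        node = self.parse_and()
        while self.peek() == "|":
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_not()
        while self.peek() == "&":
            self.take()
            node = ("and", node, self.parse_not())
        return node

    def parse_not(self):
        if self.peek() == "!":
            self.take()
            return ("not", self.parse_not())
        return self.parse_atom()

    def parse_atom(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok in TCP_FLAG_BITS:
            return ("bits", TCP_FLAG_BITS[tok])
        try:
            return ("bits", int(tok, 0))   # numeric literal such as 0x12
        except (TypeError, ValueError):
            raise ValueError(f"unknown flag or bad token {tok!r}") from None


def parse_tcp_flags(expr: str):
    """Parse an expression into a nested tuple tree; raises ValueError on bad input."""
    parser = _Parser(tokenize(expr))
    node = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return node


def evaluate(node, flags: int) -> bool:
    """Evaluate a parsed tree against a TCP flags byte; a bit set is true
    when all of its bits are present in the byte (assumption for numerics)."""
    kind = node[0]
    if kind == "bits":
        return flags & node[1] == node[1]
    if kind == "not":
        return not evaluate(node[1], flags)
    if kind == "and":
        return evaluate(node[1], flags) and evaluate(node[2], flags)
    return evaluate(node[1], flags) or evaluate(node[2], flags)


def matches(expr: str, flags: int) -> bool:
    return evaluate(parse_tcp_flags(expr), flags)


def is_valid_expression(expr: str) -> bool:
    try:
        parse_tcp_flags(expr)
        return True
    except ValueError:
        return False
```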




Term note: this term permits common ICMP messages and limits their traffic to no more than 1 Mbps.
You may use either the built-in ICMP type name or its numeric value.
The built-in Junos ICMP type names and values are:
echo-reply (0), echo-request (8), info-reply (16), info-request (15), mask-request (17), mask-reply (18), parameter-problem (12), redirect (5), router-advertisement (9), router-solicit (10), source-quench (4), time-exceeded (11), timestamp (13), timestamp-reply (14), or unreachable (3).

set firewall filter Protect-RE term Allow-ICMP from protocol icmp
set firewall filter Protect-RE term Allow-ICMP from icmp-type [ echo-request echo-reply unreachable time-exceeded ]
set firewall filter Protect-RE term Allow-ICMP then policer Limit-1m
set firewall filter Protect-RE term Allow-ICMP then count Protect-RE-ICMP
set firewall filter Protect-RE term Allow-ICMP then accept



Term note: this term permits fragmented packets but limits their volume.
set firewall filter Protect-RE term Allow-fragments from source-address 0.0.0.0/0
set firewall filter Protect-RE term Allow-fragments from is-fragment
set firewall filter Protect-RE term Allow-fragments then policer Limit-1m
set firewall filter Protect-RE term Allow-fragments then count Protect-RE-fragments
set firewall filter Protect-RE term Allow-fragments then accept



Term note: this term permits common traceroute messages, rate-limited to 1 Mbps.
set firewall filter Protect-RE term Allow-traceroute from protocol udp
set firewall filter Protect-RE term Allow-traceroute from destination-port 33434-33523
set firewall filter Protect-RE term Allow-traceroute then policer Limit-1m
set firewall filter Protect-RE term Allow-traceroute then count Protect-RE-Traceroute
set firewall filter Protect-RE term Allow-traceroute then accept



Term note: this term permits the return traffic of SSH and BGP sessions initiated by the router.
The tcp-established match condition matches the TCP packets that follow the first packet of an established TCP session, so SSH and BGP traffic belonging to an already established TCP session matches this condition.
Because Juniper firewall filters are like Cisco ACLs, a stateless firewall, traffic returning to the router must be explicitly permitted; we additionally limit it to no more than 5 Mbps.
set firewall filter Protect-RE term TCP-established from protocol tcp
set firewall filter Protect-RE term TCP-established from source-port [ ssh bgp ]
set firewall filter Protect-RE term TCP-established from tcp-established
set firewall filter Protect-RE term TCP-established then policer Limit-5m
set firewall filter Protect-RE term TCP-established then count Protect-RE-TCP-established
set firewall filter Protect-RE term TCP-established then accept





Below are the policers called by the filters above.
My habit is to predefine policers at several rate tiers and call the one needed.
In this example the firewall filter is applied to the Routing Engine, so the real bandwidth is the interface rate, not the inbound/outbound Internet circuit limit.
For burst-size-limit, my habit is one percent of bandwidth-limit, but no smaller than 10 times the MTU, usually 15k.
If your network is a busy, high-volume environment, follow the standard practice in the link below.

set firewall policer Limit-30m if-exceeding bandwidth-limit 30m
set firewall policer Limit-30m if-exceeding burst-size-limit 300k
set firewall policer Limit-30m then discard
set firewall policer Limit-20m if-exceeding bandwidth-limit 20m
set firewall policer Limit-20m if-exceeding burst-size-limit 200k
set firewall policer Limit-20m then discard
set firewall policer Limit-15m if-exceeding bandwidth-limit 15m
set firewall policer Limit-15m if-exceeding burst-size-limit 150k
set firewall policer Limit-15m then discard
set firewall policer Limit-10m if-exceeding bandwidth-limit 10m
set firewall policer Limit-10m if-exceeding burst-size-limit 100k
set firewall policer Limit-10m then discard
set firewall policer Limit-5m if-exceeding bandwidth-limit 5m
set firewall policer Limit-5m if-exceeding burst-size-limit 50k
set firewall policer Limit-5m then discard
set firewall policer Limit-3m if-exceeding bandwidth-limit 3m
set firewall policer Limit-3m if-exceeding burst-size-limit 30k
set firewall policer Limit-3m then discard
set firewall policer Limit-1m if-exceeding bandwidth-limit 1m
set firewall policer Limit-1m if-exceeding burst-size-limit 15k
set firewall policer Limit-1m then discard
set firewall policer Limit-500k if-exceeding bandwidth-limit 500k
set firewall policer Limit-500k if-exceeding burst-size-limit 15k
set firewall policer Limit-500k then discard
set firewall policer Limit-300k if-exceeding bandwidth-limit 300k
set firewall policer Limit-300k if-exceeding burst-size-limit 15k
set firewall policer Limit-300k then discard
set firewall policer Limit-100k if-exceeding bandwidth-limit 100k
set firewall policer Limit-100k if-exceeding burst-size-limit 15k
set firewall policer Limit-100k then discard


For the calculation of burst-size-limit, see the following link:



Filter note: this filter restricts remote management of the Juniper SRX to specific IPs or subnets (prefix-list Mgmt-nets).
We also restrict management to the ssh and https services; traffic from any IP not listed in prefix-list Mgmt-nets that touches the device's telnet, http, ssh or https service ports is rejected outright.
A question arises here: since we restrict remote management to ssh and https, why open http as well? Because if http is not opened, some functions of J-Web over https fail and produce error messages, which is why http is opened separately.
We can additionally delete the telnet and http services under system services, or remove telnet and http from the WAN interface's host-inbound-traffic, which blocks the telnet and http services at several layers.
This term was previously merged into filter Protect-RE, but for easier management and to illustrate the input-list statement we split it out into a separate firewall filter named Management-ACL. Its last term, accept_all, is important: after permitting and blocking the target traffic, remember to let everything else through, otherwise subsequent traffic can easily be blocked.
Filter Protect-RE follows a different idea: after permitting all allowed traffic it blocks everything else, which makes it harder to design and maintain; you must be sure everything you use has been permitted, otherwise some network functions will stop working. Fortunately Protect-RE is applied only to the Routing Engine, not to ordinary ingress and egress interfaces, so ordinary network traffic is unaffected; only traffic destined for the SRX device itself is subject to filter Protect-RE.

set firewall filter Management-ACL term Allow_IP from source-prefix-list Mgmt-nets
set firewall filter Management-ACL term Allow_IP from protocol tcp
set firewall filter Management-ACL term Allow_IP from port [ ssh https telnet http ]
set firewall filter Management-ACL term Allow_IP then count Management-ACL-Allow_IP
set firewall filter Management-ACL term Allow_IP then accept

set firewall filter Management-ACL term Deny_IP from protocol tcp
set firewall filter Management-ACL term Deny_IP from port [ ssh https telnet http ]
set firewall filter Management-ACL term Deny_IP then syslog
set firewall filter Management-ACL term Deny_IP then count Management-ACL-Deny_IP
set firewall filter Management-ACL term Deny_IP then discard

## set firewall filter Management-ACL term accept_all then accept   (do not configure this term; see the input-list explanation below)




Filter note: this filter blocks the NetBIOS protocol.
This filter is for demonstration only.
NetBIOS is a sharing service enabled by default on Windows 98, NT 4, 2000, XP and similar systems, for example Network Neighborhood and shared folders; users can access the local machine remotely, by default including the IPC$, C$ and Admin$ shares. It is a very convenient resource, but because it allows remote access we must consider its security, so we block NetBIOS traffic at the firewall and keep NetBIOS inside the LAN.
The NetBIOS ports are:
UDP ports
137    NetBIOS Name Service / Windows Internet Naming Service (WINS)
138    NetBIOS Datagram distribution service
TCP ports
139    NetBIOS Session Service

set firewall filter Discard-NetBIOS term Discard-NetBIOS from protocol [ tcp udp ]
set firewall filter Discard-NetBIOS term Discard-NetBIOS from destination-port [ 137 138 139 ]
set firewall filter Discard-NetBIOS term Discard-NetBIOS then count Discard-NetBIOS
set firewall filter Discard-NetBIOS term Discard-NetBIOS then log
set firewall filter Discard-NetBIOS term Discard-NetBIOS then discard

## set firewall filter Discard-NetBIOS term Accept-All then accept   (do not configure this term; see the input-list explanation below)

To view the log records, run the following command:
user@host> show firewall log
Time      Filter    Action Interface     Protocol  Src Addr      Dest Addr      
13:10:12  pfe       D      rlsq0.902     ICMP      192.0.2.2   192.0.2.1                  
13:10:11  pfe       D      rlsq0.902     ICMP      192.0.2.2   192.0.2.1




Filter note: this filter provides the last term of the firewall filter chain; you can make it accept all or reject all.
Because we use the input-list statement to apply several filters to the interface, for ease of maintenance we configure no accept-all or reject-all term in any of the filters and only append one of the filters below at the end of the input-list, which completes the firewall filter.
For the purposes of accept, discard and reject, refer to the table below.
Accept all
set firewall filter Accept-All term 1 from source-address 0.0.0.0/0
set firewall filter Accept-All term 1 then syslog
set firewall filter Accept-All term 1 then count Filter-Accept-All
set firewall filter Accept-All term 1 then accept

Discard all
set firewall filter Discard-All term 1 from source-address 0.0.0.0/0
set firewall filter Discard-All term 1 then syslog
set firewall filter Discard-All term 1 then count Filter-Discard-All
set firewall filter Discard-All term 1 then discard

Reject all
set firewall filter Reject-All term 1 from source-address 0.0.0.0/0
set firewall filter Reject-All term 1 then syslog
set firewall filter Reject-All term 1 then count Filter-Reject-All
set firewall filter Reject-All term 1 then reject



reject drops the packet and sends an ICMP destination unreachable message (network-unreachable).
Alternatively you can specify one of the following message codes:
root@srx100a# set firewall filter Reject-All term 1 then reject ?
Possible completions:
  <[Enter]>            Execute this command
  administratively-prohibited  Send ICMP Administratively Prohibited message
  bad-host-tos         Send ICMP Bad Host ToS message
  bad-network-tos      Send ICMP Bad Network ToS message
  fragmentation-needed  Send ICMP Fragmentation Needed message
  host-prohibited      Send ICMP Host Prohibited message
  host-unknown         Send ICMP Host Unknown message
  host-unreachable     Send ICMP Host Unreachable message
  network-prohibited   Send ICMP Network Prohibited message
  network-unknown      Send ICMP Network Unknown message
  network-unreachable  Send ICMP Network Unreachable message
  port-unreachable     Send ICMP Port Unreachable message
  precedence-cutoff    Send ICMP Precedence Cutoff message
  precedence-violation  Send ICMP Precedence Violation message
  protocol-unreachable  Send ICMP Protocol Unreachable message
  source-host-isolated  Send ICMP Source Host Isolated message
  source-route-failed  Send ICMP Source Route Failed message
  tcp-reset            Send TCP Reset message
  |                    Pipe through a command
[edit]
root@srx100a#


Actions a firewall filter can take when a term's conditions match
Firewall Filter Actions

accept
    Accept the packet. This is the default.
discard
    Silently discard the packet without sending an ICMP message. Discarded packets cannot be logged or sampled.
reject <message-type>
    Discard the packet and send an ICMP destination-unreachable message (network-unreachable). Rejected packets can be logged or sampled.
    You can also specify one of the following message codes as the message to send:
    administratively-prohibited (default), bad-host-tos, bad-network-tos, host-prohibited, host-unknown, host-unreachable, network-prohibited, network-unknown, network-unreachable, port-unreachable, precedence-cutoff, precedence-violation, protocol-unreachable, source-host-isolated, source-route-failed, or tcp-reset.
    If you specify tcp-reset, a TCP reset is returned for TCP packets. Otherwise, nothing is returned.
routing-instance routing-instance
    Specify the routing table used to forward the packet.

Firewall filter action modifiers
Firewall Filter Action Modifiers

count counter-name
    Increment the counter for this filter. The name can contain letters, digits and hyphens (-) and be up to 24 characters long. Counter names are specific to the filter that uses them, so all interfaces using the same filter count into the same counter.
forwarding-class class-name
    Specify a particular forwarding class.
ipsec-sa sa-name
    Specify an IPsec security association (SA) for the packet. Used together with the source-address and destination-address match conditions.
log
    Log the packet's header information in the routing engine. You can access this information from the CLI, but it is not available through network management.
loss-priority priority
    Set the packet loss priority (PLP) to any, low or high.
policer policer-name
    Apply rate limiting to the traffic using the specified policer.
sample
    Sample the traffic on the interface. Use this modifier only when traffic sampling is enabled.
syslog
    Log an alert for this packet. The log can be sent to a server for storage and analysis.






Applying the filter
On Juniper devices the lo0 interface is designed rather cleverly. Besides the well-known uses, such as carrying the router-id or serving as an interface that never goes down, it is, more importantly, the special path to the routing engine. If you want to restrict the traffic that reaches the routing engine, where Cisco uses a control-plane policy, on Juniper you only need to bind a firewall filter to lo0.
Once the firewall filter configuration is complete, let us apply the filter to the loopback interface lo0, which restricts the traffic that can reach the routing engine.
One point to add here: because we apply the filter only to the loopback interface lo0 and not to the WAN interface, normal network traffic is not affected; the Protect-RE filter is triggered only when a packet's destination is the Juniper SRX device itself.
set interfaces lo0 unit 0 family inet filter input Protect-RE

But now a problem arises: the input statement accepts only a single filter, so how do we apply two different firewall filters to the same interface? Let us first run the following command to find out:
root@srx100# set interfaces lo0 unit 0 family inet filter ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  group                Group to which interface belongs (1..255)
> input                Filter to be applied to received packets
+ input-list           List of filter modules applied to received packets
> output               Filter to be applied to transmitted packets
+ output-list          List of filter modules applied to transmitted packets
[edit]
root@srx100#

It turns out we can also use the input-list statement to apply two or more firewall filters to the same interface.
set interfaces lo0 unit 0 family inet filter input-list [ Management-ACL Protect-RE Discard-All ]
commit


We can run the following command to check the result:
root@srx100# show interfaces lo0
unit 0 {
    family inet {
        filter {
            input-list [ Management-ACL Protect-RE Discard-All ];
        }
        address 127.0.0.66/32;
    }
}
[edit]
root@srx100#

The difference between input and input-list was discussed at the beginning of this article, so the questions to consider carefully here are conflicts between the different firewall filters and the order in which they are applied on the interface.
Among the many filters in an input-list, the match conditions of each term must be unique, so that later terms with the same or similar match conditions are not prevented from ever executing. When we modularize filters for reuse this is sometimes hard to avoid, but you must watch for work that should have been done and was not because terms conflict. This is why we usually create a dedicated counter for each term, so we can observe whether it is being hit and how often.

Suppose you have five filters A, B, C, D and E applied to the interface, and together they contain 150 terms (in input-list order). You can then think of them as a single filter with 150 terms: it compares each term in sequence, and if the conditions match it performs the configured action on the packet and then starts over from the top with the next packet. If no term matches, the packet is discarded (discard) or accepted (accept) according to the configuration. Furthermore, none of the first 149 terms may be a term with no match conditions, or a term whose match conditions are too broad or too vague (for example, matching only protocol tcp); either will prevent the later terms from working properly.

There are, however, a few exceptions, for example the following:
        term Limit-In-bound-20m {
            from {
                source-address {
                    0.0.0.0/0;
                }
            }
            then {
                policer Limit-20m;
                next term;
            }
        }
That is, instead of marking the packet accept, use next term (continue with the next term).

Or the following case:
    filter CoS-NC-Cf {
        term Telnet-SSH-BGP {
            from {
                protocol tcp;
                port [ telnet ssh bgp ];
            }
            then {
                count CoS-NC-Cf-Telnet-SSH-BGP;
                loss-priority low;
                forwarding-class Network-Control;
            }
        }
    }
Likewise no accept is marked; only the corresponding work is performed.
Generally, as long as the action we perform does not mark the packet accept, discard or reject, the packet continues to be compared against and processed by the next term, until it is accepted, discarded or rejected, or until the last term, where it is discarded (discard) or accepted (accept) according to the configuration.

But take care not to have a term with no match conditions, as below:
        term Limit-In-bound-20m {
            then {
                policer Limit-20m;
                next term;
            }
        }
This causes the counters of the terms after this one not to be listed in show firewall.
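To make the evaluation order concrete, and with it the problem described in the afterword (a catch-all discard term at the end of Management-ACL left the Protect-RE counters at 0), here is an added Python model of how the terms of an input-list are walked. It is an illustration written for this article, not Junos code; the filter and term names are constructed to mirror the ones used here, and the sample packets are constructed.

```python
"""Model of how Junos walks the terms of the filters chained in an input-list.
Added illustration for this article; not Junos code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple

TERMINATING = ("accept", "discard", "reject")


@dataclass
class Term:
    name: str
    match: Optional[Callable[[dict], bool]]  # None = no "from" clause, matches every packet
    action: str                              # accept | discard | reject | "next term"


@dataclass
class Filter:
    name: str
    terms: List[Term]


def evaluate(input_list: List[Filter], packet: dict, counters: Dict[str, int]) -> Tuple[str, str]:
    """Walk the terms of every filter in input-list order, as if they were one filter.
    The first term whose "from" matches and whose "then" is accept/discard/reject decides
    the packet; "next term" (or a then clause with only count/policer) falls through.
    A packet that reaches the end with no decision is implicitly discarded."""
    for flt in input_list:
        for term in flt.terms:
            if term.match is None or term.match(packet):
                key = f"{flt.name}/{term.name}"
                counters[key] = counters.get(key, 0) + 1   # the term's "count <name>"
                if term.action in TERMINATING:
                    return term.action, key
    return "discard", "implicit-discard"


def src_in(prefix: str) -> Callable[[dict], bool]:
    net = ip_network(prefix)
    return lambda p: ip_address(p["src"]) in net


def proto_port(proto: str, dport: Optional[int] = None) -> Callable[[dict], bool]:
    return lambda p: p["proto"] == proto and (dport is None or p.get("dport") == dport)


def build_input_list(mgmt_last_action: str) -> List[Filter]:
    """Management-ACL, then Protect-RE, then Discard-All, as on the lo0 input-list.
    Only the last term of Management-ACL differs: "discard" (the afterword's mistake)
    versus "next term" (lets the later filters see the packet)."""
    from_mgmt, to_ssh = src_in("192.168.1.0/24"), proto_port("tcp", 22)
    mgmt = Filter("Management-ACL", [
        Term("Allow-SSH", lambda p: from_mgmt(p) and to_ssh(p), "accept"),
        Term("Last", None, mgmt_last_action),
    ])
    protect_re = Filter("Protect-RE", [
        Term("Allow-OSPF", proto_port("ospf"), "accept"),
        Term("Allow-IPsec", proto_port("esp"), "accept"),
        Term("Limit-ICMP", proto_port("icmp"), "next term"),  # policer + next term, no accept
    ])
    discard_all = Filter("Discard-All", [Term("1", src_in("0.0.0.0/0"), "discard")])
    return [mgmt, protect_re, discard_all]


# Constructed sample packets (not captured traffic)
PACKETS = [
    {"src": "1.1.100.2", "proto": "ospf"},
    {"src": "1.1.100.2", "proto": "esp"},
    {"src": "192.168.1.11", "proto": "tcp", "dport": 22},
    {"src": "203.0.113.9", "proto": "udp", "dport": 137},
    {"src": "192.168.1.11", "proto": "icmp"},
]


def run_scenario(mgmt_last_action: str) -> Dict[str, int]:
    """Per-term hit counts (what 'show firewall' would list) after all sample packets."""
    counters: Dict[str, int] = {}
    input_list = build_input_list(mgmt_last_action)
    for pkt in PACKETS:
        evaluate(input_list, pkt, counters)
    return counters


if __name__ == "__main__":
    for last in ("discard", "next term"):
        print(f"Management-ACL last term = {last}")
        for key, n in sorted(run_scenario(last).items()):
            print(f"  {key:28s} {n}")
```

With the last term set to discard, no Protect-RE or Discard-All counter ever appears; with next term, the OSPF and IPsec packets are counted and accepted by Protect-RE and only the rest fall through to Discard-All.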


At this point a new question arises: if we have two more new firewall filters to apply to the lo0 interface, how do we do that? You can run the following commands to adjust the order.

[edit]
root@srx100a# edit interfaces lo0 unit 0 family inet

[edit interfaces lo0 unit 0 family inet]
root@srx100a# show filter
input-list [ Management-ACL Protect-RE Discard-All ];

[edit interfaces lo0 unit 0 family inet]
root@srx100a# insert filter input-list ?
Possible completions:
  Accept-All           [firewall filter]
  CoS-MF-Cf            [firewall filter]
  CoS-NC-Cf            [firewall filter]
  CoS-VPN-Cf           [firewall filter]
  CoS-Voice-Cf         [firewall filter]
  CoS-strict-high-limit  [firewall filter]
  Discard-All          [firewall filter]
  In-bound             [firewall filter]
  Management-ACL       [firewall filter]
  Out-bound            [firewall filter]
  Protect-RE           [firewall filter]
  Reject-All           [firewall filter]
[edit interfaces lo0 unit 0 family inet]
root@srx100a# insert filter input-list In-bound ?
Possible completions:
  after                Insert after given data element
  before               Insert before given data element
[edit interfaces lo0 unit 0 family inet]
root@srx100a# insert filter input-list In-bound before Management-ACL

[edit interfaces lo0 unit 0 family inet]
root@srx100a# show filter
input-list [ In-bound Management-ACL Protect-RE Discard-All ];

[edit interfaces lo0 unit 0 family inet]
root@srx100a# insert filter input-list CoS-Voice-Cf after Management-ACL

[edit interfaces lo0 unit 0 family inet]
root@srx100a# show filter
input-list [ In-bound Management-ACL CoS-Voice-Cf Protect-RE Discard-All ];

[edit interfaces lo0 unit 0 family inet]
root@srx100a# top

[edit]
root@srx100a# commit




Configuring system logging
Because we want to observe the effects of the firewall filter configuration, configuring system logging is essential.
We can store the syslog records related to firewall filters in their own separate file.

/*  Store the logs generated by firewall filters in a separate file, Firewall-filters  */
set system syslog file Firewall-filters firewall any
set system syslog file Firewall-filters archive size 10m files 3

/*  Store the traffic (session) logs in a separate file, Traffic-log  */
set system syslog file Traffic-log any any
set system syslog file Traffic-log match RT_FLOW_SESSION
set system syslog file Traffic-log archive size 10m files 3

/*  Forward the traffic logs to the remote syslog server at 192.168.1.11  */
/*  On a PC you can use the tftpd64 program to receive and view syslog messages in real time; remember to open port 514 on the PC's firewall  */
set system syslog host 192.168.1.11 port 514  
set system syslog host 192.168.1.11 log-prefix SRX100-A

Next there are two ways to configure this. Method one: show only firewall filter messages
set system syslog host 192.168.1.11 firewall any
With method one, in my experience, any message that appears indicates an anomaly, and you should find and fix the problem. Under normal conditions the firewall filter produces no syslog records. This holds on one condition: when you show the configuration it must look like this:
        host 192.168.1.11 {
            firewall any;
            log-prefix SRX100-A;
            port 514;
        }

and not like this:
        host 192.168.1.11 {
            any any;     /* this extra line produces a great many real-time messages  */
            firewall any;
            log-prefix SRX100-A;
            port 514;
        }


Method two: show firewall filter messages and the traffic logs
set system syslog host 192.168.1.11 any any
set system syslog host 192.168.1.11 match "(PFE_FW_SYSLOG|RT_FLOW_SESSION)"
When you show the configuration it should look like this:
        host 192.168.1.11 {
            any any;
            match "(PFE_FW_SYSLOG|RT_FLOW_SESSION)";
            log-prefix SRX100-A;
            port 514;
        }


To view the log messages:
root@srx100a> show log F?
Possible completions:
  <filename>           Name of log file
  Firewall-filters     Size: 77276, Last changed: Oct 03 01:58:40
root@srx100a> show log Firewall-filters | match 00:57 | match ospf
Oct  3 00:57:07  srx100a srx100a PFE_FW_SYSLOG_IP: FW: st0.0        A ospf 1.1.100.2 1.1.100.1     0     0 (1 packets)
Oct  3 00:57:15  srx100a srx100a PFE_FW_SYSLOG_IP: FW: st0.0        A ospf 1.1.100.2 1.1.100.1     0     0 (1 packets)
Oct  3 00:57:23  srx100a srx100a PFE_FW_SYSLOG_IP: FW: st0.0        A ospf 1.1.100.2 1.1.100.1     0     0 (1 packets)
root@srx100a>
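As an added example (not from the original article), the following Python parser reads PFE_FW_SYSLOG_IP lines like those above and totals packets per interface, action and source, so that a firewall log that suddenly fills up can be triaged by source. The field layout (interface, A/D/R action letter, protocol, source, destination, source port, destination port, packet count) is inferred from the three lines shown and is an assumption for other Junos versions; the discarded and rejected lines in the sample are constructed.

```python
"""Parse PFE_FW_SYSLOG_IP lines from 'show log Firewall-filters' and summarize which
sources are accepted, discarded or rejected.  Added illustration; not Junos code."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Field layout as read from the article's sample lines (assumed for other variants):
#   <timestamp> <host> <host> PFE_FW_SYSLOG_IP: FW: <ifl> <A|D|R> <proto> <src> <dst> <sport> <dport> (<n> packets)
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+\S+\s+PFE_FW_SYSLOG_IP:\s+FW:\s+"
    r"(?P<ifl>\S+)\s+(?P<action>[ADR])\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<sport>\d+)\s+(?P<dport>\d+)\s+\((?P<pkts>\d+)\s+packets?\)\s*$"
)
ACTIONS = {"A": "accept", "D": "discard", "R": "reject"}


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one firewall syslog line, or None for any other line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["action"] = ACTIONS[rec["action"]]
    for key in ("sport", "dport", "pkts"):
        rec[key] = int(rec[key])
    return rec


Key = Tuple[str, str, str, str, str]  # (interface, action, protocol, src, dst)


def summarize(lines: List[str]) -> Dict[Key, int]:
    """Packets per (interface, action, protocol, source, destination), summing repeats."""
    totals: Dict[Key, int] = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec:
            totals[(rec["ifl"], rec["action"], rec["proto"], rec["src"], rec["dst"])] += rec["pkts"]
    return dict(totals)


def noisy_sources(lines: List[str], action: str = "discard", threshold: int = 50) -> List[Tuple[str, int]]:
    """Sources whose packets hit the given action more than `threshold` times, busiest
    first: the first thing to look at when the firewall log starts filling up."""
    per_src: Dict[str, int] = defaultdict(int)
    for (_, act, _, src, _), pkts in summarize(lines).items():
        if act == action:
            per_src[src] += pkts
    return sorted(((s, n) for s, n in per_src.items() if n > threshold), key=lambda x: -x[1])


# The first three lines are the article's own output; the rest are constructed.
SAMPLE_LOG = [
    "Oct  3 00:57:07  srx100a srx100a PFE_FW_SYSLOG_IP: FW: st0.0        A ospf 1.1.100.2 1.1.100.1     0     0 (1 packets)",
    "Oct  3 00:57:15  srx100a srx100a PFE_FW_SYSLOG_IP: FW: st0.0        A ospf 1.1.100.2 1.1.100.1     0     0 (1 packets)",
    "Oct  3 00:57:23  srx100a srx100a PFE_FW_SYSLOG_IP: FW: st0.0        A ospf 1.1.100.2 1.1.100.1     0     0 (1 packets)",
    "Oct  3 00:58:01  srx100a srx100a PFE_FW_SYSLOG_IP: FW: ge-0/0/0.0   D udp 203.0.113.9 192.0.2.1     5353   137 (120 packets)",
    "Oct  3 00:58:02  srx100a srx100a PFE_FW_SYSLOG_IP: FW: ge-0/0/0.0   D tcp 203.0.113.9 192.0.2.1     41000    23 (7 packets)",
    "Oct  3 00:58:05  srx100a srx100a PFE_FW_SYSLOG_IP: FW: ge-0/0/0.0   R tcp 198.51.100.4 192.0.2.1     51234    22 (3 packets)",
    "Oct  3 00:58:06  srx100a srx100a some-other-daemon: unrelated constructed message",
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{key[0]:12s} {key[1]:8s} {key[2]:5s} {key[3]:>14s} -> {key[4]:<12s} {n:>5d} pkts")
    print("noisy discarded sources:", noisy_sources(SAMPLE_LOG))
```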


For detailed syslog configuration, see the following links:





Afterword
During my testing I found that the Protect-RE counters were not incrementing (they showed 0), even though IPsec and OSPF were actually running on the device, so I added these two terms to the outbound and inbound policers, with the following result:
root@srx100a> show firewall filter In-bound
Filter: In-bound                                               
Counters:
Name                                       Bytes              Packets
In-bound                                  572096                 4228
In-bound-IPsec                            566200                 4163
In-bound-IPsec-udp                          4408                   29
In-bound-OSPF                               6200                   63
Policers:
Name                                       Bytes              Packets
Limit-20m-Limit-20m                                                 0

The result showed that the term match conditions were usable and the counters worked, and IPsec and OSPF were running normally on the system, yet the Protect-RE counters for IPsec and OSPF still showed 0. After much experimentation I finally found that the problem was that I had set the last term of the Management-ACL filter to discard all, which prevented the subsequent filters from being executed. I have therefore added this explanation to the article, along with the troubleshooting commands and the related settings, for everyone's reference.

I have also added related material from another book for comparison.
If you have any valuable experience to share, you can also email me (查理王, taiwankid168@gmail.com); I would be very grateful. Thank you!!





Supplement 1
The following IPv6 Protect-RE configuration was found online and is provided for reference.

policy-options {
    prefix-list IBGP-IPv6-NEIGHBORS {
        2001:DB8:1::/48;
    }
    prefix-list EBGP-IPv6-NEIGHBORS {
        2001:DB8:100::25/128;
        2001:DB8:100::27/128;
        2001:DB8:100::29/128;
        2001:DB8:100::31/128;
    }
    prefix-list RADIUS-IPv6-SERVERS {
        2001:DB8:100::9/128;
        2001:DB8:100::10/128;
    }
}

firewall {
    family inet6 {
        filter Protect-RE-IPv6 {
            term Fragv6 {
                from {
                    next-header fragment;
                }
                then {
                    count Frag-v6-discards;
                    log;
                    discard;
                }
            }
            term ICMP-IPv6 {
                from {
                    next-header icmpv6;
                }
                then {
                    policer 500kbps; 
                    accept;
                }
            }
            term OSPFv3 {
                from {
                    source-address {
                        FE80::/10;
                    }
                    next-header ospf;
                }
                then accept;
            }
            term IBGP-IPv6-connect {
                from {
                    source-prefix-list {
                        IBGP-IPv6-NEIGHBORS;
                    }
                    next-header tcp;
                    destination-port bgp;
                }
                then accept;
            }
            term IBGP-IPv6-reply {
                from {
                    source-prefix-list {
                        IBGP-IPv6-NEIGHBORS;
                    }
                    next-header tcp;
                    port bgp;
                }
                then accept;
            }
            term EBGP-IPv6-connect {
                from {
                    source-prefix-list {
                        EBGP-IPv6-NEIGHBORS;
                    }
                    next-header tcp;
                    destination-port bgp;
                }
                then accept;
            }
            term EBGP-IPv6-reply {
                from {
                    source-prefix-list {
                        EBGP-IPv6-NEIGHBORS;
                    }
                    next-header tcp;
                    port bgp;
                }
                then accept;
            }
            term DNS-IPv6 {
                from {
                    source-address {
                        2001:DB8:100:1::/64;
                    }
                    next-header [ udp tcp ];
                    port domain;
                }
                then accept;
            }
            term NTP-IPv6 {
                from {
                    source-address {
                        2001:DB8:100:2::/64;
                    }
                    next-header udp;
                    destination-port ntp;
                }
                then accept;
            }
            term SSH-IPv6 {
                from {
                    source-address {
                        2001:DB8:100:3::/64;
                    }
                    next-header tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term SNMP-IPv6 {
                from {
                    source-address {
                        2001:DB8:100:3::/64;
                    }
                    next-header udp;
                    destination-port snmp;
                }
                then accept;
            }
            term RADIUS-IPv6 {
                from {
                    source-prefix-list {
                        RADIUS-IPv6-SERVERS;
                    }
                    next-header udp;
                    port [ 1812 1813 ];
                }
                then accept;
            }
        }
    }
}

interfaces {
    lo0 {
        unit 0 {
            family inet6 {
                filter {
                    input Protect-RE-IPv6;
                }
            }
        }
    }
}







Supplement 2
Besides the method above, you can also refer to the approach in Chapter 4, Routing Engine Protection and DDoS Prevention, of the book Juniper MX Series.
I will not describe its contents further; please consult it yourself.

root@srx100# show policy-options | no-more
prefix-list Router-IPv4 {
    apply-path "interfaces <*> unit <*> family inet address <*>";
}
prefix-list BGP-Neighbors {
    apply-path "protocols bgp group <*> neighbor <*>";
}
prefix-list OSPF {
    224.0.0.5/32;
    224.0.0.6/32;
}
prefix-list RFC1918 {
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
}
prefix-list RIP {
    224.0.0.9/32;
}
prefix-list VRRP {
    224.0.0.18/32;
}
prefix-list Multicast-All-Routers {
    224.0.0.2/32;
}
prefix-list Router-IPv4-logical-systems {
    apply-path "logical-systems <*> interfaces <*> unit <*> family inet address
    <*>";
}
prefix-list BGP-Neighbors-logical-systems {
    apply-path "logical-systems <*> protocols bgp group <*> neighbor <*>";
}
prefix-list RADIUS-servers {
    apply-path "system radius-server <*>";
}
prefix-list Tacas-servers {
    apply-path "system tacplus-server <*>";
}
prefix-list NTP-server {
    apply-path "system ntp server <*>";
}
prefix-list SNMP-client-lists {
    apply-path "snmp client-list <*> <*>";
}
prefix-list SNMP-community-clients {
    apply-path "snmp community <*> clients <*>";
}
prefix-list LocalHost {
    127.0.0.1/32;
}
prefix-list NTP-server-peers {
    apply-path "system ntp peer <*>";
}
prefix-list DNS-servers {
    apply-path "system name-server <*>";
}

[edit]
root@srx100# show firewall family inet | no-more
prefix-action Management-police-set { /* OMITTED */ };
prefix-action Management-high-police-set { /* OMITTED */ };
filter Accept-BGP { /* OMITTED */ };
filter Accept-OSPF { /* OMITTED */ };
filter Accept-RIP { /* OMITTED */ };
filter Accept-VRRP { /* OMITTED */ };
filter Accept-SSH { /* OMITTED */ };
filter Accept-SNMP { /* OMITTED */ };
filter Accept-NTP { /* OMITTED */ };
filter Accept-WEB { /* OMITTED */ };
filter Discard-All { /* OMITTED */ };
filter Accept-Traceroute { /* OMITTED */ };
filter Accept-IGP { /* OMITTED */ };
filter Accept-Common-Services { /* OMITTED */ };
filter Accept-sh-bfd { /* OMITTED */ };
filter Accept-LDP { /* OMITTED */ };
filter Accept-FTP { /* OMITTED */ };
filter Accept-RSVP { /* OMITTED */ };
filter Accept-RADIUS { /* OMITTED */ };
filter Accept-TACAS { /* OMITTED */ };
filter Accept-remote-auth { /* OMITTED */ };
filter Accept-Telnet { /* OMITTED */ };
filter Accept-DNS { /* OMITTED */ };
filter Accept-LDP-rsvp { /* OMITTED */ };
filter Accept-Established { /* OMITTED */ };
filter Accept-All { /* OMITTED */ };
filter Accept-ICMP { /* OMITTED */ };
filter Discard-frags { /* OMITTED */ };

[edit]
root@srx100# show firewall family inet | no-more | display omit
prefix-action Management-police-set {
    apply-flags omit;
    policer Management-1m;
    count;
    filter-specific;
    subnet-prefix-length 24;
    destination-prefix-length 32;
}
prefix-action Management-high-police-set {
    apply-flags omit;
    policer Management-5m;
    count;
    filter-specific;
    subnet-prefix-length 24;
    destination-prefix-length 32;
}
filter Accept-BGP {
    apply-flags omit;
    term Accept-BGP {
        from {
            source-prefix-list {
                BGP-Neighbors_v4;
                BGP-Neighbors-logical-systems_v4;
            }
            protocol tcp;
            port bgp;
        }
        then {
            count Accept-BGP;
            accept;
        }
    }
}
filter Accept-OSPF {
    apply-flags omit;
    term Accept-OSPF {
        from {
            source-prefix-list {
                Router-IPv4;
                Router-IPv4-logical-systems  ;
            }
            destination-prefix-list {
                Router-IPv4;
                OSPF;
                Router-IPv4-logical-systems  ;
            }
            protocol ospf;
        }
        then {
            count Accept-OSPF;
            accept;
        }
    }
}
filter Accept-RIP {
    apply-flags omit;
    term Accept-RIP {
        from {
            source-prefix-list {
                Router-IPv4;
                Router-IPv4-logical-systems  ;
            }
            destination-prefix-list {
                RIP;
            }
            protocol udp;
            destination-port rip;
        }
        then {
            count Accept-RIP;
            accept;
        }
    }
    term Accept-RIP-igmp {
        from {
            source-prefix-list {
                Router-IPv4;
                Router-IPv4-logical-systems  ;
            }
            destination-prefix-list {
                RIP;
            }
            protocol igmp;
        }
        then {
            count Accept-RIP-igmp;
            accept;
        }
    }
}
filter Accept-VRRP {
    apply-flags omit;
    term Accept-VRRP {
        from {
            source-prefix-list {
                Router-IPv4;
                Router-IPv4-logical-systems  ;
            }
            destination-prefix-list {
                vrrp;
            }
            protocol [ vrrp ah ];
        }
        then {
            count Accept-VRRP;
            accept;
        }
    }
}
filter Accept-SSH {
    apply-flags omit;
    term Accept-SSH {
        from {
            source-prefix-list {
                RFC1918;
            }
            destination-prefix-list {
                Router-IPv4;
                Router-IPv4-logical-systems  ;
            }
            protocol tcp;
            destination-port ssh;
        }
        then {
            policer Management-5m;
            count Accept-SSH;
            accept;
        }
    }
}
filter Accept-SNMP {
    apply-flags omit;
    term Accept-SNMP {
        from {
            source-prefix-list {
                SNMP-client-lists;
                SNMP-community-clients;
            }
            destination-prefix-list {
                Router-IPv4;
                Router-IPv4-logical-systems  ;
            }
            protocol udp;
            destination-port snmp;
        }
        then {
            policer Management-5m;
            count Accept-SNMP;
            accept;
        }
    }
}
filter Accept-NTP {
    apply-flags omit;
    term Accept-NTP {
        from {
            source-prefix-list {
                NTP-server;
            }
            destination-prefix-list {
                Router-IPv4;
                Router-IPv4-logical-systems  ;
            }
            protocol udp;
            port ntp;
        }
        then {
            policer Management-1m;
            count Accept-NTP;
            accept;
        }
    }
    term Accept-NTP-peer {
        from {
            source-prefix-list {
                NTP-server-peers;
            }
            destination-prefix-list {
                Router-IPv4;
                Router-IPv4-logical-systems  ;
            }
            protocol udp;
            destination-port ntp;
        }
        then {
            policer Management-1m;
            count Accept-NTP-peer;
            accept;
        }
    }
    term Accept-NTP-server {
        from {
            source-prefix-list {
                RFC1918;
            }
            destination-prefix-list {
                Router-IPv4;
                Router-IPv4-logical-systems  ;
            }
            protocol udp;
            destination-port ntp;
        }
        then {
            policer Management-1m;
            count Accept-NTP-server;
            accept;
        }
    }
}
filter Accept-WEB {
    apply-flags omit;
    term Accept-WEB {
        from {
            source-prefix-list {
                RFC1918;
            }
            destination-prefix-list {
                Router-IPv4;
                Router-IPv4-logical-systems  ;
            }
            protocol tcp;
            destination-port [ http https ];
        }
        then {
            policer Management-5m;
            count Accept-WEB;
            accept;
        }
    }
}
filter Discard-All {
    apply-flags omit;
    term Discard-ip-options {
        from {
            ip-options any;
        }
        then {
            count Discard-ip-options;
            log;
            syslog;
            discard;
        }
    }
    term Discard-TTL_1-unknown {
        from {
            ttl 1;
        }
        then {
            count Discard-All-TTL_1-unknown;
            log;
            syslog;
            discard;
        }
    }
    term Discard-tcp {
        from {
            protocol tcp;
        }
        then {
            count Discard-tcp;
            log;
            syslog;
            discard;
        }
    }
    term Discard-NetBIOS {
        from {
            protocol udp;
            destination-port 137;
        }
        then {
            count Discard-NetBIOS;
            log;
            syslog;
            discard;
        }
    }
    term Discard-UDP {
        from {
            protocol udp;
        }
        then {
            count Discard-UDP;
            log;
            syslog;
            discard;
        }
    }
    term Discard-ICMP {
        from {
            protocol icmp;
        }
        then {
            count Discard-ICMP;
            log;
            syslog;
            discard;
        }
    }
    term Discard-Unknown {
        then {
            count Discard-Unknown;
            log;
            syslog;
            discard;
        }
    }
}
filter Accept-Traceroute {
    apply-flags omit;
    term Accept-Traceroute-udp {
        from {
            destination-prefix-list {
                Router-IPv4;
                Router-IPv4-logical-systems  ;
            }
            protocol udp;
            ttl 1;
            destination-port 33435-33450;
        }
        then {
            policer Management-1m;
            count Accept-Traceroute-udp;
            accept;
        }
    }
    term Accept-Traceroute-icmp {
        from {
            destination-prefix-list {
                Router-IPv4;
                Router-IPv4-logical-systems  ;
            }
            protocol icmp;
            ttl 1;
            icmp-type [ echo-request timestamp time-exceeded ];
        }
        then {
            policer Management-1m;
            count Accept-Traceroute-icmp;
            accept;
        }
    }
    term Accept-Traceroute-tcp {
        from {
            destination-prefix-list {
                Router-IPv4;
                Router-IPv4-logical-systems  ;
            }
            protocol tcp;
            ttl 1;
        }
        then {
            policer Management-1m;
            count Accept-Traceroute-tcp;
            accept;
        }
    }
}
filter Accept-IGP {
    apply-flags omit;
    term Accept-OSPF {
        filter Accept-OSPF;
    }
    term Accept-RIP {
        filter Accept-RIP;
    }
}
filter Accept-Common-Services {
    apply-flags omit;
    term Accept-ICMP {
        filter Accept-ICMP;
    }
    term Accept-Traceroute {
        filter Accept-Traceroute;
    }
    term Accept-SSH {
        filter Accept-SSH;
    }
    term Accept-SNMP {
        filter Accept-SNMP;
    }
    term Accept-NTP {
        filter Accept-NTP;
    }
    term Accept-WEB {
        filter Accept-WEB;
    }
    term Accept-DNS {
        filter Accept-DNS;
    }
}
filter Accept-sh-bfd {
    apply-flags omit;
    term Accept-sh-bfd {
        from {
            source-prefix-list {
                Router-IPv4;
                Router-IPv4-logical-systems  ;
            }
            destination-prefix-list {
                Router-IPv4;
                Router-IPv4-logical-systems  ;
            }
            protocol udp;
            source-port 49152-65535;
            destination-port 3784-3785;
        }
        then {
            count Accept-sh-bfd;
            accept;
        }
    }
}
filter Accept-LDP {
    apply-flags omit;
    term Accept-LDP-discover {
        from {
            source-prefix-list {
                Router-IPv4;
                Router-IPv4-logical-systems  ;
            }
            destination-prefix-list {
                Multicast-All-Routers;
            }
            protocol udp;
            destination-port ldp;
        }
        then {
            count Accept-LDP-discover;
            accept;
        }
    }
    term Accept-LDP-unicast {
        from {
            source-prefix-list {
                Router-IPv4;
                Router-IPv4-logical-systems  ;
            }
            destination-prefix-list {
                Router-IPv4;
                Router-IPv4-logical-systems  ;
            }
            protocol tcp;
            port ldp;
        }
        then {
            count Accept-LDP-unicast;
            accept;
        }
    }
    term Accept-tldp-discover {
        from {
            destination-prefix-list {
                Router-IPv4;
                Router-IPv4-logical-systems  ;
            }
            protocol udp;
            destination-port ldp;
        }
        then {
            count Accept-tldp-discover;
            accept;
        }
    }
    term Accept-LDP-igmp {
        from {
            source-prefix-list {
                Router-IPv4;
                Router-IPv4-logical-systems  ;
            }
            destination-prefix-list {
                Multicast-All-Routers;
            }
            protocol igmp;
        }
        then {
            count Accept-LDP-igmp;
            accept;
        }
    }
}
filter Accept-FTP {
    apply-flags omit;
    term Accept-FTP {
        from {
            source-prefix-list {
                RFC1918;
            }
            destination-prefix-list {
                Router-IPv4;
                Router-IPv4-logical-systems  ;
            }
            protocol tcp;
            port [ ftp ftp-data ];
        }
        then {
            policer Management-5m;
            count Accept-FTP;
            accept;
        }
    }
}
filter Accept-RSVP {
    apply-flags omit;
    term Accept-RSVP {
        from {
            destination-prefix-list {
                Router-IPv4;
                Router-IPv4-logical-systems  ;
            }
            protocol rsvp;
        }
        then {
            count Accept-RSVP;
            accept;
        }
    }
}
filter Accept-RADIUS {
    apply-flags omit;
    term Accept-RADIUS {
        from {
            source-prefix-list {
                RADIUS-servers;
            }
            destination-prefix-list {
                Router-IPv4;
                Router-IPv4-logical-systems  ;
            }
            protocol udp;
            source-port [ radacct radius ];
            tcp-established;
        }
        then {
            policer Management-1m;
            count Accept-RADIUS;
            accept;
        }
    }
}
filter Accept-TACAS {
    apply-flags omit;
    term Accept-TACAS {
        from {
            source-prefix-list {
                Tacas-servers;
            }
            destination-prefix-list {
                Router-IPv4;
                Router-IPv4-logical-systems  ;
            }
            protocol [ tcp udp ];
            source-port [ tacacs tacacs-ds ];
            tcp-established;
        }
        then {
            policer Management-1m;
            count Accept-TACAS;
            accept;
        }
    }
}
filter Accept-remote-auth {
    apply-flags omit;
    term Accept-RADIUS {
        filter Accept-RADIUS;
    }
    term Accept-TACAS {
        filter Accept-TACAS;
    }
}
filter Accept-Telnet {
    apply-flags omit;
    term Accept-Telnet {
        from {
            source-prefix-list {
                RFC1918;
            }
            destination-prefix-list {
                Router-IPv4;
                Router-IPv4-logical-systems  ;
            }
            protocol tcp;
            destination-port telnet;
        }
        then {
            policer Management-1m;
            count Accept-Telnet;
            accept;
        }
    }
}
filter Accept-DNS {
    apply-flags omit;
    term Accept-DNS {
        from {
            source-prefix-list {
                DNS-servers;
            }
            destination-prefix-list {
                Router-IPv4;
                Router-IPv4-logical-systems  ;
            }
            protocol [ udp tcp ];
            source-port 53;
        }
        then {
            policer Management-1m;
            count Accept-DNS;
            accept;
        }
    }
}
filter Accept-LDP-rsvp {
    apply-flags omit;
    term Accept-LDP {
        filter Accept-LDP;
    }
    term Accept-RSVP {
        filter Accept-RSVP;
    }
}
filter Accept-Established {
    apply-flags omit;
    term Accept-Established-tcp-ssh {
        from {
            destination-prefix-list {
                Router-IPv4;
                Router-IPv4-logical-systems  ;
            }
            source-port ssh;
            tcp-established;
        }
        then {
            policer Management-5m;
            count Accept-Established-tcp-ssh;
            accept;
        }
    }
    term Accept-Established-tcp-ftp {
        from {
            destination-prefix-list {
                Router-IPv4;
                Router-IPv4-logical-systems  ;
            }
            source-port ftp;
            tcp-established;
        }
        then {
            policer Management-5m;
            count Accept-Established-tcp-ftp;
            accept;
        }
    }
    term Accept-Established-tcp-ftp-data-syn {
        from {
            destination-prefix-list {
                Router-IPv4;
                Router-IPv4-logical-systems  ;
            }
            source-port ftp-data;
            tcp-initial;
        }
        then {
            policer Management-5m;
            count Accept-Established-tcp-ftp-data-syn;
            accept;
        }
    }
    term Accept-Established-tcp-ftp-data {
        from {
            destination-prefix-list {
                Router-IPv4;
                Router-IPv4-logical-systems  ;
            }
            source-port ftp-data;
            tcp-established;
        }
        then {
            policer Management-5m;
            count Accept-Established-tcp-ftp-data;
            accept;
        }
    }
    term Accept-Established-tcp-telnet {
        from {
            destination-prefix-list {
                Router-IPv4;
                Router-IPv4-logical-systems  ;
            }
            source-port telnet;
            tcp-established;
        }
        then {
            policer Management-5m;
            count Accept-Established-tcp-telnet;
            accept;
        }
    }
    term Accept-Established-tcp-fetch {
        from {
            destination-prefix-list {
                Router-IPv4;
                Router-IPv4-logical-systems  ;
            }
            source-port [ http https ];
            tcp-established;
        }
        then {
            policer Management-5m;
            count Accept-Established-tcp-fetch;
            accept;
        }
    }
    term Accept-Established-udp-ephemeral {
        from {
            destination-prefix-list {
                Router-IPv4;
                Router-IPv4-logical-systems;
            }
            protocol udp;
            destination-port 49152-65535;
        }
        then {
            policer Management-5m;
            count Accept-Established-udp-ephemeral;
            accept;
        }
    }
}
filter Accept-All {
    apply-flags omit;
    term Accept-All-tcp {
        from {
            protocol tcp;
        }
        then {
            count Accept-All-tcp;
            log;
            syslog;
            accept;
        }
    }
    term Accept-All-udp {
        from {
            protocol udp;
        }
        then {
            count Accept-All-udp;
            log;
            syslog;
            accept;
        }
    }
    term Accept-All-igmp {
        from {
            protocol igmp;
        }
        then {
            count Accept-All-igmp;
            log;
            syslog;
            accept;
        }
    }
    term Accept-ICMP {
        from {
            protocol icmp;
        }
        then {
            count Accept-All-icmp;
            log;
            syslog;
            accept;
        }
    }
    term Accept-All-unknown {
        then {
            count Accept-All-unknown;
            log;
            syslog;
            accept;
        }
    }
}
filter Accept-ICMP {
    apply-flags omit;
    term no-icmp-fragments {
        from {
            is-fragment;
            protocol icmp;
        }
        then {
            count no-icmp-fragments;
            log;
            discard;
        }
    }
    term Accept-ICMP {
        from {
            protocol icmp;
            ttl-except 1;
            icmp-type [ echo-reply echo-request time-exceeded unreachable
            source-quench router-advertisement parameter-problem ];
        }
        then {
            policer Management-5m;
            count Accept-ICMP;
            accept;
        }
    }
}
filter Discard-frags {
    term 1 {
        from {
            first-fragment;
        }
        then {
            count deny-first-frags;
            discard;
        }
    }
    term 2 {
        from {
            is-fragment;
        }
        then {
            count deny-other-frags;
            discard;
        }
    }
}

[edit]
user@R1-RE0# show interfaces lo0
unit 0 {
    family inet {
        filter {
            input-list [ Discard-frags Accept-sh-bfd Accept-BGP
              Accept-LDP Accept-RSVP Accept-Telnet Accept-Common-Services
              Discard-All ];
        }
        address 10.3.255.1/32;
    }
    family iso {
        address 49.0001.0100.0325.5001.00;
    }
    family inet6 {
        address 2001:db8:1::ff:1/128;
    }
}

[edit]
root@srx100# run show interfaces filters lo0
Interface       Admin Link Proto Input Filter         Output Filter
lo0             up    up
lo0.0           up    up   inet  lo0.0-i
                           iso
                           inet6
lo0.16384       up    up   inet
lo0.16385       up    up   inet

root@srx100# run show log re_filter
Dec 12 12:58:09  R1-RE0 fpc2 PFE_FW_SYSLOG_IP: FW: irb.200
                   D vrrp 192.0.2.67 224.0.0.18   0  0  (1 packets)
Dec 12 12:58:15  R1-RE0 last message repeated 7 times
Dec 12 12:58:16  R1-RE0 fpc2 PFE_FW_SYSLOG_IP: FW: irb.200
                   D vrrp 192.0.2.67 224.0.0.18   0  0  (2 packets)
Dec 12 12:58:17  R1-RE0 fpc2 PFE_FW_SYSLOG_IP: FW: irb.200
                   D vrrp 192.0.2.67 224.0.0.18   0  0  (1 packets)
Dec 12 12:58:21  R1-RE0 last message repeated 4 times
Dec 12 12:58:22  R1-RE0 fpc2 PFE_FW_SYSLOG_IP: FW: irb.200
                   D vrrp 192.0.2.67 224.0.0.18   0  0  (2 packets)
Dec 12 12:58:23  R1-RE0 fpc2 PFE_FW_SYSLOG_IP: FW: irb.200
                   D vrrp 192.0.2.67 224.0.0.18   0  0  (1 packets)
Dec 12 12:58:26  R1-RE0 last message repeated 3 times
Dec 12 12:58:27  R1-RE0 fpc2 PFE_FW_SYSLOG_IP: FW: irb.200
                   D vrrp 192.0.2.67 224.0.0.18   0  0  (2 packets)
Dec 12 12:58:28  R1-RE0 fpc2 PFE_FW_SYSLOG_IP: FW: irb.200
                   D vrrp 192.0.2.67 224.0.0.18   0  0  (1 packets)

{master}[edit interfaces lo0 unit 0 family inet]
root@srx100# set filter input-list Accept-VRRP

{master}[edit interfaces lo0 unit 0 family inet]
root@srx100# show
filter {
    input-list [ Discard-frags Accept-sh-bfd Accept-BGP
      Accept-LDP Accept-RSVP Accept-Telnet Accept-Common-Services Discard-All
      Accept-VRRP ];
}
address 10.3.255.1/32;

{master}[edit interfaces lo0 unit 0 family inet]
root@srx100# insert filter input-list Accept-VRRP before Discard-All

{master}[edit interfaces lo0 unit 0 family inet]
root@srx100# show
filter {
    input-list [ Discard-frags Accept-sh-bfd Accept-BGP
      Accept-LDP Accept-RSVP Accept-Telnet Accept-Common-Services
      Accept-VRRP Discard-All ];
}
address 10.3.255.1/32;
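Because `set filter input-list` appends to the end of the list, the first `show` above left `Accept-VRRP` behind `Discard-All`, where it can never match: the input-list is concatenated into one filter (`lo0.0-i`), evaluation stops at the first terminating action, and `Discard-All` discards everything that reaches it. `insert ... before Discard-All` is what fixes the order. The Python check below is an added example, not code from the post or from Juniper. It parses the `input-list [ ... ]` statement as the CLI prints it, wrapped lines included, and reports every filter that sits after the terminal discard filter; the two `show` outputs mirror the ones above, and the terminal filter name `Discard-All` is a parameter you adjust to your own naming.

```python
import re

# 'show' output as the CLI prints it, mirroring the two outputs above:
# after 'set filter input-list Accept-VRRP' and after the 'insert ... before'.
BEFORE_INSERT = """\
filter {
    input-list [ Discard-frags Accept-sh-bfd Accept-BGP
      Accept-LDP Accept-RSVP Accept-Telnet Accept-Common-Services Discard-All
      Accept-VRRP ];
}
address 10.3.255.1/32;
"""

AFTER_INSERT = """\
filter {
    input-list [ Discard-frags Accept-sh-bfd Accept-BGP
      Accept-LDP Accept-RSVP Accept-Telnet Accept-Common-Services
      Accept-VRRP Discard-All ];
}
address 10.3.255.1/32;
"""


def parse_input_list(show_output: str) -> list:
    """Return the filter names inside 'input-list [ ... ]', joining CLI-wrapped lines."""
    m = re.search(r"input-list\s+\[(.*?)\]", show_output, re.S)
    return m.group(1).split() if m else []


def misordered_filters(filters: list, terminal: str = "Discard-All") -> list:
    """Filters placed after the terminal discard filter. They are dead code:
    the concatenated lo0.0-i filter stops at the first terminating action and
    the terminal filter matches everything that reaches it."""
    if terminal not in filters:
        raise ValueError(f"input-list has no terminal filter {terminal!r}: "
                         "traffic not matched by any term is implicitly discarded "
                         "without a counter or log")
    return filters[filters.index(terminal) + 1:]


def check(show_output: str, terminal: str = "Discard-All") -> list:
    """Names of filters in this 'show' output that will never be evaluated."""
    return misordered_filters(parse_input_list(show_output), terminal)


if __name__ == "__main__":
    for label, text in (("after set", BEFORE_INSERT), ("after insert", AFTER_INSERT)):
        dead = check(text)
        print(f"{label}: {'OK' if not dead else 'never evaluated: ' + ', '.join(dead)}")
```

Paste the output of `show interfaces lo0 unit 0 family inet` into the script (or feed it the `filter` stanza from `show configuration`) after every change to the list; a non-empty result means the new filter was appended rather than inserted.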






