JUNOS Cookbook by Aviva Garrett

Author: Aviva Garrett
Language: eng
Format: epub, mobi, pdf
Tags: COMPUTERS / Networking / General
ISBN: 9780596105648
Publisher: O'Reilly Media
Published: 2009-02-08T16:00:00+00:00


policer name

Rate-limit traffic on an interface.

syslog

Keep a record of the packet in a system logfile.

As with routing policy, the JUNOS software evaluates a firewall filter term by term, and, when a term matches, the action is taken and evaluation ends. If the packet matches none of the terms, the default action is to discard the packet, which is equivalent to the following:

aviva@RouterF# set term last-term then discard

The default firewall action, to discard packets, is the opposite of the default policy action of accepting routes. You would not be alone in thinking that this behavior is counterintuitive. However, understanding this behavior is critical in designing filters and tracing problems if the router stops receiving certain types of traffic. Be especially careful when implementing filters that limit access to the router to ensure that you don't lock yourself out of the router. A common mistake is to block Telnet access to the router. One way to protect against lockout is to use the commit confirmed command.

The default time to revert to the previous configuration is 10 minutes. Choose a rollback time of one minute to minimize how long you have to wait to reconnect to the router if you lock yourself out:

[edit firewall]
aviva@RouterF# commit confirmed 1
commit confirmed will be automatically rolled back in 1 minutes unless confirmed
commit complete

When using the commit confirmed command, especially with firewall filters, another good practice is to include a comment, which is saved to the router's commit logfile:

[edit firewall]
aviva@RouterF# commit confirmed 1 comment "added filter to discard remaining packets"
commit confirmed will be automatically rolled back in 1 minutes unless confirmed
commit complete

Use the show system commit command to see the comments:

aviva@RouterF> show system commit
0   2005-11-07 20:31:03 UTC by aviva via cli
    added filter to discard remaining packets
1   2005-11-02 23:42:38 UTC by root via cli
2   2005-11-02 23:35:11 UTC by root via cli

Adding a comment is a handy way to keep track of reasons for commits if for some reason you lock yourself out of the router.

Another counterintuitive behavior of JUNOS firewalls is that a term does not need a then clause to accept packets that match its from conditions: a term with match conditions but no action accepts the packet. To verify this, create a one-term filter with no action:

[edit firewall]
aviva@RouterF# set filter one-term-filter term bgp-peers from destination-address 10.0.31.1/24

Look in the file /var/etc/filters/dfwc.out to see the actions taken by the term:

aviva@RouterF> file show /var/etc/filters/dfwc.out
rule "bgp-peers" matches 3
    match destination-port unreferenced type range
        ranges 1
            179
    match source-address unreferenced type addrmask
        number of address-masks: 1
            10.0.8/24
    match action unreferenced type action
        accept

The output shows the filter (or rule) bgp-peers matched and accepted three packets.
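As an added example that is not from the book, here is a complete filter that puts the three points above into practice on the router's own control plane: every term carries an explicit then clause (so no term accepts by accident), BGP and management traffic are accepted before anything else, and the implicit final discard is replaced by an explicit term that counts and syslogs what it drops, so a lockout shows up in the counters and the logfile rather than as silent packet loss. The filter name protect-re, its placement on lo0 and the 192.0.2.0/24 management prefix are assumptions; 10.0.8/24 is the peer prefix from the dfwc.out output above.

```junos
firewall {
    family inet {
        filter protect-re {
            /* Assumed peer prefix, taken from the dfwc.out output on this page. */
            term bgp-peers {
                from {
                    source-address {
                        10.0.8.0/24;
                    }
                    protocol tcp;
                    destination-port bgp;
                }
                then accept;
            }
            /* Assumed management prefix (RFC 5737 documentation range). Keeping
               SSH reachable from here is what prevents the lockout described above. */
            term mgmt-ssh {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            /* Explicit replacement for the implicit discard: same result, but
               the count and syslog actions make dropped traffic visible. */
            term everything-else {
                then {
                    count protect-re-discards;
                    syslog;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

Load it with commit confirmed 1 and a comment as shown above, then confirm only after a fresh SSH session to the router succeeds; show firewall filter protect-re reports the discard counter if something you needed was dropped.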
