Firewall Filters
To protect the router, you can deploy packet filters to allow only certain traffic into the router’s control plane (Routing Engine [RE]). These filters have different names on each router OS, but they still operate in the same stateless manner. On a Cisco device, these filters are called access lists, and on a Juniper router, they are called firewall filters. These filters look similar to the policy we discussed in Chapter 3; however, filters operate on the actual data-forwarding plane. Table 6-2 provides a comparison of the two features.
Table 6-2. Firewall filters versus routing policies
Feature | Firewall filter | Routing policy |
---|---|---|
Operates in... | Forwarding plane | Control plane |
Match keyword | | |
Action keyword | | |
Match attributes | Packet fields | Route attributes |
Default action | Discard | Depends on default policy |
Applied to... | Interfaces | Routing protocols/tables |
Named terms required | Yes | No |
Chains allowed | Yes | Yes |
Absence of | Match all | Match all |
Firewall filter syntax takes a human-friendly, intuitive form:
    firewall {
        family inet {
            filter filter-1 {
                term term-1 {
                    from {
                        protocol tcp;
                        destination-port telnet;
                    }
                    then {
                        accept;
                    }
                }
            }
        }
    }
This filter matches on Telnet traffic and accepts the packets. As observed, the syntax is very similar to a routing policy, with the match conditions in the from term and the actions specified in a then term.
Filter Processing
Similar to a policy, a filter is made up of multiple terms, and each term is examined in the order listed. If there is a ...
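As an added illustration that is not part of the book, the following Python model encodes the evaluation rules summarised in Table 6-2 and above: terms are tried in listed order, the first matching term's then action decides, a term without a from block matches everything, and a packet that matches no term falls through to the implicit discard. The filter mirrors filter-1 from the chapter; the 10.0.0.0/24 management prefix, the deny-rest term and the sample packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Service-name keywords as used in 'destination-port telnet' style conditions.
PORT_NAMES = {"telnet": 23, "ssh": 22, "bgp": 179}


@dataclass
class Term:
    name: str
    match: dict = field(default_factory=dict)  # 'from' block; empty = match all
    action: str = "accept"                       # 'then' block: accept | discard


@dataclass
class Packet:
    protocol: str
    dst_port: int
    src: str


def term_matches(term: Term, pkt: Packet) -> bool:
    """All conditions in the term's from block must hold; no from block matches all."""
    for key, want in term.match.items():
        if key == "protocol" and pkt.protocol != want:
            return False
        if key == "destination-port" and pkt.dst_port != PORT_NAMES.get(want, want):
            return False
        if key == "source-address" and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(want):
            return False
    return True


def evaluate(filter_terms: list, pkt: Packet) -> tuple:
    """Stateless, first-match evaluation; no match means the default action, discard."""
    for term in filter_terms:
        if term_matches(term, pkt):
            return term.name, term.action
    return None, "discard"


# Constructed: the book's filter-1, tightened to a hypothetical management prefix.
FILTER_1 = [
    Term("term-1", {"protocol": "tcp", "destination-port": "telnet",
                    "source-address": "10.0.0.0/24"}, "accept"),
]
# Constructed: same filter plus an explicit catch-all term (absence of from = match all),
# which makes the implicit discard visible in counters/logs on a real box.
FILTER_1_EXPLICIT = FILTER_1 + [Term("deny-rest", {}, "discard")]
```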