Firewall Filters
To protect the router, you can deploy packet filters to allow only certain traffic into the router’s control plane (Routing Engine [RE]). These filters have different names on each router OS, but they still operate in the same stateless manner. On a Cisco device, these filters are called access lists, and on a Juniper router, they are called firewall filters. These filters look similar to the policy we discussed in Chapter 5; however, filters operate on the actual data-forwarding plane. Table 8-2 provides a comparison of the two features.
Table 8-2. Firewall filters versus routing policies

Feature | Firewall filter | Routing policy |
---|---|---|
Operates in... | Forwarding plane | Control plane |
Match keyword | from | from |
Action keyword | then | then |
Match attributes | Packet fields | Route attributes |
Default action | Discard | Depends on default policy |
Applied to... | Interfaces | Routing protocols/tables |
Named terms required | Yes | No |
Chains allowed | Yes | Yes |
Absence of from | Match all | Match all |
Firewall filter syntax takes a human-friendly, intuitive form:

    firewall {
        family inet {
            filter filter-1 {
                term term-1 {
                    from {
                        protocol tcp;
                        destination-port telnet;
                    }
                    then {
                        accept;
                    }
                }
            }
        }
    }
This filter matches on Telnet traffic and accepts the packets. As observed, the syntax is very similar to a routing policy, with the match conditions in the from statement and the actions specified in a then statement.
Filter Processing
Similar to a policy, a filter is made up of multiple terms, and each term is examined in the order listed. If there is a match in ...
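The following RE-protection filter is an added example, not taken from the book, and the peer address 192.0.2.1 and management prefix 198.51.100.0/24 are constructed placeholders. It shows several terms evaluated in the listed order (a BGP packet from the peer matches the first term; an SSH packet from the management prefix falls through the first term and matches the second; anything else, such as SSH from an unlisted source, reaches the final term), makes the implicit discard explicit so the dropped traffic is counted and logged, and applies the filter to the loopback interface, which is how traffic destined to the Routing Engine is filtered.

```junos
firewall {
    family inet {
        filter protect-re {
            /* Term 1: BGP session from the one configured peer only */
            term allow-bgp {
                from {
                    source-address {
                        192.0.2.1/32;    /* constructed peer address */
                    }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            /* Term 2: management access restricted to SSH from the management prefix */
            term allow-mgmt {
                from {
                    source-address {
                        198.51.100.0/24;    /* constructed management prefix */
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            /* Final term: no from, so it matches every remaining packet; the
               default action would already be discard, but counting and
               logging makes blocked attempts visible for monitoring */
            term deny-rest {
                then {
                    count re-discards;
                    log;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

After commit, the counter can be read with show firewall filter protect-re and the logged packets with show firewall log.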