Give an example of how to configure a firewall filter on a Juniper router to restrict access to a server connected behind its interface and running a service, e.g. on port 8080?
Configuring a firewall filter on a Juniper router involves several steps. Here’s a simplified process to guide you through:
1.) Define the Filter: Start by defining the firewall filter and its terms. Each term represents a specific rule within the filter.
# set firewall family inet filter FILTER_NAME term TERM_NAME from …
2.) Specify Match Conditions: For each term, specify the match conditions, such as source or destination address, protocol, and ports.
# set firewall family inet filter FILTER_NAME term TERM_NAME from source-address ADDRESS
# set firewall family inet filter FILTER_NAME term TERM_NAME from protocol PROTOCOL
3.) Define Actions: Define the actions to be taken when the conditions are met, like accepting, discarding, or modifying the traffic.
# set firewall family inet filter FILTER_NAME term TERM_NAME then ACTION
4.) Apply the Filter: Apply the filter to an interface, specifying whether it’s an input or output filter.
# set interfaces INTERFACE_NAME unit 0 family inet filter input FILTER_NAME
5.) Commit the Configuration: After configuring the filter, commit the changes to make them active.
# commit check
# commit
Remember to replace FILTER_NAME, TERM_NAME, ADDRESS, PROTOCOL, ACTION, and INTERFACE_NAME with the actual names and values relevant to your network setup. Always test your firewall configurations in a controlled environment before deploying them to production to ensure they work as intended and do not disrupt network traffic.
Here is a more detailed example. In this scenario we implement a firewall filter that allows the source subnet 192.168.0.0/24 to reach a specific service running on port 8080 on the server 10.10.10.10, BUT restricts every other source IP (0.0.0.0/0). All other services on the server remain accessible to everyone; only the service on port 8080 is restricted. The server is connected to the Juniper router via port xe-1/0/5, vlan 1000. Because traffic toward the server leaves the router through that interface, the filter is applied in the output direction, and the terms are evaluated top to bottom so the permit term for the inside subnet must come before the reject term for everyone else.
# set firewall family inet filter RESTRICT_ACCESS term PORT_8080_INSIDE from source-address 192.168.0.0/24
# set firewall family inet filter RESTRICT_ACCESS term PORT_8080_INSIDE from destination-address 10.10.10.10/32
# set firewall family inet filter RESTRICT_ACCESS term PORT_8080_INSIDE from protocol tcp
# set firewall family inet filter RESTRICT_ACCESS term PORT_8080_INSIDE from protocol udp
# set firewall family inet filter RESTRICT_ACCESS term PORT_8080_INSIDE from destination-port 8080
# set firewall family inet filter RESTRICT_ACCESS term PORT_8080_INSIDE then accept
# set firewall family inet filter RESTRICT_ACCESS term PORT_8080_OUTSIDE from source-address 0.0.0.0/0
# set firewall family inet filter RESTRICT_ACCESS term PORT_8080_OUTSIDE from destination-address 10.10.10.10/32
# set firewall family inet filter RESTRICT_ACCESS term PORT_8080_OUTSIDE from protocol tcp
# set firewall family inet filter RESTRICT_ACCESS term PORT_8080_OUTSIDE from protocol udp
# set firewall family inet filter RESTRICT_ACCESS term PORT_8080_OUTSIDE from destination-port 8080
# set firewall family inet filter RESTRICT_ACCESS term PORT_8080_OUTSIDE then reject
# set firewall family inet filter RESTRICT_ACCESS term ANY_OTHER then accept
# set interfaces xe-1/0/5 unit 1000 family inet filter output RESTRICT_ACCESS
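To make the first-match behaviour of the RESTRICT_ACCESS terms concrete, here is an added Python model (not Junos code and not part of the original answer) that evaluates constructed sample flows against the three terms, including the implicit discard Junos applies when no term matches, and shows why PORT_8080_INSIDE must precede PORT_8080_OUTSIDE. The packet field names (src, dst, proto, dport) are this model's own assumptions.

```python
import ipaddress

# Model of the page's RESTRICT_ACCESS filter. Junos evaluates terms top to
# bottom and applies the first term whose "from" conditions all match.
# Each condition holds a list of values; any one matching satisfies it,
# the same OR semantics as `protocol [ tcp udp ]` in Junos.
RESTRICT_ACCESS = [
    ("PORT_8080_INSIDE", {"source-address": ["192.168.0.0/24"],
                          "destination-address": ["10.10.10.10/32"],
                          "protocol": ["tcp", "udp"],
                          "destination-port": [8080]}, "accept"),
    ("PORT_8080_OUTSIDE", {"source-address": ["0.0.0.0/0"],
                           "destination-address": ["10.10.10.10/32"],
                           "protocol": ["tcp", "udp"],
                           "destination-port": [8080]}, "reject"),
    ("ANY_OTHER", {}, "accept"),   # no conditions: matches everything left
]

# Assumed packet field names used by this model (not Junos terminology).
FIELD = {"source-address": "src", "destination-address": "dst",
         "protocol": "proto", "destination-port": "dport"}

def _condition_matches(cond, values, pkt):
    actual = pkt[FIELD[cond]]
    if cond.endswith("-address"):
        return any(ipaddress.ip_address(actual) in ipaddress.ip_network(v)
                   for v in values)
    return actual in values

def evaluate(filter_terms, pkt):
    """Return (term_name, action) of the first matching term. A packet that
    matches no term hits the implicit discard at the end of a Junos filter."""
    for name, conditions, action in filter_terms:
        if all(_condition_matches(c, v, pkt) for c, v in conditions.items()):
            return name, action
    return ("implicit-default", "discard")

def packet(src, dst, proto, dport):
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}

if __name__ == "__main__":
    # Constructed sample flows toward the server behind xe-1/0/5.
    for p in [packet("192.168.0.5", "10.10.10.10", "tcp", 8080),
              packet("203.0.113.7", "10.10.10.10", "tcp", 8080),
              packet("203.0.113.7", "10.10.10.10", "tcp", 22)]:
        print(p, "->", evaluate(RESTRICT_ACCESS, p))
    # Term order matters: with PORT_8080_OUTSIDE first, 0.0.0.0/0 shadows
    # the inside term and the allowed subnet is rejected as well.
    reordered = [RESTRICT_ACCESS[1], RESTRICT_ACCESS[0], RESTRICT_ACCESS[2]]
    print(evaluate(reordered, packet("192.168.0.5", "10.10.10.10", "tcp", 8080)))
```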