Juniper QFX Routing Engine Firewall

This firewall template can be used to secure the routing engine of QFX series devices.

Please check the “Juniper Routing Engine Firewall Templates” page first. The prefix lists that must be created to use these firewall rules are located on that page.

IPv4 Filter

This filter is specific to IPv4.

firewall {
    family inet {
        filter Input:Routing-Engine:IPv4 {
            /* Protect against CVE-2014-6380 */
            term Fragments:Discard {
                from {
                    is-fragment;
                }
                then {
                    discard;
                }
            }
            /* Discard ICMP traffic that is in a type the router should not be getting */
            term ICMP:Blacklisted:Discard {
                from {
                    protocol icmp;
                    icmp-type [ info-reply info-request mask-reply mask-request redirect router-advertisement router-solicit ];
                }
                then {
                    discard;
                }
            }
            /* Allow all other ICMP types with a total rate limit of 5 megabits */
            term ICMP:Police {
                from {
                    protocol icmp;
                }
                then {
                    policer Routing-Engine:ICMP:5m;
                    accept;
                }
            }
            /* Allow BGP from BGP neighbours */
            term Protocols:BGP-Connect:Accept {
                from {
                    source-prefix-list {
                        Firewall:Routing-Engine:Dynamic:BGP:IPv4;
                        Firewall:Routing-Engine:Dynamic:BGP-RI:IPv4;
                    }
                    protocol tcp;
                    destination-port bgp;
                }
                then accept;
            }
            /* Allow BGP (Reply) from BGP neighbours */
            term Protocols:BGP-Reply:Accept {
                from {
                    source-prefix-list {
                        Firewall:Routing-Engine:Dynamic:BGP:IPv4;
                        Firewall:Routing-Engine:Dynamic:BGP-RI:IPv4;
                    }
                    protocol tcp;
                    source-port bgp;
                }
                then accept;
            }
            /* Allow BGP BFD from BGP neighbours */
            term Protocols:BGP-BFD:Accept {
                from {
                    source-prefix-list {
                        Firewall:Routing-Engine:Dynamic:BGP:IPv4;
                        Firewall:Routing-Engine:Dynamic:BGP-RI:IPv4;
                    }
                    protocol udp;
                    destination-port [ 4784 3784 3785 ];
                }
                then accept;
            }
            /* Accept SSH connections from whitelisted hosts */
            term Management:SSH:Accept {
                from {
                    source-prefix-list {
                        Firewall:Routing-Engine:Static:Management:IPv4;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            /* Accept SNMP requests from defined clients */
            term Management:SNMP:Accept {
                from {
                    source-prefix-list {
                        Firewall:Routing-Engine:Static:SNMP:IPv4;
                        Firewall:Routing-Engine:Dynamic:SNMP:IPv4;
                    }
                    protocol udp;
                    destination-port snmp;
                }
                then accept;
            }
            /* Allow NTP traffic on the local interface (required for monitoring the status of the NTP service) */
            term Management:NTP-Query:Accept {
                from {
                    source-prefix-list {
                        Firewall:Routing-Engine:Dynamic:Loopbacks:IPv4;
                    }
                    destination-prefix-list {
                        Firewall:Routing-Engine:Dynamic:Loopbacks:IPv4;
                    }
                    protocol udp;
                    source-port ntp;
                }
                then accept;
            }
            /* Allow NTP traffic on the local interface (required for monitoring the status of the NTP service) */
            term Management:NTP-Response:Accept {
                from {
                    source-prefix-list {
                        Firewall:Routing-Engine:Dynamic:Loopbacks:IPv4;
                    }
                    destination-prefix-list {
                        Firewall:Routing-Engine:Dynamic:Loopbacks:IPv4;
                    }
                    protocol udp;
                    destination-port ntp;
                }
                then accept;
            }
            /* Allow UDP traceroute but rate limit to 5 megabits */
            term Service:TraceRoute:Police {
                from {
                    protocol udp;
                    destination-port 33434-33534;
                }
                then {
                    policer Routing-Engine:TraceRoute:5m;
                    accept;
                }
            }
            /* Allow NTP responses from NTP servers */
            term Service:NTP:Accept {
                from {
                    source-prefix-list {
                        Firewall:Routing-Engine:Dynamic:NTP:IPv4;
                    }
                    protocol udp;
                    destination-port ntp;
                }
                then accept;
            }
            /* Allow DNS responses from DNS servers */
            term Service:DNS:Accept {
                from {
                    source-prefix-list {
                        Firewall:Routing-Engine:Dynamic:DNS:IPv4;
                    }
                    protocol udp;
                    source-port domain;
                }
                then accept;
            }
            /* Allow RADIUS responses from RADIUS servers */
            term Service:RADIUS:Accept {
                from {
                    source-prefix-list {
                        Firewall:Routing-Engine:Dynamic:RADIUS:IPv4;
                    }
                    protocol udp;
                    source-port [ radacct radius ];
                }
                then accept;
            }
            /* Allow DHCP server requests */
            inactive: term Service:DHCP-Server:Accept {
                from {
                    protocol udp;
                    source-port [ 67 68 ];
                    destination-port [ 67 68 ];
                }
                then accept;
            }
            /* Any unmatched traffic will be dropped */
            term Default:Discard {
                then {
                    count Routing-Engine:Default-Discard;
                    discard;
                }
            }
        }
    }
}

IPv6 Filter

This filter is specific to IPv6.

firewall {
    family inet6 {
        filter Input:Routing-Engine:IPv6 {
            /* Allow multicast */
            term Multicast:Accept {
                from {
                    destination-address {
                        ff00::/8;
                    }
                }
                then accept;
            }
            /* Allow ICMPv6 types that are required for IPv6 to work */
            term ICMP:Whitelisted:Accept {
                from {
                    next-header icmp6;
                    icmp-type [ neighbor-solicit neighbor-advertisement packet-too-big parameter-problem ];
                }
                then accept;
            }
            /* Discard ICMPv6 types that are not required */
            term ICMP:Blacklisted:Discard {
                from {
                    next-header icmp6;
                    icmp-type [ certificate-path-advertisement certificate-path-solicitation home-agent-address-discovery-reply home-agent-address-discovery-request inverse-neighbor-discovery-advertisement inverse-neighbor-discovery-solicitation redirect ];
                }
                then discard;
            }
            /* Allow any unmatched ICMPv6 but rate limit to 20mbit */
            term ICMP:Police {
                from {
                    next-header icmp6;
                }
                then {
                    policer Routing-Engine:ICMP:20m;
                    accept;
                }
            }
            /* Allow link local ESP */
            term Protocols:ESP:Accept {
                from {
                    source-address {
                        fe80::/64;
                    }
                    next-header esp;
                }
                then accept;
            }
            /* Allow link local OSPF */
            term Protocols:OSPF:Accept {
                from {
                    source-address {
                        fe80::/64;
                    }
                    next-header ospf;
                }
                then accept;
            }
            /* Allow link local BFD */
            term Protocols:BFD:Accept {
                from {
                    source-address {
                        fe80::/64;
                    }
                    next-header udp;
                    destination-port 3784;
                }
                then accept;
            }
            /* Allow BGP from BGP neighbours */
            term Protocols:BGP-Connect:Accept {
                from {
                    source-prefix-list {
                        Firewall:Routing-Engine:Dynamic:BGP:IPv6 ;
                        Firewall:Routing-Engine:Dynamic:BGP-RI:IPv6;
                    }
                    next-header tcp;
                    destination-port bgp;
                }
                then accept;
            }
            /* Allow BGP (Reply) from BGP neighbours */
            term Protocols:BGP-Reply:Accept {
                from {
                    source-prefix-list {
                        Firewall:Routing-Engine:Dynamic:BGP:IPv6 ;
                        Firewall:Routing-Engine:Dynamic:BGP-RI:IPv6;
                    }
                    next-header tcp;
                    source-port bgp;
                }
                then accept;
            }
            /* Allow BGP BFD from BGP neighbours */
            term Protocols:BGP-BFD:Accept {
                from {
                    source-prefix-list {
                        Firewall:Routing-Engine:Dynamic:BGP:IPv6 ;
                        Firewall:Routing-Engine:Dynamic:BGP-RI:IPv6;
                    }
                    next-header udp;
                    destination-port [ 4784 3784 3785 ];
                }
                then accept;
            }
            /* Accept SSH connections from whitelisted hosts */
            term Management:SSH:Accept {
                from {
                    source-prefix-list {
                        Firewall:Routing-Engine:Static:Management:IPv6;
                    }
                    next-header tcp;
                    destination-port ssh;
                }
                then accept;
            }
            /* Accept SNMP requests from defined clients */
            term Management:SNMP:Accept {
                from {
                    source-prefix-list {
                        FiFirewall:Routing-Engine:Static:SNMP:IPv6;
                    }
                    next-header udp;
                    destination-port snmp;
                }
                then accept;
            }
            /* Allow NTP traffic on the local interface (required for monitoring the status of the NTP service) */
            term Management:NTP-Query:Accept {
                from {
                    source-prefix-list {
                        Firewall:Routing-Engine:Dynamic:Loopbacks:IPv6;
                    }
                    destination-prefix-list {
                        Firewall:Routing-Engine:Dynamic:Loopbacks:IPv6;
                    }
                    next-header udp;
                    source-port ntp;
                }
                then accept;
            }
            /* Allow NTP traffic on the local interface (required for monitoring the status of the NTP service) */
            term Management:NTP-Response:Accept {
                from {
                    source-prefix-list {
                        Firewall:Routing-Engine:Dynamic:Loopbacks:IPv6;
                    }
                    destination-prefix-list {
                        Firewall:Routing-Engine:Dynamic:Loopbacks:IPv6;
                    }
                    next-header udp;
                    destination-port ntp;
                }
                then accept;
            }
            /* Allow UDP traceroute but rate limit to 5 megabits */
            term Service:TraceRoute:Police {
                from {
                    next-header udp;
                    destination-port 33434-33534;
                }
                then {
                    policer Routing-Engine:TraceRoute:5m;
                    accept;
                }
            }
            /* Allow NTP responses from NTP servers */
            term Service:NTP:Accept {
                from {
                    source-prefix-list {
                        Firewall:Routing-Engine:Dynamic:NTP:IPv6;
                    }
                    next-header udp;
                    destination-port ntp;
                }
                then accept;
            }
            /* Allow DNS responses from DNS servers */
            term Service:DNS:Accept {
                from {
                    source-prefix-list {
                        Firewall:Routing-Engine:Dynamic:NTP:IPv6;
                    }
                    next-header udp;
                    source-port domain;
                }
                then accept;
            }
            /* Allow RADIUS responses from RADIUS servers */
            term Service:RADIUS:Accept {
                from {
                    source-prefix-list {
                        Firewall:Routing-Engine:Dynamic:RADIUS:IPv6;
                    }
                    next-header udp;
                    source-port [ radacct radius ];
                }
                then accept;
            }
            /* Allow DHCPv6 */
            inactive: term Service:DHCPv6:Accept {
                from {
                    next-header udp;
                    source-port [ 546 547 ];
                    destination-port [ 546 547 ];
                }
                then accept;
            }
            /* Any unmatched traffic will be dropped */
            term Default:Discard {
                then {
                    count Routing-Engine:Default-Discard;
                    discard;
                }
            }
        }
    }
}

Policers

The policers are used to rate limit traffic to the routing engine.

firewall {
    /* Policer used by the routing engine to rate limit ICMP to a reasonable level */
    policer Routing-Engine:ICMP:5m {
        if-exceeding {
            bandwidth-limit 5m;
            burst-size-limit 1m;
        }
        then discard;
    }
    /* Policer used by the routing engine to rate limit ICMP to a reasonable level */
    policer Routing-Engine:ICMP:20m {
        if-exceeding {
            bandwidth-limit 20m;
            burst-size-limit 1m;
        }
        then discard;
    }
    /* Policer used by the routing engine to rate limit traceroute to a reasonable level */
    policer Routing-Engine:TraceRoute:5m {
        if-exceeding {
            bandwidth-limit 5m;
            burst-size-limit 1m;
        }
        then discard;
    }
}

Leave a Reply

Your email address will not be published. Required fields are marked *