Filter-Specific Counters and Policers
Filter-Specific Policer Overview
By default, a policer operates in term-specific mode: for a given firewall filter, Junos OS creates a separate policer instance for every filter term that references the policer. Each referencing term therefore gets its own rate limit, and the aggregate rate the filter admits can be the configured limit multiplied by the number of terms that reference the policer. As an option, you can configure a policer to operate in filter-specific mode so that a single policer instance is shared by all terms (within the same firewall filter) that reference the policer, and the configured limit applies to the filter as a whole.
For an IPv4 firewall filter with multiple terms that reference the same policer, configuring the policer to operate in filter-specific mode enables you to count and monitor the activity of the policer at the firewall filter level rather than term by term.
Note: Term-specific mode and filter-specific mode also apply to prefix-specific policer sets.
To enable a single-rate two-color policer to operate in filter-specific mode, you can include the filter-specific statement at the following hierarchy levels:
- [edit firewall policer policer-name]
- [edit logical-systems logical-system-name firewall policer policer-name]
You can reference filter-specific policers from IPv4 (family inet) firewall filters only.
Example: Configuring a Stateless Firewall Filter to Protect Against TCP and ICMP Floods
This example shows how to create a stateless firewall filter that protects against TCP and ICMP denial-of-service attacks.
Requirements
No special configuration beyond device initialization is required before configuring stateless firewall filters.
Overview
In this example, you create a stateless firewall filter called protect-RE that polices TCP and ICMP packets. This example includes the following policers:
- tcp-connection-policer—Limits the traffic rate of the TCP packets to 500,000 bps and the burst size to 15,000 bytes. Packets that exceed the traffic rate are discarded.
- icmp-policer—Limits the traffic rate of the ICMP packets to 1,000,000 bps and the burst size to 15,000 bytes. Packets that exceed the traffic rate are discarded.
When specifying limits, the bandwidth limit can be from 32,000 bps to 32,000,000,000 bps and the burst-size limit can be from 1,500 bytes through 100,000,000 bytes. Use the following abbreviations when specifying limits: k (1,000), m (1,000,000), and g (1,000,000,000).
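The policer behaviour described above (one token bucket per policer instance, shared across terms only in filter-specific mode) as an added Python model. This is example code written for this page, not Junos OS code: it assumes byte-granular token-bucket accounting, a 1500-byte MTU for IPv4 fragmentation, and a constructed traffic trace. The limits are the ones from this example (15k burst, 500k and 1m bandwidth). It also shows why a 20000-byte ping, which the Verification section later uses to exceed the policer, gets no reply: the request is fragmented and the policer discards the fragments that do not fit in the burst.

```python
"""Simplified model of a Junos single-rate two-color policer (added example,
not Junos OS code).

A policer instance is a token bucket holding at most burst-size-limit bytes,
refilled at bandwidth-limit bits per second.  A packet is in-profile (green)
if the bucket holds at least its length; otherwise it is out-of-profile (red)
and, as in the protect-RE example, discarded.  Assumptions: byte-granular
accounting, a 1500-byte MTU for fragmentation, and a constructed traffic trace.
"""
from dataclasses import dataclass, field


@dataclass
class Policer:
    bandwidth_bps: int                 # if-exceeding bandwidth-limit
    burst_bytes: int                   # if-exceeding burst-size-limit
    tokens: float = field(init=False)
    last_t: float = field(init=False, default=0.0)
    exceeded: int = field(init=False, default=0)   # 'Policers ... Packets' in show firewall

    def __post_init__(self) -> None:
        self.tokens = float(self.burst_bytes)      # bucket starts full

    def admit(self, t: float, length: int) -> bool:
        """Return True if a packet of `length` bytes arriving at time t is in-profile."""
        refill = (t - self.last_t) * self.bandwidth_bps / 8
        self.tokens = min(float(self.burst_bytes), self.tokens + refill)
        self.last_t = t
        if length <= self.tokens:
            self.tokens -= length
            return True
        self.exceeded += 1                          # red: 'then discard'
        return False


def fragments(ip_total_len: int, mtu: int = 1500) -> list[int]:
    """Sizes on the wire of the IPv4 fragments of a datagram (20-byte header each).
    Fragment offsets are in 8-byte units, so each full fragment carries 1480 bytes."""
    if ip_total_len <= mtu:
        return [ip_total_len]
    payload = ip_total_len - 20
    per_frag = (mtu - 20) // 8 * 8
    sizes = []
    while payload > 0:
        chunk = min(per_frag, payload)
        sizes.append(chunk + 20)
        payload -= chunk
    return sizes


def ping_gets_reply(policer: Policer, t: float, data_bytes: int) -> bool:
    """An echo request is answered only if every fragment of it passes the policer;
    one dropped fragment means the Routing Engine never reassembles the request."""
    total = 20 + 8 + data_bytes                    # IP header + ICMP header + data
    results = [policer.admit(t, size) for size in fragments(total)]
    return all(results)


def icmp_scenario() -> tuple[bool, bool, int]:
    """icmp-policer from the example: 1m bandwidth, 15k burst.  Ten default pings
    (56 data bytes, one per second) and then one 20000-byte ping."""
    p = Policer(bandwidth_bps=1_000_000, burst_bytes=15_000)
    small = [ping_gets_reply(p, float(t), 56) for t in range(10)]
    big_ok = ping_gets_reply(p, 10.0, 20_000)
    return all(small), big_ok, p.exceeded


def mode_scenario(filter_specific: bool) -> int:
    """Two terms of one filter reference the same policer definition (500k, 15k).
    Forty 1000-byte packets arrive back to back, alternating between the terms.
    Returns how many packets the filter admits towards the Routing Engine."""
    defn = dict(bandwidth_bps=500_000, burst_bytes=15_000)
    if filter_specific:
        shared = Policer(**defn)                   # one instance for the whole filter
        instances = {"term-a": shared, "term-b": shared}
    else:
        instances = {"term-a": Policer(**defn),    # term-specific: one instance per term
                     "term-b": Policer(**defn)}
    admitted = 0
    for i in range(40):
        term = "term-a" if i % 2 == 0 else "term-b"
        if instances[term].admit(0.0, 1000):
            admitted += 1
    return admitted


if __name__ == "__main__":
    print("default pings answered, 20000-byte ping answered, ICMP packets policed:",
          icmp_scenario())
    print("filter-specific mode admits", mode_scenario(True), "packets")
    print("term-specific mode admits", mode_scenario(False), "packets")
```

With the shared instance the two terms together admit one burst of 15,000 bytes; with per-term instances they admit two, so the limit the Routing Engine actually sees doubles. That is the reason to set filter-specific on a policer that more than one term references.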
Each policer is incorporated into the action of a filter term. This example includes the following terms:
- tcp-connection-term—Polices certain TCP packets with a source address of 192.168.122.0/24 or 10.2.1.0/24. These addresses are defined in the trusted-addresses prefix list. Policed packets include connection request packets (SYN flag bit set and ACK flag bit clear), connection release packets (FIN flag bit set), and connection reset packets (RST flag bit set).
- icmp-term—Polices echo request packets, echo reply packets, unreachable packets, and time-exceeded packets. All of these ICMP packets are counted in the icmp-counter counter.
Note: You can move terms within the firewall filter by using the insert command. See insert in the CLI User Guide.
If you want to include the terms created in this procedure in the protect-RE firewall filter configured in Example: Configuring a Stateless Firewall Filter to Accept Traffic from Trusted Sources, perform the configuration tasks in this example first. Then configure the terms as described in Example: Configuring a Stateless Firewall Filter to Accept Traffic from Trusted Sources. This approach ensures that the rate-limiting terms are included as the first two terms in the firewall filter. Keep in mind that a firewall filter ends with an implicit discard: if protect-RE is applied as an input filter on the loopback interface with only the two terms from this example, every other packet destined for the Routing Engine (routing protocol traffic included) is dropped, which is why the accept terms from the companion example must follow these two.
Configuration
CLI Quick Configuration
To quickly configure the stateless firewall filter, copy the following commands to a text file, remove any line breaks, and then paste the commands into the CLI at the [edit] hierarchy level. They are the set-statement form of the step-by-step procedure that follows.

set firewall policer tcp-connection-policer filter-specific
set firewall policer tcp-connection-policer if-exceeding burst-size-limit 15k
set firewall policer tcp-connection-policer if-exceeding bandwidth-limit 500k
set firewall policer tcp-connection-policer then discard
set firewall policer icmp-policer filter-specific
set firewall policer icmp-policer if-exceeding burst-size-limit 15k
set firewall policer icmp-policer if-exceeding bandwidth-limit 1m
set firewall policer icmp-policer then discard
set policy-options prefix-list trusted-addresses 192.168.122.0/24
set policy-options prefix-list trusted-addresses 10.2.1.0/24
set firewall family inet filter protect-RE term tcp-connection-term from source-prefix-list trusted-addresses
set firewall family inet filter protect-RE term tcp-connection-term from protocol tcp
set firewall family inet filter protect-RE term tcp-connection-term from tcp-flags "(syn & !ack) | fin | rst"
set firewall family inet filter protect-RE term tcp-connection-term then policer tcp-connection-policer
set firewall family inet filter protect-RE term tcp-connection-term then accept
set firewall family inet filter protect-RE term icmp-term from protocol icmp
set firewall family inet filter protect-RE term icmp-term from icmp-type [ echo-request echo-reply unreachable time-exceeded ]
set firewall family inet filter protect-RE term icmp-term then policer icmp-policer
set firewall family inet filter protect-RE term icmp-term then count icmp-counter
set firewall family inet filter protect-RE term icmp-term then accept
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.
To configure stateless firewall filter policers:
Define the first policer.

[edit]
user@host# edit firewall policer tcp-connection-policer

Define the action for the policer.

[edit firewall policer tcp-connection-policer]
user@host# set then discard

Configure the policer to operate in filter-specific mode and define its rate limits (500,000 bps, 15,000-byte burst, as described in the Overview).

[edit firewall policer tcp-connection-policer]
user@host# set filter-specific
user@host# set if-exceeding burst-size-limit 15k bandwidth-limit 500k

Define the second policer.

[edit]
user@host# edit firewall policer icmp-policer

Define the action for the policer.

[edit firewall policer icmp-policer]
user@host# set then discard

Configure the policer to operate in filter-specific mode and set its rate limits.

[edit firewall policer icmp-policer]
user@host# set filter-specific
user@host# set if-exceeding burst-size-limit 15k bandwidth-limit 1m

Define the prefix list.

[edit]
user@host# set policy-options prefix-list trusted-addresses 192.168.122.0/24
user@host# set policy-options prefix-list trusted-addresses 10.2.1.0/24

Create the stateless firewall filter.

[edit]
user@host# edit firewall family inet filter protect-RE

Define the first term for the filter.

[edit firewall family inet filter protect-RE]
user@host# edit term tcp-connection-term

Define the source address match condition for the term.

[edit firewall family inet filter protect-RE term tcp-connection-term]
user@host# set from source-prefix-list trusted-addresses

Define the protocol match conditions for the term.

[edit firewall family inet filter protect-RE term tcp-connection-term]
user@host# set from protocol tcp tcp-flags "(syn & !ack) | fin | rst"

Define the actions for the term.

[edit firewall family inet filter protect-RE term tcp-connection-term]
user@host# set then policer tcp-connection-policer accept

Define the second term.

[edit]
user@host# edit firewall family inet filter protect-RE term icmp-term

Define the protocol for the term.

[edit firewall family inet filter protect-RE term icmp-term]
user@host# set from protocol icmp

Define the match conditions for the term.

[edit firewall family inet filter protect-RE term icmp-term]
user@host# set from icmp-type [echo-request echo-reply unreachable time-exceeded]

Define the action for the term.

[edit firewall family inet filter protect-RE term icmp-term]
user@host# set then policer icmp-policer count icmp-counter accept
Results
Confirm your configuration by entering the show firewall command and the show policy-options command from configuration mode. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
- Displaying Stateless Firewall Filter Configurations
- Verifying a TCP and ICMP Flood Firewall Filter
- Displaying Firewall Filter Statistics
Displaying Stateless Firewall Filter Configurations
Purpose
Verify the configuration of the firewall filter.
Action
From configuration mode, enter the show firewall command.
Meaning
Verify that the output shows the intended configuration of the firewall filter. In addition, verify that the terms are listed in the order in which you want the packets to be tested. You can move terms within a firewall filter by using the insert CLI command.
Verifying a TCP and ICMP Flood Firewall Filter
Purpose
Verify that the actions of the firewall filter terms are taken.
Action
Send packets to the device that match the terms. In addition, verify that the filter actions are not taken for packets that do not match.
- Verify that the device can establish TCP sessions only with a host whose IP address matches 192.168.122.0/24 or 10.2.1.0/24. For example, log in to the device with the telnet host-name command from another host with one of these address prefixes.
- Use the ping host-name command to verify that the device responds only to ICMP packets (such as ping requests) that do not exceed the policer traffic rates.
- Use the ping host-name size bytes command to exceed the policer traffic rates by sending ping requests with large data payloads.
Sample Output
user@host> telnet 192.168.249.71
Trying 192.168.249.71...
Connected to host.acme.net.
Escape character is '^]'.

host (ttyp0)

login: user
Password:

--- JUNOS 6.4-20040521.1 built 2004-05-21 09:38:12 UTC
user@host>

user@host> ping 192.168.249.71
PING host-ge-000.acme.net (192.168.249.71): 56 data bytes
64 bytes from 192.168.249.71: icmp_seq=0 ttl=253 time=11.946 ms
64 bytes from 192.168.249.71: icmp_seq=1 ttl=253 time=19.474 ms
64 bytes from 192.168.249.71: icmp_seq=2 ttl=253 time=14.639 ms
...

user@host> ping 192.168.249.71 size 20000
PING host-ge-000.acme.net (192.168.249.71): 20000 data bytes
^C
--- host-ge-000.acme.net ping statistics ---
12 packets transmitted, 0 packets received, 100% packet loss
Meaning
Verify the following information:
- You can successfully log in to the device using Telnet.
- The device sends responses to the ping host command.
- The device does not send responses to the ping host size 20000 command.
Displaying Firewall Filter Statistics
Purpose
Verify that packets are being policed and counted.
Action
From operational mode, enter the show firewall filter filter-name command.
Sample Output
user@host> show firewall filter protect-RE
Filter: protect-RE
Counters:
Name                                                Bytes              Packets
icmp-counter                                      1040000                 5600
Policers:
Name                                                                   Packets
tcp-connection-policer                                               643254873
icmp-policer                                                              7391
Meaning
Verify the following information:
- Next to Filter, the name of the firewall filter is correct.
- Under Counters:
- Under Name, the names of any counters configured in the firewall filter are correct.
- Under Bytes, the number of bytes that match the filter term containing the count counter-name action are shown.
- Under Packets, the number of packets that match the filter term containing the count counter-name action are shown.
- Under Policers:
- Under Name, the names of any policers configured in the firewall filter are correct.
- Under Packets, the number of packets that exceeded the rate limits of the policer and were therefore subject to its action (here, discard) are shown. Because the policers in this example are filter-specific, each value covers every term in the filter that references the policer; a value that keeps rising between polls means traffic in those terms is being rate-limited.
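Reading the show firewall output by eye works for one router; for ongoing monitoring a practitioner polls it and watches the policer counters grow. The following is an added example, not Junos OS code or output: it parses text in the layout of the Sample Output above into counters and policer drop counts, then computes the per-policer drop rate between two polls and flags policers whose rate crosses a threshold. Both snapshots are constructed; the second one imitates an ICMP flood hitting icmp-policer 60 seconds after the first poll.

```python
"""Parse 'show firewall filter <name>' output and flag policers that have started
dropping heavily (added example, not Junos OS code).

The two snapshots are constructed to match the layout of the Sample Output in
the Verification section.  The parser keys on the 'Filter:', 'Counters:' and
'Policers:' section markers and on whitespace-separated fields, not on column
positions, so small alignment differences between releases do not break it.
"""
import re

# constructed: first poll
SNAPSHOT_T0 = """\
Filter: protect-RE
Counters:
Name                                                Bytes              Packets
icmp-counter                                      1040000                 5600
Policers:
Name                                                                   Packets
tcp-connection-policer                                               643254873
icmp-policer                                                              7391
"""

# constructed: second poll 60 seconds later, during an ICMP flood
SNAPSHOT_T1 = """\
Filter: protect-RE
Counters:
Name                                                Bytes              Packets
icmp-counter                                      6640000                72080
Policers:
Name                                                                   Packets
tcp-connection-policer                                               643254880
icmp-policer                                                             67391
"""


def parse_show_firewall(text: str) -> dict:
    """Return {'filter': name, 'counters': {name: {'bytes', 'packets'}},
    'policers': {name: out_of_profile_packets}}."""
    result = {"filter": None, "counters": {}, "policers": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Filter:\s+(\S+)$", line)
        if m:
            result["filter"] = m.group(1)
            continue
        if line == "Counters:":
            section = "counters"
            continue
        if line == "Policers:":
            section = "policers"
            continue
        if line.startswith("Name"):          # column header row of either section
            continue
        fields = line.split()
        if section == "counters" and len(fields) == 3:
            name, nbytes, pkts = fields
            result["counters"][name] = {"bytes": int(nbytes), "packets": int(pkts)}
        elif section == "policers" and len(fields) == 2:
            name, pkts = fields
            result["policers"][name] = int(pkts)
    return result


def policer_drop_rates(before: dict, after: dict, seconds: float) -> dict:
    """Out-of-profile packets per second for each policer between two polls.
    The counters only grow until cleared with 'clear firewall', so a negative
    delta means a clear or a reboot and is reported as 0.0 rather than negative."""
    rates = {}
    for name, start in before["policers"].items():
        delta = after["policers"].get(name, start) - start
        rates[name] = delta / seconds if delta >= 0 else 0.0
    return rates


def flood_alerts(before: dict, after: dict, seconds: float, threshold_pps: float) -> list:
    """Names of policers whose drop rate reached the threshold, sorted for stable output."""
    rates = policer_drop_rates(before, after, seconds)
    return sorted(name for name, pps in rates.items() if pps >= threshold_pps)


if __name__ == "__main__":
    t0 = parse_show_firewall(SNAPSHOT_T0)
    t1 = parse_show_firewall(SNAPSHOT_T1)
    print(policer_drop_rates(t0, t1, 60))
    print("flood suspected on:", flood_alerts(t0, t1, 60, threshold_pps=100))
```

The threshold is the operator's choice; the useful signal is the rate of change of the Policers counter, not its absolute value, because a filter-specific policer on a busy box accumulates drops indefinitely until the counter is cleared.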