[ Contents] [ Prev] [ Next] [ Index] [ Report an Error]

JUNOS Default Groups

The JUNOS software provides a default, hidden configuration group called junos-defaults that is automatically applied to the configuration of your routing platform. The junos-defaults group contains preconfigured statements that contain predefined values for common applications. Some of the statements must be referenced to take effect, such as applications like FTP or Telnet. Other statements are applied automatically, such as terminal settings. All of the preconfigured statements begin with the reserved name junos-.

Note: You can override the JUNOS default configuration values, but you cannot delete or edit them. If you delete a configuration, the defaults return when a new configuration is added.

You cannot use the apply-groups statement with the JUNOS defaults group.

To view the full set of available preset statements from the JUNOS default group, issue the show groups junos-defaults configuration mode command. The following example displays a partial list of JUNOS default groups that use application protocols (ALGs).

user@host# show groups junos-defaults
... output for other groups defined at the [edit groups junos-defaults] hierarchy level ...
applications {
# File Transfer Protocol
application junos-ftp {
application-protocol ftp;
protocol tcp;
destination-port 21;
}
# Trivial File Transfer Protocol
application junos-tftp {
application-protocol tftp;
protocol udp;
destination-port 69;
}
# RPC port mapper on TCP
application junos-rpc-portmap-tcp {
application-protocol rpc-portmap;
protocol tcp;
destination-port 111;
}
# RPC port mapper on UDP
application junos-rpc-portmap-udp {
application-protocol rpc-portmap;
protocol udp;
destination-port 111;
}
# IP Protocol
application junos-ip {
application-protocol ip;
}
# remote exec
application junos-rexec {
application-protocol exec;
protocol tcp;
destination-port 512;
}
# remote login
application junos-rlogin {
application-protocol login;
protocol tcp;
destination-port 513;
}
# remote shell
application junos-rsh {
application-protocol shell;
protocol tcp;
destination-port 514;
}
# Real-Time Streaming Protocol
application junos-rtsp {
application-protocol rtsp;
protocol tcp;
destination-port 554;
}
# Oracle SQL servers use this protocol to execute SQL commands
# from clients, load balance, use application-specific servers, and so on.
application junos-sqlnet {
application-protocol sqlnet;
protocol tcp;
destination-port 1521;
}
# H.323 Protocol for audio/video conferencing
application junos-h323 {
application-protocol h323;
protocol tcp;
destination-port 1720;
}
# Internet Inter-ORB Protocol is used for CORBA applications.
# The ORB protocol in Java virtual machine uses port 1975 as a default.
application junos-iiop-java {
application-protocol iiop;
protocol tcp;
destination-port 1975;
}
# Internet Inter-ORB Protocol is used for CORBA applications.
# ORBIX is a CORBA framework from Iona Technologies that uses
# port 3075 as a default.
application junos-iiop-orbix {
application-protocol iiop;
protocol tcp;
destination-port 3075;
}
# RealPlayer uses RealAudio for real-time streaming.
# This was the original RealPlayer protocol.
# RTSP is more widely used by RealPlayer,
# but it still supports RealAudio.
application junos-realaudio {
application-protocol realaudio;
protocol tcp;
destination-port 7070;
}
# Traceroute application
application junos-traceroute {
application-protocol traceroute;
protocol udp;
destination-port 33435-33450;
ttl-threshold 30;
}
# Traceroute application that stops at device supporting firewall
# (packets with ttl > 1 will be discarded).
application junos-traceroute-ttl-1 {
application-protocol traceroute;
protocol udp;
destination-port 33435-33450;
ttl-threshold 1;
}
# The full range of known RPC programs using UDP.
# Specific program numbers are assigned to certain applications.
application junos-rpc-services-udp {
application-protocol rpc;
protocol udp;
rpc-program-number 100001-400000;
}
# The full range of known RPC programs using TCP.
# Specific program numbers are assigned to certain applications.
application junos-rpc-services-tcp {
application-protocol rpc;
protocol tcp;
rpc-program-number 100001-400000;
}
# All ICMP traffic
# This can be made more restrictive by specifying ICMP type and code.
application junos-icmp-all {
application-protocol icmp;
}
# ICMP ping; the echo reply is allowed upon return.
application junos-icmp-ping {
application-protocol icmp;
icmp-type echo-request;
}
# Protocol used by Windows Media Server and Windows Media Player
application junos-netshow {
application-protocol netshow;
protocol tcp;
destination-port 1755;
}
# NetBIOS, the networking protocol used on Windows networks;
# includes name service port, both UDP and TCP.
application junos-netbios-name-udp {
application-protocol netbios;
protocol udp;
destination-port 137;
}
application junos-netbios-name-tcp {
protocol tcp;
destination-port 137;
}
# NetBIOS, the networking protocol used on Windows networks;
# includes datagram service port.
application junos-netbios-datagram {
application-protocol netbios;
protocol udp;
destination-port 138;
}
# NetBIOS, the networking protocol used on Windows networks;
# includes session service port.
application junos-netbios-session {
protocol tcp;
destination-port 139;
}
# DCE-RPC port mapper on TCP
application junos-dce-rpc-portmap {
application-protocol dce-rpc-portmap;
protocol tcp;
destination-port 135;
}
# MS Exchange requires these three UUID values.
application junos-dcerpc-endpoint-mapper-service {
application-protocol dce-rpc;
protocol tcp;
uuid e1af8308-5d1f-11c9-91a4-08002b14a0fa;
}
application junos-ssh {
protocol tcp;
destination-port 22;
}
application junos-telnet {
protocol tcp;
destination-port 23;
}
application junos-smtp {
protocol tcp;
destination-port 25;
}
application junos-dns-udp {
protocol udp;
destination-port 53;
}
application junos-dns-tcp {
protocol tcp;
destination-port 53;
}
application junos-tacacs {
protocol tcp;
destination-port 49;
}
# TACACS Database Service
application junos-tacacs-ds {
protocol tcp;
destination-port 65;
}
application junos-dhcp-client {
protocol udp;
destination-port 68;
}
application junos-dhcp-server {
protocol udp;
destination-port 67;
}
application junos-bootpc {
protocol udp;
destination-port 68;
}
application junos-bootps {
protocol udp;
destination-port 67;
}
application junos-http {
protocol tcp;
destination-port 80;
}
application junos-https {
protocol tcp;
destination-port 443;
}
# SIP control session for VoIP
application junos-sip {
application-protocol sip;
protocol udp;
destination-port 5060;
learn-sip-register;
}
# “ junos-algs-outbound” defines a set of all applications
# requiring an ALG. Useful for defining a rule for an untrusted
# network to allow trusted network users to use all the
# JUNOS-supported ALGs initiated from the trusted network.
application-set junos-algs-outbound {
application junos-ftp;
application junos-tftp;
application junos-rpc-portmap-tcp;
application junos-rpc-portmap-udp;
application junos-snmp-get;
application junos-snmp-get-next;
application junos-snmp-response;
application junos-snmp-trap;
application junos-rexec;
application junos-rlogin;
application junos-rsh;
application junos-rtsp;
application junos-citrix-winframe;
application junos-citrix-winframe-udp;
application junos-sqlnet;
application junos-h323;
application junos-iiop-java;
application junos-iiop-orbix;
application junos-realaudio;
application junos-traceroute;
application junos-rpc-services-udp;
application junos-rpc-services-tcp;
application junos-icmp-all;
application junos-netshow;
application junos-netbios-name-udp;
application junos-netbios-datagram;
application junos-dce-rpc-portmap;
application junos-dcerpc-msexchange-directory-rfr;
application junos-dcerpc-msexchange-information-store;
application junos-dcerpc-msexchange-directory-nsp;
application junos-sip;
}
# “ junos-management-inbound” represents the group of applications
# that might need access to the trusted network from the untrusted
# network for management purposes.
# The set is intended for a UI to display management choices.
# NOTE: It is not recommended that you use the entire set directly in
# a firewall rule and open up firewall to all of these
# applications. Also, you should always specify the source
# and destination prefixes when using each application.
application-set junos-management-inbound {
application junos-snmp-get;
application junos-snmp-get-next;
application junos-snmp-response;
application junos-snmp-trap;
application junos-ssh;
application junos-telnet;
application junos-http;
application junos-https;
application junos-xnm-ssl;
application junos-xnm-clear-text;
application junos-icmp-ping;
application junos-traceroute-ttl-1;
}
}
}
}

To reference statements available from the junos-defaults group, include the selected junos-default-name statement at the applicable hierarchy level. To configure application protocols, see Configuring an Application Protocol; for details about a specific protocol, see ALG Descriptions.

Examples: Referencing the Preset Statement from the JUNOS Default Group

The following example is a preset statement from the JUNOS default groups that is available for FTP in a stateful firewall:

[edit]
groups {
junos-defaults {
applications {
application junos-ftp { # Use FTP default configuration
application-protocol ftp;
protocol tcp;
destination-port 21;
}
}
}

To reference a preset JUNOS default statement from the JUNOS default groups, include the junos-default-name statement at the applicable hierarchy level. For example, to reference the JUNOS default statement for FTP in a stateful firewall, include the junos-ftp statement at the [edit services stateful-firewall rule rule-name term term-name from applications] hierarchy level.

[edit]
services {
stateful-firewall {
rule my-rule {
term my-term {
from {
applications junos-ftp; #Reference predefined statement, junos-ftp,
}
}
}
}
}

The following example shows configuration of the default JUNOS IP ALG:

[edit]
services {
stateful-firewall {
rule r1 {
match-direction input;
term t1 {
from {
applications junos-ip;
}
then {
accept;
syslog;
}
}
}
}
}

If you configure the IP ALG in the stateful firewall rule, it is matched by any IP traffic, but if there is any other more specific application that matches the same traffic, the IP ALG will not be matched. For example, in the following configuration, both the ICMP ALG and the IP ALG are configured, but traffic is matched for ICMP packets, because it is the more specific match.

[edit]
services {
stateful-firewall {
rule r1 {
match-direction input;
term t1 {
from {
applications [ junos-ip junos-icmp-all ];
}
then {
accept;
syslog;
}
}
}
}
}
[ Contents] [ Prev] [ Next] [ Index] [ Report an Error]

[an error occurred while processing this directive]