Example: Configuring a DHCP Firewall Filter to Protect the Routing Engine
This example shows how to configure a firewall filter to ensure that proper DHCP packets can
reach the Routing Engine on supported routers running the jdhcpd
process.
Requirements
This configuration example applies only to routers where DHCP local server and DHCP relay agent services are provided by the jdhcpd process rather than the legacy dhcpd process or fud (UDP forwarding) process. DHCP relay must be configured under the [edit forwarding-options dhcp-relay] hierarchy level and not at the [edit forwarding-options helpers bootp] hierarchy level.
No special configuration beyond device initialization is required before you can configure this feature.
Overview
Firewall filters that process DHCP packets on the Routing Engine must properly account for both UDP port 67 (bootps) for DHCP server traffic and UDP port 68 (bootpc) for DHCP client traffic. These ports are fundamental to DHCP operations and must be correctly handled in firewall filter configurations.
The Junos OS exhibits specific DHCP packet handling behaviors that administrators must understand. When packets are received on line cards, the jdhcpd process performs encapsulation and modifies the UDP headers, setting both source and destination ports to 68 before forwarding to the Routing Engine. This port rewriting is a critical aspect of Juniper's DHCP implementation.
In DHCP relay and proxy scenarios, the traffic flow follows specific port patterns. Client-originated packets traveling to the server initially use source port 68 and destination port 67. When the server responds, it uses source and destination port 67, but the line card performs another modification, rewriting these to port 68 before delivering to the Routing Engine.
These behaviors have important firewall implications. To ensure proper DHCP operation, firewall filters must be configured to allow both ports 67 and 68. This dual-port requirement accommodates both the original client requests (using port 68 to 67) and the rewritten server responses (converted from port 67 to 68). The filter must maintain this flexibility to handle all legitimate DHCP traffic scenarios while still providing the intended protection for the Routing Engine.
This example does not show all possible configuration choices, nor does it show how the filter is applied in your configuration. This example applies to both static application of the filter as well as dynamic application with a dynamic profile.
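To make the port-rewriting point above concrete, here is a small Python model (added for this page; not Juniper code) that evaluates the two filter terms in order against constructed DHCP packets, including packets after the line card has rewritten both UDP ports to 68, and contrasts the result with a filter that permits only destination port 67. The sample addresses and the rewrite helper are assumptions used for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def term_dhcp_client_accept(p: Packet) -> bool:
    # Mirrors the dhcp-client-accept term: an unconfigured client broadcasting
    # from 0.0.0.0 to 255.255.255.255 over UDP, source port 68 to destination 67.
    return (p.src == "0.0.0.0" and p.dst == "255.255.255.255"
            and p.proto == "udp" and p.sport == 68 and p.dport == 67)


def term_dhcp_server_accept(p: Packet) -> bool:
    # Mirrors the dhcp-server-accept term: UDP with source and destination
    # ports each in {67, 68}, which covers server replies and relay traffic
    # after the line card has rewritten the ports to 68.
    return p.proto == "udp" and p.sport in (67, 68) and p.dport in (67, 68)


# Junos evaluates terms in order; the first match decides the action and an
# unmatched packet hits the implicit discard at the end of the filter.
TERMS = [("dhcp-client-accept", term_dhcp_client_accept),
         ("dhcp-server-accept", term_dhcp_server_accept)]


def evaluate(p: Packet) -> str:
    """Return the name of the first matching term, or 'implicit-discard'."""
    for name, match in TERMS:
        if match(p):
            return name
    return "implicit-discard"


def evaluate_port67_only(p: Packet) -> str:
    """A filter written without the rewrite in mind: it only permits UDP/67."""
    return "server-only-accept" if p.proto == "udp" and p.dport == 67 else "implicit-discard"


def line_card_rewrite(p: Packet) -> Packet:
    # Assumed model of the behaviour described above: both ports become 68
    # before the packet is handed to the Routing Engine.
    return Packet(p.src, p.dst, p.proto, 68, 68)


# Constructed sample traffic (addresses are illustrative only).
SAMPLE = {
    "client-discover": Packet("0.0.0.0", "255.255.255.255", "udp", 68, 67),
    "server-offer-rewritten": line_card_rewrite(Packet("192.0.2.1", "255.255.255.255", "udp", 67, 68)),
    "relay-reply-rewritten": line_card_rewrite(Packet("192.0.2.1", "192.0.2.254", "udp", 67, 67)),
    "ntp-from-host": Packet("192.0.2.10", "192.0.2.254", "udp", 123, 123),
}


def classify_all(evaluator=evaluate) -> dict:
    return {name: evaluator(p) for name, p in SAMPLE.items()}
```

Running classify_all() shows every DHCP sample accepted and the NTP packet discarded, while classify_all(evaluate_port67_only) discards the two rewritten packets, which is exactly the outage the dual-port terms prevent.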
Configuration
Procedure
CLI Quick Configuration
To quickly configure the sample Routing Engine DHCP filter, copy the following commands, paste them in a text file, remove any line breaks, and then copy and paste the commands into the CLI.
[edit]
edit firewall family inet filter RE-protect
edit term dhcp-client-accept
set from source-address 0.0.0.0/32
set from destination-address 255.255.255.255/32
set from protocol udp
set from source-port 68
set from destination-port 67
set then count dhcp-client-accept
set then accept
up
edit term dhcp-server-accept
set from protocol udp
set from source-port 67
set from source-port 68
set from destination-port 67
set from destination-port 68
set then count dhcp-server-accept
set then accept
top
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
To configure a DHCP firewall filter to protect the Routing Engine:
Create or specify a firewall filter.
[edit firewall]
user@host# edit family inet filter RE-protect
Create a filter term for the client.
[edit firewall family inet filter RE-protect]
user@host# edit term dhcp-client-accept
Specify the match conditions for DHCP packets.
[edit firewall family inet filter RE-protect term dhcp-client-accept]
user@host# set from source-address 0.0.0.0/32
user@host# set from destination-address 255.255.255.255/32
user@host# set from protocol udp
user@host# set from source-port 68
user@host# set from destination-port 67
Specify the action to take for matched packets.
[edit firewall family inet filter RE-protect term dhcp-client-accept]
user@host# set then count dhcp-client-accept
user@host# set then accept
Create a filter term for the server.
[edit firewall family inet filter RE-protect]
user@host# edit term dhcp-server-accept
Specify the match conditions for DHCP packets.
[edit firewall family inet filter RE-protect term dhcp-server-accept]
user@host# set from protocol udp
user@host# set from source-port [67 68]
user@host# set from destination-port [67 68]
Specify the action to take for matched packets.
[edit firewall family inet filter RE-protect term dhcp-server-accept]
user@host# set then count dhcp-server-accept
user@host# set then accept
Results
From configuration mode, confirm your configuration by entering the show firewall command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show firewall
family inet {
    filter RE-protect {
        term dhcp-client-accept {
            from {
                source-address {
                    0.0.0.0/32;
                }
                destination-address {
                    255.255.255.255/32;
                }
                protocol udp;
                source-port 68;
                destination-port 67;
            }
            then {
                count dhcp-client-accept;
                accept;
            }
        }
        term dhcp-server-accept {
            from {
                protocol udp;
                source-port [ 67 68 ];
                destination-port [ 67 68 ];
            }
            then {
                count dhcp-server-accept;
                accept;
            }
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the Routing Engine DHCP protection filter is properly passing DHCP packets, perform these tasks:
Verifying the DHCP Filter Operation
Purpose
Verify that both counters increment as DHCP traffic passes to the Routing Engine.
Action
From operational mode, enter the show firewall family inet filter RE-protect command.
user@host> show firewall family inet filter RE-protect
Filter: RE-protect
Counters:
Name                                                Bytes               Packets
dhcp-client-accept                                    328                     1
dhcp-server-accept                                    574                     1

user@host> show firewall family inet filter RE-protect
Filter: RE-protect
Counters:
Name                                                Bytes               Packets
dhcp-client-accept                                    660                     2
dhcp-server-accept                                   1152                     2
Meaning
The output lists both configured counters, dhcp-client-accept and dhcp-server-accept. By issuing the command more than once, you can see that the byte and packet fields of both counters increase, which shows that traffic is matching the terms and is being accepted and counted.