
Scripting How-To: Protect an lo0 routing engine from external assault

By Elevate posted 08-10-2015 11:05

  

Protect an lo0 Routing Engine from External Assault

 

For SLAX version 1.0 and higher, you can use this commit script to apply a filter to lo0 that protects the routing engine from external assault: only the configured services and protocols are accepted, and anything else that reaches the routing engine is dropped by the filter's implicit final discard.

 

It reads the configuration under [system services] and [protocols bgp group neighbor] to determine what to accept and from which sources. Where the native syntax cannot express this, an apply-macro extends it, and an lo0 filter is created from the configured protocols.


Source Code and GitHub


The source code below is also available from the following GitHub locations:

Example Configuration (the lo0-filter the script generates)

 

/* Generated by the commit script below and applied as the input filter on
 * lo0 unit 0 family inet.  Terms are evaluated in order; anything that no
 * term accepts is dropped by the filter's implicit final discard. */
filter lo0-filter {
    /* Source addresses come from the "allow" apply-macro under
     * [system services ssh]; the "except" entry is carved out. */
    term ssh {
         from {
            source-address {
                10.1.2.0/24;
                10.3.4.0/24;
                10.3.4.5/32 except;
            }
            protocol tcp;
            destination-port ssh;
        }
        then accept;
    }
    /* No "allow" macro was configured for xnm-ssl, so TCP/3220 is accepted
     * from any source address. */
    term xnm-ssl {
         from {
            protocol tcp;
            destination-port 3220;
        }
        then accept;
    }
    /* Peer taken from [protocols bgp group neighbor].
     * NOTE(review): destination-port bgp only matches sessions the peer
     * opens towards this router; a session this router opens receives its
     * replies on an ephemeral port and would fall through to the discard.
     * Consider "port bgp" (matches source or destination port). */
    term bgp {
         from {
            source-address {
                10.5.14.2/32;
            }
            protocol tcp;
            destination-port bgp;
        }
        then accept;
    }
    /* Server/peer taken from [system ntp]. */
    term ntp {
         from {
            source-address {
                10.5.5.5/32;
            }
            protocol udp;
            destination-port ntp;
        }
        then accept;
    }
}

 

Example Output (the [system services] configuration, with the allow apply-macro, that produces the ssh term above)

 

1	[edit system services]
2	user@cli# show
3	ssh {
4	    apply-macro allow {
5	        10.1.2.0/24;
6	        10.3.4.0/24;
7	        10.3.4.5/32 except;
8	    }
9	}

 

SLAX Script Contents

 

001	version 1.0;
002	 
003	ns junos = "http://xml.juniper.net/junos/*/junos";
004	ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
005	ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
006	 
007	import "../import/junos.xsl";
008	 
009	/*
010	 * Creates lo0 filter based on configured protocol
011	 *
012	 *    lo0 filter protects the routing engine from external assault
013	 *
014	 *    Look at configuration to know what (and how) to accept
015	 *        [system services]
016	 *        [protocols bgp group neighbor]
017	 *
018	 *    Use apply-macro to extend syntax where required
019	 *        [edit system services]
020	 *        user@cli# show
021	 *        ssh {
022	 *          apply-macro allow {
023	 *            10.1.2.0/24;
024	 *            10.3.4.0/24;
025	 *            10.3.4.5/32 except;
026	 *          }
027	 *        }
028	 */
029	 
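match configuration {
    /*
     * Build "lo0-filter" as a transient change and attach it to
     * lo0 unit 0 family inet as the input filter.
     *
     * One accept term is emitted per configured entry (see service-term
     * and protocol-term).  A closing discard term with a counter makes the
     * drops that Junos would apply anyway visible in "show firewall".
     *
     * Not covered by this script:
     *   - family inet6 on lo0: nothing is generated for it, so IPv6
     *     traffic to the routing engine is left unfiltered.
     *   - any protocol without a term below (for example ICMP, an IGP,
     *     SNMP, DNS/RADIUS/TACACS+ replies): it hits the discard term, so
     *     extend the call list before committing this on a device that
     *     relies on such traffic.
     */
    <transient-change> {
        <firewall> {
            <filter replace="replace"> {
                <name> "lo0-filter";
                var $services = system/services;
                /*
                 * A service that has no "allow" apply-macro is accepted
                 * from any source address.
                 */
                call service-term($name = "ssh", $this = $services/ssh);
                call service-term($name = "xnm-ssl", $port = 3220,
                                  $this = $services/xnm-ssl);
                call service-term($name = "netconf", $port = 830,
                                  $this = $services/netconf);
                /*
                 * Only [protocols bgp group neighbor] is read; BGP configured
                 * under routing-instances is not seen here.
                 */
                call protocol-term($name = "bgp", $this = protocols/bgp,
                                   $peers = protocols/bgp/group/neighbor/name);
                var $ntp = system/ntp;
                /* A boot-server under [system ntp], if configured, is not
                 * part of $peers. */
                call protocol-term($name = "ntp", $this = $ntp, $protocol = "udp",
                                   $peers = $ntp/peer/name | $ntp/server/name);
                /* Explicit, counted version of the implicit final discard. */
                <term> {
                    <name> "discard-all";
                    <then> {
                        <count> "lo0-filter-discard";
                        <discard>;
                    }
                }
            }
        }
        <interfaces> {
            <interface> {
                <name> "lo0";
                <unit> {
                    <name> "0";
                    <family> {
                        <inet> {
                            <filter> {
                                <input> "lo0-filter";
                            }
                        }
                    }
                }
            }
        }
    }
}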
068	 
template service-term($name, $port = $name, $protocol = "tcp", $this) {
    /*
     * Emit one accept term for an entry under [system services].
     *
     *   $name     term name; also the default value of $port
     *   $port     destination port to match (defaults to $name, e.g. "ssh")
     *   $protocol IP protocol to match; omitted from the term when empty
     *   $this     the service's config node; no term is emitted when absent
     *
     * Source addresses are taken from the "allow" apply-macro beneath the
     * service, one per data entry, with value "except" turning an entry
     * into an exclusion.  Without that macro the term carries no
     * source-address and the port is accepted from any source.
     */
    if ($this) {
        var $allowed = $this/apply-macro[name == "allow"]/data;
        <term> {
            <name> $name;
            <from> {
                if ($protocol) {
                    <protocol> $protocol;
                }
                <destination-port> $port;
                /* Iterating an empty node-set emits nothing. */
                for-each ($allowed) {
                    <source-address> {
                        <name> name;
                        if (value == "except") {
                            <except>;
                        }
                    }
                }
            }
            <then> {
                <accept>;
            }
        }
    }
}
097	 
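template protocol-term($name, $port = $name, $protocol = "tcp",
                       $this, $peers) {
    /*
     * Emit one accept term for a protocol, restricted to configured peers.
     *
     *   $name     term name; also the default value of $port
     *   $port     port to match (defaults to $name, e.g. "bgp", "ntp")
     *   $protocol IP protocol to match; omitted from the term when empty
     *   $this     config node that enables the protocol; no term when absent
     *   $peers    node-set of peer addresses, each emitted as a source-address
     *
     * The port is matched with "port" (source or destination) rather than
     * "destination-port": a TCP session this routing engine opens has the
     * peer's well-known port as the source port of the inbound packets and
     * an ephemeral local port as the destination, so a destination-port-only
     * match would let those packets fall through to the filter's discard.
     *
     * When $this is present but $peers is empty, the term carries no
     * source-address and the port is accepted from any source.
     */
    if ($this) {
        <term> {
            <name> $name;
            <from> {
                if ($protocol) {
                    <protocol> $protocol;
                }
                <port> $port;
                /* Iterating an empty node-set emits nothing. */
                for-each ($peers) {
                    <source-address> {
                        <name> .;
                    }
                }
            }
            <then> {
                <accept>;
            }
        }
    }
}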

 

