Protect an lo0 Routing Engine from External Assault
For SLAX version 1.0 and higher, you can use this commit script to apply a filter to lo0 to protect the routing engine from external assault.
It inspects the configuration under [system services] and [protocols bgp group neighbor] to determine what to accept, and how. It also uses apply-macro to extend the syntax where required, and creates an lo0 filter based on the configured protocols.
Source Code and GitHub
The source code below is also available from the following GitHub locations:
/* Generated by the commit script as a transient change; emitted with replace="replace", so it is rebuilt on every commit */
01 filter lo0-filter {
/* Source prefixes come from [system services ssh apply-macro allow]; a data value of "except" excludes that prefix */
02 term ssh {
03 from {
04 source-address {
05 10.1.2.0/24;
06 10.3.4.0/24;
07 10.3.4.5/32 except;
08 }
09 protocol tcp;
10 destination-port ssh;
11 }
12 then accept;
13 }
/* No allow macro under xnm-ssl, so no source-address match: tcp/3220 is accepted from any source */
14 term xnm-ssl {
15 from {
16 protocol tcp;
17 destination-port 3220;
18 }
19 then accept;
20 }
/* One source-address per [protocols bgp group <name> neighbor]; matches destination-port bgp only */
21 term bgp {
22 from {
23 source-address {
24 10.5.14.2/32;
25 }
26 protocol tcp;
27 destination-port bgp;
28 }
29 then accept;
30 }
/* One source-address per [system ntp peer] or [system ntp server] */
31 term ntp {
32 from {
33 source-address {
34 10.5.5.5/32;
35 }
36 protocol udp;
37 destination-port ntp;
38 }
39 then accept;
40 }
/* NOTE(review): no explicit final term is generated; a Junos input filter ends in an implicit discard, so RE traffic not listed above is dropped — confirm that is intended */
41 }
1 [edit system services]
2 user@cli# show
3 ssh {
/* Prefixes allowed to reach ssh; "except" excludes 10.3.4.5/32 from the 10.3.4.0/24 range */
4 apply-macro allow {
5 10.1.2.0/24;
6 10.3.4.0/24;
7 10.3.4.5/32 except;
8 }
9 }
SLAX Script Contents
001 version 1.0;
002
003 ns junos = "http://xml.juniper.net/junos/*/junos";
004 ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
005 ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
006
007 import "../import/junos.xsl";
008
009 /*
010 * Creates an lo0 filter based on the configured protocols
011 *
012 * The lo0 filter protects the routing engine from external assault
013 *
014 * The configuration is inspected to determine what (and how) to accept:
015 * [system services]
016 * [protocols bgp group neighbor]
017 *
018 * Use apply-macro to extend syntax where required
019 * [edit system services]
020 * user@cli# show
021 * ssh {
022 * apply-macro allow {
023 * 10.1.2.0/24;
024 * 10.3.4.0/24;
025 * 10.3.4.5/32 except;
026 * }
027 * }
028 */
029
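/*
 * Main template: on every commit, build lo0-filter as a transient change
 * and bind it as the inet input filter on lo0 unit 0.
 *
 * Term order is the filter's evaluation order: ssh, xnm-ssl, netconf, bgp,
 * ntp. A term is only emitted when the corresponding service or protocol is
 * configured (see service-term and protocol-term).
 *
 * NOTE(review): the filter is emitted with replace="replace", so any
 * manually configured lo0-filter is overwritten on each commit.
 * NOTE(review): nothing is emitted after the last accept term; a Junos
 * input filter ends in an implicit discard, so RE traffic not listed here
 * (for example ICMP or other routing protocols) is dropped — confirm that
 * is intended before deploying.
 */
match configuration {
    /* The unused $top variable has been removed; all paths are relative
     * to the configuration node, which is the match context here. */
    <transient-change> {
        <firewall> {
            <filter replace="replace"> {
                <name> "lo0-filter";
                var $services = system/services;
                /* ssh: destination-port defaults to the term name ("ssh") */
                call service-term($name = "ssh", $this = $services/ssh);
                /* xnm-ssl and netconf: destination port given numerically */
                call service-term($name = "xnm-ssl", $port = 3220,
                                  $this = $services/xnm-ssl);
                call service-term($name = "netconf", $port = 830,
                                  $this = $services/netconf);
                /* bgp: one source-address per configured neighbor */
                call protocol-term($name = "bgp", $this = protocols/bgp,
                                   $peers = protocols/bgp/group/neighbor/name);
                /* ntp: udp, one source-address per configured peer or server */
                var $ntp = system/ntp;
                call protocol-term($name = "ntp", $this = $ntp, $protocol = "udp",
                                   $peers = $ntp/peer/name | $ntp/server/name);
            }
        }

        /* Apply the generated filter as the input filter on lo0.0 (inet) */
        <interfaces> {
            <interface> {
                <name> "lo0";
                <unit> {
                    <name> "0";
                    <family> {
                        <inet> {
                            <filter> {
                                <input> "lo0-filter";
                            }
                        }
                    }
                }
            }
        }
    }
}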
068
/*
 * Emit one accept term for a [system services] entry.
 *
 * $name     term name; also the default destination-port (Junos port keyword)
 * $port     destination port; pass a number when no keyword exists
 * $protocol IP protocol to match; an empty value omits the protocol match
 * $this     the service's configuration node; no term is emitted when empty
 *
 * Source addresses are taken from apply-macro "allow" under the service:
 * each data name is a prefix, and a data value of "except" marks that prefix
 * as excluded. Without the macro the term carries no source-address match,
 * i.e. the port is reachable from any source.
 */
template service-term($name, $port = $name, $protocol = "tcp", $this) {
    if ($this) {
        <term> {
            <name> $name;
            <from> {
                if ($protocol) {
                    <protocol> $protocol;
                }
                <destination-port> $port;

                /* An absent macro yields an empty node-set, so nothing is emitted */
                for-each ($this/apply-macro[name == "allow"]/data) {
                    <source-address> {
                        <name> name;
                        if (value == "except") {
                            <except>;
                        }
                    }
                }
            }
            <then> {
                <accept>;
            }
        }
    }
}
097
/*
 * Emit one accept term for a protocol with a fixed list of peers.
 *
 * $name     term name; also the default destination-port (Junos port keyword)
 * $port     destination port
 * $protocol IP protocol to match; an empty value omits the protocol match
 * $this     the protocol's configuration node; no term is emitted when empty
 * $peers    node-set of peer addresses; each becomes one source-address.
 *           An empty set means no source-address match (any source).
 *
 * NOTE(review): only destination-port is matched. Inbound packets of a
 * session this router initiated carry the well-known port as source-port
 * instead, so whether they are still accepted should be checked.
 */
template protocol-term($name, $port = $name, $protocol = "tcp",
                       $this, $peers) {
    if ($this) {
        <term> {
            <name> $name;
            <from> {
                if ($protocol) {
                    <protocol> $protocol;
                }
                <destination-port> $port;

                /* Iterating an empty node-set emits nothing */
                for-each ($peers) {
                    <source-address> {
                        <name> .;
                    }
                }
            }
            <then> {
                <accept>;
            }
        }
    }
}