Junos OS


Simplify the filters for subscribers

  • 1.  Simplify the filters for subscribers

    Posted 06-19-2018 08:54

    Hello,

     

    I need to block some ports for subscribers like telnet, ssh but need to allow access for some address. 

     

    I've created the filters like:

     

    set firewall family inet filter MY-FILTER-10M interface-specific
    set firewall family inet filter MY-FILTER-10M term 10 from source-prefix-list MY-WHITELISTLIST
    set firewall family inet filter MY-FILTER-10M term 10 then policer LIMIT-10M
    set firewall family inet filter MY-FILTER-10M term 10 then accept
    set firewall family inet filter MY-FILTER-10M term BLOCK-SSH from destination-port 22
    set firewall family inet filter MY-FILTER-10M term BLOCK-SSH then discard
    set firewall family inet filter MY-FILTER-10M term BLOCK-TELNET from destination-port 23
    set firewall family inet filter MY-FILTER-10M term BLOCK-TELNET then discard
    set firewall family inet filter MY-FILTER-10M term BLOCK-DNS from destination-port 53
    set firewall family inet filter MY-FILTER-10M term BLOCK-DNS then discard
    set firewall family inet filter MY-FILTER-10M term LAST then policer LIMIT-10M
    set firewall family inet filter MY-FILTER-10M term LAST then accept


    set firewall family inet filter MY-FILTER-20M interface-specific
    set firewall family inet filter MY-FILTER-20M term 10 from source-prefix-list MY-WHITELISTLIST
    set firewall family inet filter MY-FILTER-20M term 10 then policer LIMIT-20M
    set firewall family inet filter MY-FILTER-20M term 10 then accept
    set firewall family inet filter MY-FILTER-20M term BLOCK-SSH from destination-port 22
    set firewall family inet filter MY-FILTER-20M term BLOCK-SSH then discard
    set firewall family inet filter MY-FILTER-20M term BLOCK-TELNET from destination-port 23
    set firewall family inet filter MY-FILTER-20M term BLOCK-TELNET then discard
    set firewall family inet filter MY-FILTER-20M term BLOCK-DNS from destination-port 53
    set firewall family inet filter MY-FILTER-20M term BLOCK-DNS then discard
    set firewall family inet filter MY-FILTER-20M term LAST then policer LIMIT-20M
    set firewall family inet filter MY-FILTER-20M term LAST then accept


    set dynamic-profiles PPPoE interfaces pp0 unit "$junos-interface-unit" family inet filter output $junos-output-filter

     

    The filters are huge. I need to create a lot of those.

     

    Juniper subscriber doesn't support a filter list, which would be like:

    set dynamic-profiles PPPoE interfaces pp0 unit "$junos-interface-unit" family inet filter output-list [ MY-GENERAL-FILTER $junos-output-filter]

     

    The idea is to create a general filter, and the policer filter will be just:

    set firewall family inet filter MY-FILTER-xxM term LAST then policer LIMIT-xxM
    set firewall family inet filter MY-FILTER-xxM term LAST then accept

     

    Is it possible to simplify the filters without loss of performance?



  • 2.  RE: Simplify the filters for subscribers

     
    Posted 06-19-2018 10:53

    Hi,

     

    You can call the firewall filters in a dynamic-profile. As the subscriber logs in, these filters (part of the dynamic-profile) get attached to the subscriber interface dynamically.



  • 3.  RE: Simplify the filters for subscribers

    Posted 06-19-2018 11:22

    The dynamic profile allows just one filter.



  • 4.  RE: Simplify the filters for subscribers

    Posted 06-19-2018 20:38

    Hi!

     

    If I understand your requirement correctly, you have two requirements here:

     

    1. To block certain traffic

    2. To police the rest of the traffic with a policer, and that varies from subscriber to subscriber

     

    Please correct me if there is any variation to your requirement.

     

    You are right, you can have only one filter called in a dynamic-profile, but you can have more than one service session applied to the same subscriber. That means you can call the same dynamic-profile a second time with a different policer value.

     

    In fact, for different policing needs you may also use parameterization and pass the value from RADIUS rather than configuring each one manually on the router. Take a look at the link below for details.

     

    https://www.juniper.net/documentation/en_US/junos/topics/concept/subscriber-management-par-filt-overview.html

     

     



  • 5.  RE: Simplify the filters for subscribers
    Best Answer

     
    Posted 06-19-2018 22:07

    Hugleo, that's true, but what I meant is that you can add variables to filters to attach them to your subscribers dynamically. Don't just configure the actual filter name in the dynamic-profile. In the dynamic-profile, just define the filter name with a variable like "$junos-input-filter" / "$junos-output-filter" and apply the filter per subscriber interface by returning the filter VSA from AAA.

     

    For instance, in your case, I assume you want to block SSH/TELNET/DNS, allow them only for your local B-RAS along with a policer, and discard others. Configure as such:

     

    set dynamic-profiles TEST variables host-address mandatory
    set dynamic-profiles TEST variables output-filter default-value output
    set dynamic-profiles TEST variables output-filter uid-reference
    set dynamic-profiles TEST variables output uid
    set dynamic-profiles TEST variables outPlcr uid
    set dynamic-profiles TEST variables outBrst
    set dynamic-profiles TEST variables outBW
    set dynamic-profiles TEST interfaces pp0 unit "$junos-interface-unit" family inet filter output "$output-filter"
    set dynamic-profiles TEST firewall family inet filter "$output" interface-specific
    set dynamic-profiles TEST firewall family inet filter "$output" term 1 from destination-address $host-address
    set dynamic-profiles TEST firewall family inet filter "$output" term 1 from source-prefix-list testprefixes
    set dynamic-profiles TEST firewall family inet filter "$output" term 1 from protocol tcp
    set dynamic-profiles TEST firewall family inet filter "$output" term 1 from protocol udp
    set dynamic-profiles TEST firewall family inet filter "$output" term 1 from port telnet
    set dynamic-profiles TEST firewall family inet filter "$output" term 1 from port ssh
    set dynamic-profiles TEST firewall family inet filter "$output" term 1 from port 53
    set dynamic-profiles TEST firewall family inet filter "$output" term 1 then policer "$outPlcr"
    set dynamic-profiles TEST firewall family inet filter "$output" term 1 then count accepted-by-term1
    set dynamic-profiles TEST firewall family inet filter "$output" term 1 then accept
    set dynamic-profiles TEST firewall family inet filter "$output" term 2 from destination-address $host-address
    set dynamic-profiles TEST firewall family inet filter "$output" term 2 from protocol tcp
    set dynamic-profiles TEST firewall family inet filter "$output" term 2 from protocol udp
    set dynamic-profiles TEST firewall family inet filter "$output" term 2 from port telnet
    set dynamic-profiles TEST firewall family inet filter "$output" term 2 from port ssh
    set dynamic-profiles TEST firewall family inet filter "$output" term 2 from port 53
    set dynamic-profiles TEST firewall family inet filter "$output" term 2 then policer "$outPlcr"
    set dynamic-profiles TEST firewall family inet filter "$output" term 2 then count discarded-by-term2
    set dynamic-profiles TEST firewall family inet filter "$output" term 2 then discard
    set dynamic-profiles TEST firewall policer "$outPlcr" filter-specific
    set dynamic-profiles TEST firewall policer "$outPlcr" if-exceeding bandwidth-limit "$outBW"
    set dynamic-profiles TEST firewall policer "$outPlcr" if-exceeding burst-size-limit "$outBrst"
    set dynamic-profiles TEST firewall policer "$outPlcr" then discard

     

    Note that the subscriber address is to be a host route/32, host-address. So term 1 allows SSH/TELNET/DNS (add HTTP if required) traffic from the allowed source prefix list (typically these addresses belong to your B-RAS/mgmt nodes) and polices it, and term 2 discards all others. A variable such as "$xyz" means this can be an integer value that can be returned from the AAA/RADIUS node. This way, you don't need to change/modify the firewall filters every time. The filter I've shared below may need some tuning, if any.

     

    And of course, you also need another dynamic-profile (which allows access for services like internet/voice/data/etc.) that is bound to the subscriber interface using VSA(s) such as Service-Activate-Tag(s).

     

    Now, in case you don't use AAA/RADIUS, you can still bind filters from the default instance dynamically using "set dynamic-profiles TEST predefined-variable-defaults output-filter <filter-name>".
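
Added example, not code from any poster in this thread: a Python sketch that keeps the first post's whitelist and block terms in one place, renders the per-rate `MY-FILTER-xxM` set commands from them, and walks a packet through the terms in first-match order to check that the whitelist term still precedes the block terms. The whitelist prefix and the function names are assumptions; the thread does not show the contents of MY-WHITELISTLIST.

```python
import ipaddress

# Constructed sample prefix; MY-WHITELISTLIST's real contents are not on the page.
WHITELIST = [ipaddress.ip_network("192.0.2.0/24")]
BLOCKED_PORTS = {"BLOCK-SSH": 22, "BLOCK-TELNET": 23, "BLOCK-DNS": 53}


def build_filter(rate):
    """Ordered terms of MY-FILTER-<rate>: shared terms, only the policer name varies."""
    policer = f"LIMIT-{rate}"
    terms = [("10", {"source_in": WHITELIST}, policer, "accept")]
    terms += [(name, {"dport": port}, None, "discard")
              for name, port in BLOCKED_PORTS.items()]
    terms.append(("LAST", {}, policer, "accept"))  # no "from": matches everything
    return f"MY-FILTER-{rate}", terms


def render(rate):
    """Emit the set commands for one rate, in the form used in the first post."""
    name, terms = build_filter(rate)
    base = f"set firewall family inet filter {name}"
    lines = [f"{base} interface-specific"]
    for term, match, policer, action in terms:
        if "source_in" in match:
            lines.append(f"{base} term {term} from source-prefix-list MY-WHITELISTLIST")
        if "dport" in match:
            lines.append(f"{base} term {term} from destination-port {match['dport']}")
        if policer:
            lines.append(f"{base} term {term} then policer {policer}")
        lines.append(f"{base} term {term} then {action}")
    return lines


def evaluate(rate, src, dport):
    """First-match evaluation: return (term, action, policer) for one packet."""
    _, terms = build_filter(rate)
    addr = ipaddress.ip_address(src)
    for term, match, policer, action in terms:
        if "source_in" in match and not any(addr in n for n in match["source_in"]):
            continue
        if "dport" in match and match["dport"] != dport:
            continue
        return term, action, policer
    return None, "discard", None  # implicit discard when no term matches


if __name__ == "__main__":
    print("\n".join(render("10M")))
    print(evaluate("10M", "192.0.2.10", 22))    # whitelisted source reaches SSH
    print(evaluate("20M", "198.51.100.7", 22))  # any other source is discarded
```

Reordering `build_filter` so a block term comes before term 10 makes the first `evaluate` call return a discard, which is the regression to check for when many per-rate filters are maintained.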