Junos OS

Hello,

I need to block some ports for subscribers like telnet, ssh but need to allow access for some address. 

I've created the filters like:

set firewall family inet filter MY-FILTER-10M interface-specific
set firewall family inet filter MY-FILTER-10M term 10 from source-prefix-list MY-WHITELISTLIST
set firewall family inet filter MY-FILTER-10M term 10 then policer LIMIT-10M
set firewall family inet filter MY-FILTER-10M term 10 then accept
set firewall family inet filter MY-FILTER-10M term BLOCK-SSH from destination-port 22
set firewall family inet filter MY-FILTER-10M term BLOCK-SSH then discard
set firewall family inet filter MY-FILTER-10M term BLOCK-TELNET from destination-port 23
set firewall family inet filter MY-FILTER-10M term BLOCK-TELNET then discard
set firewall family inet filter MY-FILTER-10M term BLOCK-DNS from destination-port 53
set firewall family inet filter MY-FILTER-10M term BLOCK-DNS then discard
set firewall family inet filter MY-FILTER-10M term LAST then policer LIMIT-10M
set firewall family inet filter MY-FILTER-10M term LAST then accept

set firewall family inet filter MY-FILTER-20M interface-specific
set firewall family inet filter MY-FILTER-20M term 10 from source-prefix-list MY-WHITELISTLIST
set firewall family inet filter MY-FILTER-20M term 10 then policer LIMIT-20M
set firewall family inet filter MY-FILTER-20M term 10 then accept
set firewall family inet filter MY-FILTER-20M term BLOCK-SSH from destination-port 22
set firewall family inet filter MY-FILTER-20M term BLOCK-SSH then discard
set firewall family inet filter MY-FILTER-20M term BLOCK-TELNET from destination-port 23
set firewall family inet filter MY-FILTER-20M term BLOCK-TELNET then discard
set firewall family inet filter MY-FILTER-20M term BLOCK-DNS from destination-port 53
set firewall family inet filter MY-FILTER-20M term BLOCK-DNS then discard
set firewall family inet filter MY-FILTER-20M term LAST then policer LIMIT-20M
set firewall family inet filter MY-FILTER-20M term LAST then accept

set dynamic-profiles PPPoE interfaces pp0 unit "$junos-interface-unit" family inet filter output $junos-output-filter

The filters are huge. I need to create a lot of those.

Juniper subscriber doesn't support filter list like would be: 

set dynamic-profiles PPPoE interfaces pp0 unit "$junos-interface-unit" family inet filter output-list [ MY-GENERAL-FILTER $junos-output-filter]

The ideia is create a general filters and the policer filter will be just:

set firewall family inet filter MY-FILTER-xxM term LAST then policer LIMIT-xxM
set firewall family inet filter MY-FILTER-xxM term LAST then accept

Is that possibible to simplify the filters without loss of performance?

Hi,

You can call the firewall filters in a dynamic-profile. As the subscribers logins, these filter (part of dynamic-profile) gets attached to the subscriber interface dynamically.

The dynamic profile allow just one filter

HI!

If I understand your requirement correctly. You have two requirements here:

1 To block certain traffic

2. To police rest of the traffic with a poclier and that varies from subscriber to subscriber

Please correct me if there is any variation to your requirement.

You are right you can have only filter called in a dynamic-profile, but you can have more than one service session applied to the same subscriber. That means you can call the same dynamic-profile for the second time with a different policer value.

Infact for different policing needs you may also use parametrization and pass the value from radius rather configuring each one manually on the router. Take a look on the below link for details..

https://www.juniper.net/documentation/en_US/junos/topics/concept/subscriber-management-par-filt-overview.html

Hugleo, thats true, but i meant is that you can add variables to filters to attach them to your subscribers dynamically. Don't just configure the actual the filter name in the dynamic-profile.  In dynamic-profile, just define filter name with variable like "$junos-input-filter / $junos-output-filter  and apply the filter per subscriber interface by returning the filter VSA from AAA.

For instance, in your case, i assume you want to allow block SSH/TELNET/DNS allow only for your local B-RAS along with policer and discard others, configure as such:

set dynamic-profiles TEST variables host-address mandatory
set dynamic-profiles TEST variables output-filter default-value output
set dynamic-profiles TEST variables output-filter uid-reference
set dynamic-profiles TEST variables output uid
set dynamic-profiles TEST variables outPlcr uid
set dynamic-profiles TEST variables outBrst
set dynamic-profiles TEST variables outBW
set dynamic-profiles TEST interfaces pp0 unit "$junos-interface-unit" family inet filter output "$output-filter"
set dynamic-profiles TEST firewall family inet filter "$output" interface-specific
set dynamic-profiles TEST firewall family inet filter "$output" term 1 from destination-address $host-address
set dynamic-profiles TEST firewall family inet filter "$output" term 1 from source-prefix-list testprefixes
set dynamic-profiles TEST firewall family inet filter "$output" term 1 from protocol tcp
set dynamic-profiles TEST firewall family inet filter "$output" term 1 from protocol udp
set dynamic-profiles TEST firewall family inet filter "$output" term 1 from port telnet
set dynamic-profiles TEST firewall family inet filter "$output" term 1 from port ssh
set dynamic-profiles TEST firewall family inet filter "$output" term 1 from port 53
set dynamic-profiles TEST firewall family inet filter "$output" term 1 then policer "$outPlcr"
set dynamic-profiles TEST firewall family inet filter "$output" term 1 then count accepted-by-term1
set dynamic-profiles TEST firewall family inet filter "$output" term 1 then accept
set dynamic-profiles TEST firewall family inet filter "$output" term 2 from destination-address $host-address
set dynamic-profiles TEST firewall family inet filter "$output" term 2 from protocol tcp
set dynamic-profiles TEST firewall family inet filter "$output" term 2 from protocol udp
set dynamic-profiles TEST firewall family inet filter "$output" term 2 from port telnet
set dynamic-profiles TEST firewall family inet filter "$output" term 2 from port ssh
set dynamic-profiles TEST firewall family inet filter "$output" term 2 from port 53
set dynamic-profiles TEST firewall family inet filter "$output" term 2 then policer "$outPlcr"
set dynamic-profiles TEST firewall family inet filter "$output" term 2 then count discarded-by-term2
set dynamic-profiles TEST firewall family inet filter "$output" term 2 then discard
set dynamic-profiles TEST firewall policer "$outPlcr" filter-specific
set dynamic-profiles TEST firewall policer "$outPlcr" if-exceeding bandwidth-limit "$outBW"
set dynamic-profiles TEST firewall policer "$outPlcr" if-exceeding burst-size-limit "$outBrst"
set dynamic-profiles TEST firewall policer "$outPlcr" then discard

Note that subscriber address is to be host route/32, host-address. So term 1 allows SSH/TELNET/DNS (add HTTP if required) traffic from allowed source prefix list (typically these addresses belongs to your b-ras/mgmt nodes) and police them. and term 2 discards all others. The variable such as "$xyz" means this can intger value that can be returned from AAA/Radius node. This way, you dont require to change/modify the firwall filters everytime. The filter I've share below may need some tuning if any.

And ofcourse, you also need another dynamaic-profile (which allows access for service like internet/voice/data/etc.. access) that is binded to subscriber intreface using VSA (s) such as Service-Activate-Tag(s).

Now in case say you dont use AAA/Radius, you can still bind filters from default instance dynamically using "set dynamic-profiles TEST predefined-variable-defaults output-filter <filter-name>".