MX Loopback0 Filter - From j-nsp mailing list
Reference: https://gist.github.com/tonusoo/efd9ab4fcf2bb5a45d34d5af5e3f3e0c
/*
 * Routing Engine protection (lo0) filter set, IPv4 and IPv6.
 * An input-list is walked filter by filter and term by term; a packet that
 * matches no term of one filter falls through to the next filter in the list.
 * That is why the discard-* filters are placed first and discard-all-* last:
 * everything not explicitly accepted in between is counted, logged and dropped.
 */
interfaces {
    lo0 {
        /* NOTE(review): only lo0 unit 0 (default routing instance) is covered;
           lo0 units belonging to other routing instances get no filter here - confirm. */
        unit 0 {
            family inet {
                filter {
                    /* Order: drop IP options and fragments, accept routing/management
                       protocols, then count+log+discard the remainder. */
                    input-list [ discard-ip-options discard-frags accept-single-hop-bfd-v4 accept-multi-hop-bfd-v4 accept-bgp-v4 accept-ospf2 accept-vrrpv3-v4 accept-established-v4 accept-common-services-v4 discard-all-v4 ];
                }
            }
            family inet6 {
                filter {
                    /* Same shape as inet; discard-extension-headers also covers fragments
                       because the fragment header is not in the allowed next-header set. */
                    input-list [ discard-extension-headers accept-single-hop-bfd-v6 accept-multi-hop-bfd-v6 accept-bgp-v6 accept-ospf3 accept-vrrpv3-v6 accept-established-v6 accept-common-services-v6 discard-all-v6 ];
                }
            }
        }
    }
}
policy-options {
    /* The apply-path lists are expanded from the running configuration, so they
       track [system ntp], [system name-server], [snmp] and [protocols bgp] changes
       without touching the firewall section. */
    prefix-list ntp-servers-v4 {
        apply-path "system ntp server <*.*.*.*>";
    }
    prefix-list ntp-servers-v6 {
        apply-path "system ntp server <*:*>";
    }
    prefix-list ntp-peers-v4 {
        apply-path "system ntp peer <*.*.*.*>";
    }
    prefix-list ntp-peers-v6 {
        apply-path "system ntp peer <*:*>";
    }
    prefix-list dns-servers-v4 {
        apply-path "system name-server <*.*.*.*>";
    }
    prefix-list dns-servers-v6 {
        apply-path "system name-server <*:*>";
    }
    prefix-list snmp-client-lists-v4 {
        apply-path "snmp client-list <*> <*.*.*.*>";
    }
    prefix-list snmp-client-lists-v6 {
        apply-path "snmp client-list <*> <*:*>";
    }
    prefix-list snmp-community-clients-v4 {
        apply-path "snmp community <*> clients <*.*.*.*>";
    }
    prefix-list snmp-community-clients-v6 {
        apply-path "snmp community <*> clients <*:*>";
    }
    /* Site-specific: the networks allowed to SSH, ping and traceroute as "trusted". */
    prefix-list mgnt-networks-v4 {
        10.5.5.0/24;
    }
    prefix-list mgnt-networks-v6 {
        fd1f:1605:8b9d:99::/64;
    }
    /* Only BGP groups whose name ends in "-v4" are expanded. Neighbors in a group
       named otherwise are not in this list and their sessions end in discard-all-v4. */
    prefix-list bgp-neighbors-v4 {
        apply-path "protocols bgp group <*-v4> neighbor <*.*.*.*>";
    }
    /* Same naming dependency as bgp-neighbors-v4: group names must end in "-v6". */
    prefix-list bgp-neighbors-v6 {
        apply-path "protocols bgp group <*-v6> neighbor <*:*>";
    }
    /* NOTE(review): the expansion yields address/prefix-length entries, which the
       prefix-list presumably stores as the covering prefix (i.e. the whole connected
       subnet, not just the router's own address). The OSPF, VRRP and single-hop BFD
       terms below rely on that for their source-prefix-list match - verify the
       expansion with "show configuration policy-options | display inheritance". */
    prefix-list router-v6 {
        apply-path "interfaces <*> unit <*> family inet6 address <*>";
    }
    prefix-list ipv6-link-local {
        fe80::/64;
    }
    prefix-list vrrpv3-v4 {
        224.0.0.18/32;
    }
    prefix-list vrrpv3-v6 {
        ff02::12/128;
    }
    prefix-list ospfv3 {
        /* ALLSPFRouters */
        ff02::5/128;
        /* ALLDRouters */
        ff02::6/128;
    }
    /* Used only by the internal NTP term (router talking to itself). */
    prefix-list loopback-v6 {
        ::1/128;
        apply-path "interfaces lo0 unit <*> family inet6 address <*>";
    }
    /* See the note on router-v6; same subnet-expansion assumption applies. */
    prefix-list router-v4 {
        apply-path "interfaces <*> unit <*> family inet address <*>";
    }
    prefix-list ospfv2 {
        /* ALLSPFRouters */
        224.0.0.5/32;
        /* ALLDRouters */
        224.0.0.6/32;
    }
    /* Used only by the internal NTP term (router talking to itself). */
    prefix-list loopback-v4 {
        127.0.0.1/32;
        apply-path "interfaces lo0 unit <*> family inet address <*>";
    }
}
firewall {
    family inet {
        /* Neighbor-initiated BGP sessions (neighbor -> router port 179) from configured
           neighbors only. Not policed. */
        filter accept-bgp-v4 {
            term accept-bgp-v4 {
                from {
                    source-prefix-list {
                        bgp-neighbors-v4;
                    }
                    destination-prefix-list {
                        router-v4;
                    }
                    protocol tcp;
                    destination-port bgp;
                }
                then {
                    count accept-bgp-v4;
                    accept;
                }
            }
        }
        /* Management-plane services, implemented as filter-in-filter terms so that each
           service keeps its own counters and policer. Verify the intended separation
           with "show firewall" after commit. */
        filter accept-common-services-v4 {
            /* ensures that traceroute traffic from trusted networks does not share a policer with traceroute traffic from untrusted networks */
            term accept-traceroute-v4-trusted {
                filter accept-traceroute-v4-trusted;
            }
            term accept-traceroute-v4-untrusted {
                filter accept-traceroute-v4-untrusted;
            }
            /* ensures that ICMP traffic from trusted networks does not share a policer with ICMP traffic from untrusted networks */
            term accept-icmp-trusted {
                filter accept-icmp-trusted;
            }
            term accept-icmp-untrusted {
                filter accept-icmp-untrusted;
            }
            term accept-snmp-v4 {
                filter accept-snmp-v4;
            }
            term accept-ntp-v4 {
                filter accept-ntp-v4;
            }
            term accept-dns-v4 {
                filter accept-dns-v4;
            }
            term accept-ssh-v4 {
                filter accept-ssh-v4;
            }
        }
        /* DNS replies from the configured resolvers to the router's ephemeral ports. */
        filter accept-dns-v4 {
            term accept-dns-v4 {
                from {
                    source-prefix-list {
                        dns-servers-v4;
                    }
                    destination-prefix-list {
                        router-v4;
                    }
                    protocol [ udp tcp ];
                    source-port domain;
                    /* Router-side ephemeral port range; replies outside it are discarded. */
                    destination-port 49160-65535;
                }
                then {
                    policer re-protect-1m;
                    count accept-dns-v4;
                    accept;
                }
            }
        }
        /* Return traffic for TCP sessions the router itself opened (tcp-established only). */
        filter accept-established-v4 {
            /* allows router to establish SSH sessions to management network */
            term accept-established-ssh-v4 {
                from {
                    source-prefix-list {
                        mgnt-networks-v4;
                    }
                    destination-prefix-list {
                        router-v4;
                    }
                    protocol tcp;
                    source-port ssh;
                    destination-port 49160-65535;
                    tcp-established;
                }
                then {
                    policer re-protect-20m;
                    count accept-established-ssh-v4;
                    accept;
                }
            }
            /* allows router to establish BGP sessions with BGP neighbors */
            term accept-established-bgp-v4 {
                from {
                    source-prefix-list {
                        bgp-neighbors-v4;
                    }
                    destination-prefix-list {
                        router-v4;
                    }
                    protocol tcp;
                    source-port bgp;
                    destination-port 49160-65535;
                    tcp-established;
                }
                then {
                    count accept-established-bgp-v4;
                    accept;
                }
            }
        }
        /* ICMP from management networks: echo both ways plus the error types needed
           for unreachable/TTL/PMTU diagnostics. Policed at 1m. */
        filter accept-icmp-trusted {
            term accept-echo-request-trusted {
                from {
                    source-prefix-list {
                        mgnt-networks-v4;
                    }
                    protocol icmp;
                    icmp-type echo-request;
                }
                then {
                    policer re-protect-1m;
                    count accept-echo-request-trusted;
                    accept;
                }
            }
            term accept-echo-reply-trusted {
                from {
                    source-prefix-list {
                        mgnt-networks-v4;
                    }
                    protocol icmp;
                    icmp-type echo-reply;
                }
                then {
                    policer re-protect-1m;
                    count accept-echo-reply-trusted;
                    accept;
                }
            }
            term accept-icmp-error-messages-trusted {
                from {
                    source-prefix-list {
                        mgnt-networks-v4;
                    }
                    protocol icmp;
                    icmp-type [ unreachable time-exceeded parameter-problem ];
                }
                then {
                    policer re-protect-1m;
                    count accept-icmp-error-messages-trusted;
                    accept;
                }
            }
        }
        /* Same ICMP types from any source (no source-prefix-list), so the router stays
           pingable and receives error messages from the Internet; the 1m policer is the
           only protection here. ICMP redirect is deliberately absent from both lists. */
        filter accept-icmp-untrusted {
            term accept-echo-request-untrusted {
                from {
                    protocol icmp;
                    icmp-type echo-request;
                }
                then {
                    policer re-protect-1m;
                    count accept-echo-request-untrusted;
                    accept;
                }
            }
            term accept-echo-reply-untrusted {
                from {
                    protocol icmp;
                    icmp-type echo-reply;
                }
                then {
                    policer re-protect-1m;
                    count accept-echo-reply-untrusted;
                    accept;
                }
            }
            term accept-icmp-error-messages-untrusted {
                from {
                    protocol icmp;
                    icmp-type [ unreachable time-exceeded parameter-problem ];
                }
                then {
                    policer re-protect-1m;
                    count accept-icmp-error-messages-untrusted;
                    accept;
                }
            }
        }
        /* Multihop BFD (UDP 4784) from BGP neighbors only; no TTL check because the
           sessions are multihop by definition. */
        filter accept-multi-hop-bfd-v4 {
            term accept-multi-hop-bfd-v4 {
                from {
                    source-prefix-list {
                        bgp-neighbors-v4;
                    }
                    destination-prefix-list {
                        router-v4;
                    }
                    protocol udp;
                    source-port 49152-65535;
                    destination-port 4784;
                }
                then {
                    count accept-multi-hop-bfd-v4;
                    accept;
                }
            }
        }
        /* NTP from configured servers/peers, plus the loopback-to-loopback traffic
           the local ntpd needs. */
        filter accept-ntp-v4 {
            term accept-ntp-v4 {
                from {
                    source-prefix-list {
                        ntp-servers-v4;
                        ntp-peers-v4;
                    }
                    destination-prefix-list {
                        router-v4;
                    }
                    protocol udp;
                    source-port ntp;
                    /* ntpd uses src port 123 for both the "client" and "symmetric active" type messages and thus the NTP server/peer replies to dst port 123 */
                    destination-port ntp;
                }
                then {
                    policer re-protect-1m;
                    count accept-ntp-v4;
                    accept;
                }
            }
            /* needed for "show ntp *" commands */
            term accept-ntp-internal-v4 {
                from {
                    source-prefix-list {
                        loopback-v4;
                    }
                    destination-prefix-list {
                        loopback-v4;
                    }
                    protocol udp;
                    port ntp;
                }
                then {
                    count accept-ntp-internal-v4;
                    accept;
                }
            }
        }
        /* OSPFv2 from directly connected interface subnets (see the router-v4 note)
           to the router's own addresses or the two OSPF multicast groups. */
        filter accept-ospf2 {
            term accept-ospf2 {
                from {
                    source-prefix-list {
                        router-v4;
                    }
                    destination-prefix-list {
                        /* OSPF Database Description packets are sent to the unicast addresses if OSPF interface type is "LAN" */
                        router-v4;
                        ospfv2;
                    }
                    protocol ospf;
                }
                then {
                    count accept-ospf2;
                    accept;
                }
            }
        }
        /* Single-hop BFD (UDP 3784/3785); ttl 255 means the packet cannot have been
           forwarded by another router. */
        filter accept-single-hop-bfd-v4 {
            term accept-single-hop-bfd-v4 {
                from {
                    source-prefix-list {
                        router-v4;
                    }
                    destination-prefix-list {
                        router-v4;
                    }
                    protocol udp;
                    source-port 49152-65535;
                    destination-port 3784-3785;
                    /* RFC5881 5 */
                    ttl 255;
                }
                then {
                    count accept-single-hop-bfd-v4;
                    accept;
                }
            }
        }
        /* SNMP polls only from the addresses listed under [snmp]; policed at 20m. */
        filter accept-snmp-v4 {
            term accept-snmp-v4 {
                from {
                    source-prefix-list {
                        snmp-client-lists-v4;
                        snmp-community-clients-v4;
                    }
                    destination-prefix-list {
                        router-v4;
                    }
                    protocol udp;
                    destination-port snmp;
                }
                then {
                    policer re-protect-20m;
                    count accept-snmp-v4;
                    accept;
                }
            }
        }
        /* Inbound SSH only from the management networks; policed at 20m. */
        filter accept-ssh-v4 {
            term accept-ssh-v4 {
                from {
                    source-prefix-list {
                        mgnt-networks-v4;
                    }
                    destination-prefix-list {
                        router-v4;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    policer re-protect-20m;
                    count accept-ssh-v4;
                    accept;
                }
            }
        }
        /* Traceroute probes that expire at this router (ttl 1) from management networks:
           classic UDP (33434-33529), ICMP echo and TCP/80 variants. */
        filter accept-traceroute-v4-trusted {
            term accept-traceroute-udp-v4-trusted {
                from {
                    destination-prefix-list {
                        router-v4;
                    }
                    source-prefix-list {
                        mgnt-networks-v4;
                    }
                    protocol udp;
                    ttl 1;
                    destination-port 33434-33529;
                }
                then {
                    policer re-protect-1m;
                    count accept-traceroute-udp-v4-trusted;
                    accept;
                }
            }
            term accept-traceroute-icmp-trusted {
                from {
                    destination-prefix-list {
                        router-v4;
                    }
                    source-prefix-list {
                        mgnt-networks-v4;
                    }
                    protocol icmp;
                    ttl 1;
                    icmp-type echo-request;
                }
                then {
                    policer re-protect-1m;
                    count accept-traceroute-icmp-trusted;
                    accept;
                }
            }
            term accept-traceroute-tcp-v4-trusted {
                from {
                    destination-prefix-list {
                        router-v4;
                    }
                    source-prefix-list {
                        mgnt-networks-v4;
                    }
                    protocol tcp;
                    ttl 1;
                    /* default TCP traceroute port only */
                    destination-port http;
                }
                then {
                    policer re-protect-1m;
                    count accept-traceroute-tcp-v4-trusted;
                    accept;
                }
            }
        }
        /* Same probes from any source; ttl 1 limits this to packets that expire here. */
        filter accept-traceroute-v4-untrusted {
            term accept-traceroute-udp-v4-untrusted {
                from {
                    destination-prefix-list {
                        router-v4;
                    }
                    protocol udp;
                    ttl 1;
                    destination-port 33434-33529;
                }
                then {
                    policer re-protect-1m;
                    count accept-traceroute-udp-v4-untrusted;
                    accept;
                }
            }
            term accept-traceroute-icmp-untrusted {
                from {
                    destination-prefix-list {
                        router-v4;
                    }
                    protocol icmp;
                    ttl 1;
                    icmp-type echo-request;
                }
                then {
                    policer re-protect-1m;
                    count accept-traceroute-icmp-untrusted;
                    accept;
                }
            }
            term accept-traceroute-tcp-v4-untrusted {
                from {
                    destination-prefix-list {
                        router-v4;
                    }
                    protocol tcp;
                    ttl 1;
                    /* default TCP traceroute port only */
                    destination-port http;
                }
                then {
                    policer re-protect-1m;
                    count accept-traceroute-tcp-v4-untrusted;
                    accept;
                }
            }
        }
        /* VRRPv3 advertisements to 224.0.0.18 from connected subnets, on-link only (ttl 255). */
        filter accept-vrrpv3-v4 {
            term accept-vrrpv3-v4 {
                from {
                    source-prefix-list {
                        router-v4;
                    }
                    destination-prefix-list {
                        vrrpv3-v4;
                    }
                    protocol vrrp;
                    /* RFC5798 5.1.1.3 */
                    ttl 255;
                }
                then {
                    count accept-vrrpv3-v4;
                    accept;
                }
            }
        }
        /* Final catch-all. Inspect "show firewall log" and the discard-all-v4 counter
           when a legitimate service stops working after applying this filter set. */
        filter discard-all-v4 {
            term discard-all-v4 {
                then {
                    count discard-all-v4;
                    log;
                    discard;
                }
            }
        }
        /* Fragments are dropped before any port-based term can see them; non-first
           fragments carry no L4 header, so they could not be matched on ports anyway.
           Large fragmented replies (e.g. big DNS answers) are dropped too - check the
           deny-*-frags counters if such a service misbehaves. */
        filter discard-frags {
            term deny-first-frags {
                from {
                    first-fragment;
                }
                then {
                    count deny-first-frags;
                    discard;
                }
            }
            term deny-other-frags {
                from {
                    is-fragment;
                }
                then {
                    count deny-other-frags;
                    discard;
                }
            }
        }
        /* On modern Trio platforms, the filter below will discard both the transit and RE-addressed packets with IP options header field - KB30719 */
        filter discard-ip-options {
            /* NOTE(review): protocols that rely on the router-alert option (RSVP, IGMP) would
               be dropped here as well; none are accepted by this filter set, so revisit this
               term before adding any of them. */
            term discard-ip-options {
                from {
                    ip-options any;
                }
                then {
                    count discard-ip-options;
                    discard;
                }
            }
        }
    }
    family inet6 {
        /* IPv6 counterpart of accept-bgp-v4. */
        filter accept-bgp-v6 {
            term accept-bgp-v6 {
                from {
                    source-prefix-list {
                        bgp-neighbors-v6;
                    }
                    destination-prefix-list {
                        router-v6;
                    }
                    next-header tcp;
                    destination-port bgp;
                }
                then {
                    count accept-bgp-v6;
                    accept;
                }
            }
        }
        /* IPv6 counterpart of accept-common-services-v4 (filter-in-filter). */
        filter accept-common-services-v6 {
            /* ensures that traceroute traffic from trusted networks does not share a policer with traceroute traffic from untrusted networks */
            term accept-traceroute-v6-trusted {
                filter accept-traceroute-v6-trusted;
            }
            term accept-traceroute-v6-untrusted {
                filter accept-traceroute-v6-untrusted;
            }
            /* ensures that ICMP6 traffic from trusted networks does not share a policer with ICMP6 traffic from untrusted networks */
            term accept-icmp6-trusted {
                filter accept-icmp6-trusted;
            }
            term accept-icmp6-untrusted {
                filter accept-icmp6-untrusted;
            }
            term accept-snmp-v6 {
                filter accept-snmp-v6;
            }
            term accept-ntp-v6 {
                filter accept-ntp-v6;
            }
            term accept-dns-v6 {
                filter accept-dns-v6;
            }
            term accept-ssh-v6 {
                filter accept-ssh-v6;
            }
        }
        /* DNS replies from the configured resolvers to the router's ephemeral ports. */
        filter accept-dns-v6 {
            term accept-dns-v6 {
                from {
                    source-prefix-list {
                        dns-servers-v6;
                    }
                    destination-prefix-list {
                        router-v6;
                    }
                    next-header [ udp tcp ];
                    source-port domain;
                    destination-port 49160-65535;
                }
                then {
                    policer re-protect-1m;
                    count accept-dns-v6;
                    accept;
                }
            }
        }
        /* Return traffic for TCP sessions the router itself opened (tcp-established only). */
        filter accept-established-v6 {
            /* allows router to establish SSH sessions to management network */
            term accept-established-ssh-v6 {
                from {
                    source-prefix-list {
                        mgnt-networks-v6;
                    }
                    destination-prefix-list {
                        router-v6;
                    }
                    next-header tcp;
                    source-port ssh;
                    destination-port 49160-65535;
                    tcp-established;
                }
                then {
                    policer re-protect-20m;
                    count accept-established-ssh-v6;
                    accept;
                }
            }
            /* allows router to establish BGP sessions with BGP neighbors */
            term accept-established-bgp-v6 {
                from {
                    source-prefix-list {
                        bgp-neighbors-v6;
                    }
                    destination-prefix-list {
                        router-v6;
                    }
                    next-header tcp;
                    source-port bgp;
                    destination-port 49160-65535;
                    tcp-established;
                }
                then {
                    count accept-established-bgp-v6;
                    accept;
                }
            }
        }
        /* Neighbor Discovery plus ICMPv6 echo/error messages from management networks. */
        filter accept-icmp6-trusted {
            /* ND has no source-prefix-list: it must be accepted from any on-link host.
               hop-limit 255 is the only sender validation, so this term is "trusted"
               only in the sense of sharing this filter with the management terms. */
            term accept-neighbor-discovery-trusted {
                from {
                    next-header icmp6;
                    icmp-type [ router-solicit router-advertisement neighbor-solicit neighbor-advertisement ];
                    /* ignore ND packets received from off-link senders - RFC4861 11.2 */
                    hop-limit 255;
                }
                then {
                    policer re-protect-1m;
                    count accept-neighbor-discovery-trusted;
                    accept;
                }
            }
            term accept-echo-request-trusted {
                from {
                    source-prefix-list {
                        mgnt-networks-v6;
                    }
                    next-header icmp6;
                    icmp-type echo-request;
                }
                then {
                    policer re-protect-1m;
                    count accept-echo-request-trusted;
                    accept;
                }
            }
            term accept-echo-reply-trusted {
                from {
                    source-prefix-list {
                        mgnt-networks-v6;
                    }
                    next-header icmp6;
                    icmp-type echo-reply;
                }
                then {
                    policer re-protect-1m;
                    count accept-echo-reply-trusted;
                    accept;
                }
            }
            /* packet-too-big is what IPv6 path MTU discovery depends on; keep it. */
            term accept-icmp6-error-messages-trusted {
                from {
                    source-prefix-list {
                        mgnt-networks-v6;
                    }
                    next-header icmp6;
                    icmp-type [ destination-unreachable packet-too-big time-exceeded parameter-problem ];
                }
                then {
                    policer re-protect-1m;
                    count accept-icmp6-error-messages-trusted;
                    accept;
                }
            }
        }
        /* Same ICMPv6 types from any source, policed at 1m. */
        filter accept-icmp6-untrusted {
            term accept-echo-request-untrusted {
                from {
                    next-header icmp6;
                    icmp-type echo-request;
                }
                then {
                    policer re-protect-1m;
                    count accept-echo-request-untrusted;
                    accept;
                }
            }
            term accept-echo-reply-untrusted {
                from {
                    next-header icmp6;
                    icmp-type echo-reply;
                }
                then {
                    policer re-protect-1m;
                    count accept-echo-reply-untrusted;
                    accept;
                }
            }
            term accept-icmp6-error-messages-untrusted {
                from {
                    next-header icmp6;
                    icmp-type [ destination-unreachable packet-too-big time-exceeded parameter-problem ];
                }
                then {
                    policer re-protect-1m;
                    count accept-icmp6-error-messages-untrusted;
                    accept;
                }
            }
        }
        /* Multihop BFD (UDP 4784) from BGP neighbors only; no hop-limit check (multihop). */
        filter accept-multi-hop-bfd-v6 {
            term accept-multi-hop-bfd-v6 {
                from {
                    source-prefix-list {
                        bgp-neighbors-v6;
                    }
                    destination-prefix-list {
                        router-v6;
                    }
                    next-header udp;
                    source-port 49152-65535;
                    destination-port 4784;
                }
                then {
                    count accept-multi-hop-bfd-v6;
                    accept;
                }
            }
        }
        /* IPv6 counterpart of accept-ntp-v4. */
        filter accept-ntp-v6 {
            term accept-ntp-v6 {
                from {
                    source-prefix-list {
                        ntp-servers-v6;
                        ntp-peers-v6;
                    }
                    destination-prefix-list {
                        router-v6;
                    }
                    next-header udp;
                    source-port ntp;
                    /* ntpd uses src port 123 for both the "client" and "symmetric active" type messages and thus the NTP server/peer replies to dst port 123 */
                    destination-port ntp;
                }
                then {
                    policer re-protect-1m;
                    count accept-ntp-v6;
                    accept;
                }
            }
            /* needed for "show ntp *" commands (same reason as accept-ntp-internal-v4) */
            term accept-ntp-internal-v6 {
                from {
                    source-prefix-list {
                        loopback-v6;
                    }
                    destination-prefix-list {
                        loopback-v6;
                    }
                    next-header udp;
                    port ntp;
                }
                then {
                    count accept-ntp-internal-v6;
                    accept;
                }
            }
        }
        /* OSPFv3 is always sourced from link-local addresses; destinations are the OSPF
           multicast groups or the router's link-local address. */
        filter accept-ospf3 {
            term accept-ospf3 {
                from {
                    /* RFC5340 2.5 */
                    source-prefix-list {
                        ipv6-link-local;
                    }
                    /* RFC5340 4.2.1 */
                    destination-prefix-list {
                        ospfv3;
                        ipv6-link-local;
                    }
                    next-header ospf;
                }
                then {
                    count accept-ospf3;
                    accept;
                }
            }
        }
        /* Single-hop BFD over global or link-local addresses; hop-limit 255 enforces on-link. */
        filter accept-single-hop-bfd-v6 {
            term accept-single-hop-bfd-v6 {
                from {
                    source-prefix-list {
                        router-v6;
                        ipv6-link-local;
                    }
                    destination-prefix-list {
                        router-v6;
                        ipv6-link-local;
                    }
                    next-header udp;
                    source-port 49152-65535;
                    destination-port 3784-3785;
                    /* RFC5881 5 */
                    hop-limit 255;
                }
                then {
                    count accept-single-hop-bfd-v6;
                    accept;
                }
            }
        }
        /* SNMP polls only from the addresses listed under [snmp]; policed at 20m. */
        filter accept-snmp-v6 {
            term accept-snmp-v6 {
                from {
                    source-prefix-list {
                        snmp-client-lists-v6;
                        snmp-community-clients-v6;
                    }
                    destination-prefix-list {
                        router-v6;
                    }
                    next-header udp;
                    destination-port snmp;
                }
                then {
                    policer re-protect-20m;
                    count accept-snmp-v6;
                    accept;
                }
            }
        }
        /* Inbound SSH only from the management networks; policed at 20m. */
        filter accept-ssh-v6 {
            term accept-ssh-v6 {
                from {
                    source-prefix-list {
                        mgnt-networks-v6;
                    }
                    destination-prefix-list {
                        router-v6;
                    }
                    next-header tcp;
                    destination-port ssh;
                }
                then {
                    policer re-protect-20m;
                    count accept-ssh-v6;
                    accept;
                }
            }
        }
        /* Traceroute probes expiring here (hop-limit 1) from management networks. */
        filter accept-traceroute-v6-trusted {
            term accept-traceroute-udp-v6-trusted {
                from {
                    destination-prefix-list {
                        router-v6;
                    }
                    source-prefix-list {
                        mgnt-networks-v6;
                    }
                    next-header udp;
                    destination-port 33434-33529;
                    hop-limit 1;
                }
                then {
                    policer re-protect-1m;
                    count accept-traceroute-udp-v6-trusted;
                    accept;
                }
            }
            term accept-traceroute-icmp6-trusted {
                from {
                    destination-prefix-list {
                        router-v6;
                    }
                    source-prefix-list {
                        mgnt-networks-v6;
                    }
                    next-header icmp6;
                    icmp-type echo-request;
                    hop-limit 1;
                }
                then {
                    policer re-protect-1m;
                    count accept-traceroute-icmp6-trusted;
                    accept;
                }
            }
            term accept-traceroute-tcp-v6-trusted {
                from {
                    destination-prefix-list {
                        router-v6;
                    }
                    source-prefix-list {
                        mgnt-networks-v6;
                    }
                    next-header tcp;
                    hop-limit 1;
                    /* default TCP traceroute port only */
                    destination-port http;
                }
                then {
                    policer re-protect-1m;
                    count accept-traceroute-tcp-v6-trusted;
                    accept;
                }
            }
        }
        /* Same probes from any source; hop-limit 1 limits this to packets that expire here. */
        filter accept-traceroute-v6-untrusted {
            term accept-traceroute-udp-v6-untrusted {
                from {
                    destination-prefix-list {
                        router-v6;
                    }
                    next-header udp;
                    destination-port 33434-33529;
                    hop-limit 1;
                }
                then {
                    policer re-protect-1m;
                    count accept-traceroute-udp-v6-untrusted;
                    accept;
                }
            }
            term accept-traceroute-icmp6-untrusted {
                from {
                    destination-prefix-list {
                        router-v6;
                    }
                    next-header icmp6;
                    icmp-type echo-request;
                    hop-limit 1;
                }
                then {
                    policer re-protect-1m;
                    count accept-traceroute-icmp6-untrusted;
                    accept;
                }
            }
            term accept-traceroute-tcp-v6-untrusted {
                from {
                    destination-prefix-list {
                        router-v6;
                    }
                    next-header tcp;
                    hop-limit 1;
                    /* default TCP traceroute port only */
                    destination-port http;
                }
                then {
                    policer re-protect-1m;
                    count accept-traceroute-tcp-v6-untrusted;
                    accept;
                }
            }
        }
        /* VRRPv3 for IPv6: link-local source, ff02::12 destination, on-link only. */
        filter accept-vrrpv3-v6 {
            term accept-vrrpv3-v6 {
                from {
                    /* RFC5798 5.1.2.1 */
                    source-prefix-list {
                        ipv6-link-local;
                    }
                    /* RFC5798 5.1.2.2 */
                    destination-prefix-list {
                        vrrpv3-v6;
                    }
                    next-header vrrp;
                    /* RFC5798 5.1.2.3 */
                    hop-limit 255;
                }
                then {
                    count accept-vrrpv3-v6;
                    accept;
                }
            }
        }
        /* Final catch-all for IPv6; see discard-all-v4. */
        filter discard-all-v6 {
            term discard-all-v6 {
                then {
                    count discard-all-v6;
                    log;
                    discard;
                }
            }
        }
        /* Anything whose Next Header is not one of the accepted upper-layer protocols is
           dropped, which removes fragments, hop-by-hop/routing headers and unknown
           protocols in one term. NOTE(review): this relies on next-header-except matching
           the base header's Next Header field rather than the final payload protocol, which
           is platform-dependent, and it also drops MLD (hop-by-hop router-alert) - confirm
           both on the target platform, especially with MLD-snooping switches on the links. */
        filter discard-extension-headers {
            term discard-extension-headers {
                from {
                    next-header-except [ icmp6 ospf tcp udp vrrp ];
                }
                then {
                    count discard-extension-headers;
                    discard;
                }
            }
        }
    }
    /* Shared policers: 1m for low-volume services (ICMP, traceroute, NTP, DNS),
       20m for SSH and SNMP. Routing protocols and BFD are not policed. */
    policer re-protect-1m {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 625k;
        }
        then discard;
    }
    policer re-protect-20m {
        if-exceeding {
            bandwidth-limit 20m;
            burst-size-limit 625k;
        }
        then discard;
    }
}