Date created: Saturday, June 15, 2024 1:04:49 PM. Last modified: Saturday, June 15, 2024 1:07:03 PM
MX Loopback0 Filter - From j-nsp mailing list
Reference: https://gist.github.com/tonusoo/efd9ab4fcf2bb5a45d34d5af5e3f3e0c
interfaces {
lo0 {
unit 0 {
family inet {
filter {
input-list [ discard-ip-options discard-frags accept-single-hop-bfd-v4 accept-multi-hop-bfd-v4 accept-bgp-v4 accept-ospf2 accept-vrrpv3-v4 accept-established-v4 accept-common-services-v4 discard-all-v4 ];
}
}
family inet6 {
filter {
input-list [ discard-extension-headers accept-single-hop-bfd-v6 accept-multi-hop-bfd-v6 accept-bgp-v6 accept-ospf3 accept-vrrpv3-v6 accept-established-v6 accept-common-services-v6 discard-all-v6 ];
}
}
}
}
}
policy-options {
prefix-list ntp-servers-v4 {
apply-path "system ntp server <*.*.*.*>";
}
prefix-list ntp-servers-v6 {
apply-path "system ntp server <*:*>";
}
prefix-list ntp-peers-v4 {
apply-path "system ntp peer <*.*.*.*>";
}
prefix-list ntp-peers-v6 {
apply-path "system ntp peer <*:*>";
}
prefix-list dns-servers-v4 {
apply-path "system name-server <*.*.*.*>";
}
prefix-list dns-servers-v6 {
apply-path "system name-server <*:*>";
}
prefix-list snmp-client-lists-v4 {
apply-path "snmp client-list <*> <*.*.*.*>";
}
prefix-list snmp-client-lists-v6 {
apply-path "snmp client-list <*> <*:*>";
}
prefix-list snmp-community-clients-v4 {
apply-path "snmp community <*> clients <*.*.*.*>";
}
prefix-list snmp-community-clients-v6 {
apply-path "snmp community <*> clients <*:*>";
}
prefix-list mgnt-networks-v4 {
10.5.5.0/24;
}
prefix-list mgnt-networks-v6 {
fd1f:1605:8b9d:99::/64;
}
prefix-list bgp-neighbors-v4 {
apply-path "protocols bgp group <*-v4> neighbor <*.*.*.*>";
}
prefix-list bgp-neighbors-v6 {
apply-path "protocols bgp group <*-v6> neighbor <*:*>";
}
prefix-list router-v6 {
apply-path "interfaces <*> unit <*> family inet6 address <*>";
}
prefix-list ipv6-link-local {
fe80::/64;
}
prefix-list vrrpv3-v4 {
224.0.0.18/32;
}
prefix-list vrrpv3-v6 {
ff02::12/128;
}
prefix-list ospfv3 {
/* ALLSPFRouters */
ff02::5/128;
/* ALLDRouters */
ff02::6/128;
}
prefix-list loopback-v6 {
::1/128;
apply-path "interfaces lo0 unit <*> family inet6 address <*>";
}
prefix-list router-v4 {
apply-path "interfaces <*> unit <*> family inet address <*>";
}
prefix-list ospfv2 {
/* ALLSPFRouters */
224.0.0.5/32;
/* ALLDRouters */
224.0.0.6/32;
}
prefix-list loopback-v4 {
127.0.0.1/32;
apply-path "interfaces lo0 unit <*> family inet address <*>";
}
}
firewall {
family inet {
filter accept-bgp-v4 {
term accept-bgp-v4 {
from {
source-prefix-list {
bgp-neighbors-v4;
}
destination-prefix-list {
router-v4;
}
protocol tcp;
destination-port bgp;
}
then {
count accept-bgp-v4;
accept;
}
}
}
filter accept-common-services-v4 {
/* ensures that traceroute traffic from trusted networks does not share a policer with traceroute traffic from untrusted networks */
term accept-traceroute-v4-trusted {
filter accept-traceroute-v4-trusted;
}
term accept-traceroute-v4-untrusted {
filter accept-traceroute-v4-untrusted;
}
/* ensures that ICMP traffic from trusted networks does not share a policer with ICMP traffic from untrusted networks */
term accept-icmp-trusted {
filter accept-icmp-trusted;
}
term accept-icmp-untrusted {
filter accept-icmp-untrusted;
}
term accept-snmp-v4 {
filter accept-snmp-v4;
}
term accept-ntp-v4 {
filter accept-ntp-v4;
}
term accept-dns-v4 {
filter accept-dns-v4;
}
term accept-ssh-v4 {
filter accept-ssh-v4;
}
}
filter accept-dns-v4 {
term accept-dns-v4 {
from {
source-prefix-list {
dns-servers-v4;
}
destination-prefix-list {
router-v4;
}
protocol [ udp tcp ];
source-port domain;
destination-port 49160-65535;
}
then {
policer re-protect-1m;
count accept-dns-v4;
accept;
}
}
}
filter accept-established-v4 {
/* allows router to establish SSH sessions to management network */
term accept-established-ssh-v4 {
from {
source-prefix-list {
mgnt-networks-v4;
}
destination-prefix-list {
router-v4;
}
protocol tcp;
source-port ssh;
destination-port 49160-65535;
tcp-established;
}
then {
policer re-protect-20m;
count accept-established-ssh-v4;
accept;
}
}
/* allows router to establish BGP sessions with BGP neighbors */
term accept-established-bgp-v4 {
from {
source-prefix-list {
bgp-neighbors-v4;
}
destination-prefix-list {
router-v4;
}
protocol tcp;
source-port bgp;
destination-port 49160-65535;
tcp-established;
}
then {
count accept-established-bgp-v4;
accept;
}
}
}
filter accept-icmp-trusted {
term accept-echo-request-trusted {
from {
source-prefix-list {
mgnt-networks-v4;
}
protocol icmp;
icmp-type echo-request;
}
then {
policer re-protect-1m;
count accept-echo-request-trusted;
accept;
}
}
term accept-echo-reply-trusted {
from {
source-prefix-list {
mgnt-networks-v4;
}
protocol icmp;
icmp-type echo-reply;
}
then {
policer re-protect-1m;
count accept-echo-reply-trusted;
accept;
}
}
term accept-icmp-error-messages-trusted {
from {
source-prefix-list {
mgnt-networks-v4;
}
protocol icmp;
icmp-type [ unreachable time-exceeded parameter-problem ];
}
then {
policer re-protect-1m;
count accept-icmp-error-messages-trusted;
accept;
}
}
}
filter accept-icmp-untrusted {
term accept-echo-request-untrusted {
from {
protocol icmp;
icmp-type echo-request;
}
then {
policer re-protect-1m;
count accept-echo-request-untrusted;
accept;
}
}
term accept-echo-reply-untrusted {
from {
protocol icmp;
icmp-type echo-reply;
}
then {
policer re-protect-1m;
count accept-echo-reply-untrusted;
accept;
}
}
term accept-icmp-error-messages-untrusted {
from {
protocol icmp;
icmp-type [ unreachable time-exceeded parameter-problem ];
}
then {
policer re-protect-1m;
count accept-icmp-error-messages-untrusted;
accept;
}
}
}
filter accept-multi-hop-bfd-v4 {
term accept-multi-hop-bfd-v4 {
from {
source-prefix-list {
bgp-neighbors-v4;
}
destination-prefix-list {
router-v4;
}
protocol udp;
source-port 49152-65535;
destination-port 4784;
}
then {
count accept-multi-hop-bfd-v4;
accept;
}
}
}
filter accept-ntp-v4 {
term accept-ntp-v4 {
from {
source-prefix-list {
ntp-servers-v4;
ntp-peers-v4;
}
destination-prefix-list {
router-v4;
}
protocol udp;
source-port ntp;
/* ntpd uses src port 123 for both the "client" and "symmetric active" type messages and thus the NTP server/peer replies to dst port 123 */
destination-port ntp;
}
then {
policer re-protect-1m;
count accept-ntp-v4;
accept;
}
}
/* needed for "show ntp *" commands */
term accept-ntp-internal-v4 {
from {
source-prefix-list {
loopback-v4;
}
destination-prefix-list {
loopback-v4;
}
protocol udp;
port ntp;
}
then {
count accept-ntp-internal-v4;
accept;
}
}
}
filter accept-ospf2 {
term accept-ospf2 {
from {
source-prefix-list {
router-v4;
}
destination-prefix-list {
/* OSPF Database Description packets are sent to the unicast addresses if OSPF interface type is "LAN" */
router-v4;
ospfv2;
}
protocol ospf;
}
then {
count accept-ospf2;
accept;
}
}
}
filter accept-single-hop-bfd-v4 {
term accept-single-hop-bfd-v4 {
from {
source-prefix-list {
router-v4;
}
destination-prefix-list {
router-v4;
}
protocol udp;
source-port 49152-65535;
destination-port 3784-3785;
/* RFC5881 5 */
ttl 255;
}
then {
count accept-single-hop-bfd-v4;
accept;
}
}
}
filter accept-snmp-v4 {
term accept-snmp-v4 {
from {
source-prefix-list {
snmp-client-lists-v4;
snmp-community-clients-v4;
}
destination-prefix-list {
router-v4;
}
protocol udp;
destination-port snmp;
}
then {
policer re-protect-20m;
count accept-snmp-v4;
accept;
}
}
}
filter accept-ssh-v4 {
term accept-ssh-v4 {
from {
source-prefix-list {
mgnt-networks-v4;
}
destination-prefix-list {
router-v4;
}
protocol tcp;
destination-port ssh;
}
then {
policer re-protect-20m;
count accept-ssh-v4;
accept;
}
}
}
filter accept-traceroute-v4-trusted {
term accept-traceroute-udp-v4-trusted {
from {
destination-prefix-list {
router-v4;
}
source-prefix-list {
mgnt-networks-v4;
}
protocol udp;
ttl 1;
destination-port 33434-33529;
}
then {
policer re-protect-1m;
count accept-traceroute-udp-v4-trusted;
accept;
}
}
term accept-traceroute-icmp-trusted {
from {
destination-prefix-list {
router-v4;
}
source-prefix-list {
mgnt-networks-v4;
}
protocol icmp;
ttl 1;
icmp-type echo-request;
}
then {
policer re-protect-1m;
count accept-traceroute-icmp-trusted;
accept;
}
}
term accept-traceroute-tcp-v4-trusted {
from {
destination-prefix-list {
router-v4;
}
source-prefix-list {
mgnt-networks-v4;
}
protocol tcp;
ttl 1;
/* default TCP traceroute port only */
destination-port http;
}
then {
policer re-protect-1m;
count accept-traceroute-tcp-v4-trusted;
accept;
}
}
}
filter accept-traceroute-v4-untrusted {
term accept-traceroute-udp-v4-untrusted {
from {
destination-prefix-list {
router-v4;
}
protocol udp;
ttl 1;
destination-port 33434-33529;
}
then {
policer re-protect-1m;
count accept-traceroute-udp-v4-untrusted;
accept;
}
}
term accept-traceroute-icmp-untrusted {
from {
destination-prefix-list {
router-v4;
}
protocol icmp;
ttl 1;
icmp-type echo-request;
}
then {
policer re-protect-1m;
count accept-traceroute-icmp-untrusted;
accept;
}
}
term accept-traceroute-tcp-v4-untrusted {
from {
destination-prefix-list {
router-v4;
}
protocol tcp;
ttl 1;
/* default TCP traceroute port only */
destination-port http;
}
then {
policer re-protect-1m;
count accept-traceroute-tcp-v4-untrusted;
accept;
}
}
}
filter accept-vrrpv3-v4 {
term accept-vrrpv3-v4 {
from {
source-prefix-list {
router-v4;
}
destination-prefix-list {
vrrpv3-v4;
}
protocol vrrp;
/* RFC5798 5.1.1.3 */
ttl 255;
}
then {
count accept-vrrpv3-v4;
accept;
}
}
}
filter discard-all-v4 {
term discard-all-v4 {
then {
count discard-all-v4;
log;
discard;
}
}
}
filter discard-frags {
term deny-first-frags {
from {
first-fragment;
}
then {
count deny-first-frags;
discard;
}
}
term deny-other-frags {
from {
is-fragment;
}
then {
count deny-other-frags;
discard;
}
}
}
/* On modern Trio platforms, the filter below will discard both the transit and RE-addressed packets with IP options header field - KB30719 */
filter discard-ip-options {
term discard-ip-options {
from {
ip-options any;
}
then {
count discard-ip-options;
discard;
}
}
}
}
family inet6 {
filter accept-bgp-v6 {
term accept-bgp-v6 {
from {
source-prefix-list {
bgp-neighbors-v6;
}
destination-prefix-list {
router-v6;
}
next-header tcp;
destination-port bgp;
}
then {
count accept-bgp-v6;
accept;
}
}
}
filter accept-common-services-v6 {
/* ensures that traceroute traffic from trusted networks does not share a policer with traceroute traffic from untrusted networks */
term accept-traceroute-v6-trusted {
filter accept-traceroute-v6-trusted;
}
term accept-traceroute-v6-untrusted {
filter accept-traceroute-v6-untrusted;
}
/* ensures that ICMP6 traffic from trusted networks does not share a policer with ICMP6 traffic from untrusted networks */
term accept-icmp6-trusted {
filter accept-icmp6-trusted;
}
term accept-icmp6-untrusted {
filter accept-icmp6-untrusted;
}
term accept-snmp-v6 {
filter accept-snmp-v6;
}
term accept-ntp-v6 {
filter accept-ntp-v6;
}
term accept-dns-v6 {
filter accept-dns-v6;
}
term accept-ssh-v6 {
filter accept-ssh-v6;
}
}
filter accept-dns-v6 {
term accept-dns-v6 {
from {
source-prefix-list {
dns-servers-v6;
}
destination-prefix-list {
router-v6;
}
next-header [ udp tcp ];
source-port domain;
destination-port 49160-65535;
}
then {
policer re-protect-1m;
count accept-dns-v6;
accept;
}
}
}
filter accept-established-v6 {
/* allows router to establish SSH sessions to management network */
term accept-established-ssh-v6 {
from {
source-prefix-list {
mgnt-networks-v6;
}
destination-prefix-list {
router-v6;
}
next-header tcp;
source-port ssh;
destination-port 49160-65535;
tcp-established;
}
then {
policer re-protect-20m;
count accept-established-ssh-v6;
accept;
}
}
/* allows router to establish BGP sessions with BGP neighbors */
term accept-established-bgp-v6 {
from {
source-prefix-list {
bgp-neighbors-v6;
}
destination-prefix-list {
router-v6;
}
next-header tcp;
source-port bgp;
destination-port 49160-65535;
tcp-established;
}
then {
count accept-established-bgp-v6;
accept;
}
}
}
filter accept-icmp6-trusted {
term accept-neighbor-discovery-trusted {
from {
next-header icmp6;
icmp-type [ router-solicit router-advertisement neighbor-solicit neighbor-advertisement ];
/* ignore ND packets received from off-link senders - RFC4861 11.2 */
hop-limit 255;
}
then {
policer re-protect-1m;
count accept-neighbor-discovery-trusted;
accept;
}
}
term accept-echo-request-trusted {
from {
source-prefix-list {
mgnt-networks-v6;
}
next-header icmp6;
icmp-type echo-request;
}
then {
policer re-protect-1m;
count accept-echo-request-trusted;
accept;
}
}
term accept-echo-reply-trusted {
from {
source-prefix-list {
mgnt-networks-v6;
}
next-header icmp6;
icmp-type echo-reply;
}
then {
policer re-protect-1m;
count accept-echo-reply-trusted;
accept;
}
}
term accept-icmp6-error-messages-trusted {
from {
source-prefix-list {
mgnt-networks-v6;
}
next-header icmp6;
icmp-type [ destination-unreachable packet-too-big time-exceeded parameter-problem ];
}
then {
policer re-protect-1m;
count accept-icmp6-error-messages-trusted;
accept;
}
}
}
filter accept-icmp6-untrusted {
term accept-echo-request-untrusted {
from {
next-header icmp6;
icmp-type echo-request;
}
then {
policer re-protect-1m;
count accept-echo-request-untrusted;
accept;
}
}
term accept-echo-reply-untrusted {
from {
next-header icmp6;
icmp-type echo-reply;
}
then {
policer re-protect-1m;
count accept-echo-reply-untrusted;
accept;
}
}
term accept-icmp6-error-messages-untrusted {
from {
next-header icmp6;
icmp-type [ destination-unreachable packet-too-big time-exceeded parameter-problem ];
}
then {
policer re-protect-1m;
count accept-icmp6-error-messages-untrusted;
accept;
}
}
}
filter accept-multi-hop-bfd-v6 {
term accept-multi-hop-bfd-v6 {
from {
source-prefix-list {
bgp-neighbors-v6;
}
destination-prefix-list {
router-v6;
}
next-header udp;
source-port 49152-65535;
destination-port 4784;
}
then {
count accept-multi-hop-bfd-v6;
accept;
}
}
}
filter accept-ntp-v6 {
term accept-ntp-v6 {
from {
source-prefix-list {
ntp-servers-v6;
ntp-peers-v6;
}
destination-prefix-list {
router-v6;
}
next-header udp;
source-port ntp;
/* ntpd uses src port 123 for both the "client" and "symmetric active" type messages and thus the NTP server/peer replies to dst port 123 */
destination-port ntp;
}
then {
policer re-protect-1m;
count accept-ntp-v6;
accept;
}
}
term accept-ntp-internal-v6 {
from {
source-prefix-list {
loopback-v6;
}
destination-prefix-list {
loopback-v6;
}
next-header udp;
port ntp;
}
then {
count accept-ntp-internal-v6;
accept;
}
}
}
filter accept-ospf3 {
term accept-ospf3 {
from {
/* RFC5340 2.5 */
source-prefix-list {
ipv6-link-local;
}
/* RFC5340 4.2.1 */
destination-prefix-list {
ospfv3;
ipv6-link-local;
}
next-header ospf;
}
then {
count accept-ospf3;
accept;
}
}
}
filter accept-single-hop-bfd-v6 {
term accept-single-hop-bfd-v6 {
from {
source-prefix-list {
router-v6;
ipv6-link-local;
}
destination-prefix-list {
router-v6;
ipv6-link-local;
}
next-header udp;
source-port 49152-65535;
destination-port 3784-3785;
/* RFC5881 5 */
hop-limit 255;
}
then {
count accept-single-hop-bfd-v6;
accept;
}
}
}
filter accept-snmp-v6 {
term accept-snmp-v6 {
from {
source-prefix-list {
snmp-client-lists-v6;
snmp-community-clients-v6;
}
destination-prefix-list {
router-v6;
}
next-header udp;
destination-port snmp;
}
then {
policer re-protect-20m;
count accept-snmp-v6;
accept;
}
}
}
filter accept-ssh-v6 {
term accept-ssh-v6 {
from {
source-prefix-list {
mgnt-networks-v6;
}
destination-prefix-list {
router-v6;
}
next-header tcp;
destination-port ssh;
}
then {
policer re-protect-20m;
count accept-ssh-v6;
accept;
}
}
}
filter accept-traceroute-v6-trusted {
term accept-traceroute-udp-v6-trusted {
from {
destination-prefix-list {
router-v6;
}
source-prefix-list {
mgnt-networks-v6;
}
next-header udp;
destination-port 33434-33529;
hop-limit 1;
}
then {
policer re-protect-1m;
count accept-traceroute-udp-v6-trusted;
accept;
}
}
term accept-traceroute-icmp6-trusted {
from {
destination-prefix-list {
router-v6;
}
source-prefix-list {
mgnt-networks-v6;
}
next-header icmp6;
icmp-type echo-request;
hop-limit 1;
}
then {
policer re-protect-1m;
count accept-traceroute-icmp6-trusted;
accept;
}
}
term accept-traceroute-tcp-v6-trusted {
from {
destination-prefix-list {
router-v6;
}
source-prefix-list {
mgnt-networks-v6;
}
next-header tcp;
hop-limit 1;
/* default TCP traceroute port only */
destination-port http;
}
then {
policer re-protect-1m;
count accept-traceroute-tcp-v6-trusted;
accept;
}
}
}
filter accept-traceroute-v6-untrusted {
term accept-traceroute-udp-v6-untrusted {
from {
destination-prefix-list {
router-v6;
}
next-header udp;
destination-port 33434-33529;
hop-limit 1;
}
then {
policer re-protect-1m;
count accept-traceroute-udp-v6-untrusted;
accept;
}
}
term accept-traceroute-icmp6-untrusted {
from {
destination-prefix-list {
router-v6;
}
next-header icmp6;
icmp-type echo-request;
hop-limit 1;
}
then {
policer re-protect-1m;
count accept-traceroute-icmp6-untrusted;
accept;
}
}
term accept-traceroute-tcp-v6-untrusted {
from {
destination-prefix-list {
router-v6;
}
next-header tcp;
hop-limit 1;
/* default TCP traceroute port only */
destination-port http;
}
then {
policer re-protect-1m;
count accept-traceroute-tcp-v6-untrusted;
accept;
}
}
}
filter accept-vrrpv3-v6 {
term accept-vrrpv3-v6 {
from {
/* RFC5798 5.1.2.1 */
source-prefix-list {
ipv6-link-local;
}
/* RFC5798 5.1.2.2 */
destination-prefix-list {
vrrpv3-v6;
}
next-header vrrp;
/* RFC5798 5.1.2.3 */
hop-limit 255;
}
then {
count accept-vrrpv3-v6;
accept;
}
}
}
filter discard-all-v6 {
term discard-all-v6 {
then {
count discard-all-v6;
log;
discard;
}
}
}
filter discard-extension-headers {
term discard-extension-headers {
from {
next-header-except [ icmp6 ospf tcp udp vrrp ];
}
then {
count discard-extension-headers;
discard;
}
}
}
}
policer re-protect-1m {
if-exceeding {
bandwidth-limit 1m;
burst-size-limit 625k;
}
then discard;
}
policer re-protect-20m {
if-exceeding {
bandwidth-limit 20m;
burst-size-limit 625k;
}
then discard;
}
} Previous page: MX Loopback0 Filter Notes
Next page: MX104 Lo0 Filter Example