<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Techinvasion.net &#187; ACL</title>
	<atom:link href="http://www.techinvasion.net/tag/acl/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.techinvasion.net</link>
	<description></description>
	<lastBuildDate>Tue, 13 Jul 2010 15:44:15 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
		<item>
		<title>Introduction to Filter list for JUNOS</title>
		<link>http://www.techinvasion.net/2009/06/14/introduction-to-filter-list-for-junos/</link>
		<comments>http://www.techinvasion.net/2009/06/14/introduction-to-filter-list-for-junos/#comments</comments>
		<pubDate>Mon, 15 Jun 2009 02:10:02 +0000</pubDate>
		<dc:creator>john</dc:creator>
				<category><![CDATA[Internet]]></category>
		<category><![CDATA[Juniper]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[access list]]></category>
		<category><![CDATA[ACL]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[filter-list]]></category>
		<category><![CDATA[Networking]]></category>

		<guid isPermaLink="false">http://www.techinvasion.net/?p=122</guid>
<description><![CDATA[Juniper's JUNOS is a very robust operating system: not only is the OS very advanced, but the ASIC-heavy design of Juniper hardware is akin to calorie-free chocolate bars! Juniper Filter Lists, which are non-stateful packet filters similar to Cisco Access-Lists, are compiled and processed in hardware, which means that you can [...]]]></description>
			<content:encoded><![CDATA[<p>Juniper's JUNOS is a very robust operating system: not only is the OS very advanced, but the ASIC-heavy design of Juniper hardware is akin to calorie-free chocolate bars! Juniper Filter Lists, which are non-stateful packet filters similar to Cisco Access-Lists, are compiled and processed in hardware. What this means is that you can have as many Filter Lists as you want, and as long as you want, without degrading performance.</p>
<p>Juniper is also big on naming things: in JUNOS everything has a name. The Filter Lists have names, the terms in the Filter Lists have names, and even the addresses you are matching on have names. This is a big concept in JUNOS because it allows you to write snippets of Filter Lists and reuse them in many different Filter Lists. JUNOS also supports grouping Filter Lists and applying an entire group of filters to an interface. If you apply a filter group to a JUNOS interface, the individual Filter Lists are evaluated sequentially, in order.<br />
<span id="more-122"></span><br />
To facilitate our discussion of Filter Lists, let's take a look at a standard anti-spoofing access list of the kind that would be applied to most edge routers. First let's talk about what a vanilla anti-spoofing ACL should contain. At a minimum it should block all RFC 1918 address space arriving from the internet, it should block undesirable types of ICMP traffic, and, depending on the setup, it should block packets with illegal combinations of TCP flags set, for example SYN and FIN set at the same time, or FIN-URG-PSH, or URG-ACK-PSH-RST-SYN-FIN all set at once. All of these TCP flag combinations are illegal and should never appear together in a legitimate packet. So without further ado, let's talk about Filter Lists.<br />
Filter Lists are defined under the firewall section of the JUNOS configuration. Prefix Lists, which are groups of networks, IP address ranges, or single hosts such as 1.1.1.1/32, are defined separately under policy-options, and a Prefix List can later be referenced from as many Filter Lists as you define.</p>
<p>Below I will show you the actual Filter List as it looks in the configuration, along with some of the commands used to create it. For brevity I have opted to show only some of the commands, as they are basically repetitive. The important thing to remember is that, like all Access-Lists, the terms in a Filter List are evaluated from top to bottom, so it is important that the last term be an accept-all statement; otherwise the anti-spoofing filter will block all communication, even legitimate communication.</p>
<pre class="prettyprint">[edit]
john# set policy-options prefix-list rfc1918-prefix-list 192.168.0.0/16

[edit]
john# set policy-options prefix-list rfc1918-prefix-list 172.16.0.0/12

[edit]
john# set policy-options prefix-list rfc1918-prefix-list 10.0.0.0/8

[edit]
john# edit firewall

[edit firewall]
john# edit filter anti-spoofing

[edit firewall filter anti-spoofing]
john# edit term block-rfc1918

[edit firewall filter anti-spoofing term block-rfc1918]
john# set from source-prefix-list rfc1918-prefix-list

[edit firewall filter anti-spoofing term block-rfc1918]
john# set then log discard

[edit]
john# show policy-options

prefix-list rfc1918-prefix-list {
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
}

[edit firewall]
john# show

filter anti-spoofing {
    term block-rfc1918 {
        from {
            source-prefix-list {
                rfc1918-prefix-list;
            }
        }
        then {
            log;
            discard;
        }
    }
    term block-fin-urg-psh {
        from {
            protocol tcp;
            tcp-flags fin,psh,urg;
        }
        then {
            log;
            discard;
        }
    }
    term block-syn-fin {
        from {
            protocol tcp;
            tcp-flags fin,syn;
        }
        then {
            log;
            discard;
        }
    }
    term block-urg-ack-syn-fin-rst-psh {
        from {
            protocol tcp;
            tcp-flags urg,ack,psh,rst,fin,syn;
        }
        then {
            log;
            discard;
        }
    }
    term block-icmp {
        from {
            protocol icmp;
            icmp-type-except echo-reply,unreachable,source-quench,time-exceeded;
        }
        then {
            log;
            discard;
        }
    }
    term accept-all {
        then accept;
    }
}</pre>
<p>Remember to apply the Filter-List to the interface with the following command:</p>
<pre class="prettyprint">[edit]
john# set interfaces fe-0/0/0.0 family inet filter input anti-spoofing</pre>
<p><a href="http://www.alltimedefense.com/uncategorized/time-based-access-control-lists/" target="_blank">Here is a related Article on ACL&#8217;s</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.techinvasion.net/2009/06/14/introduction-to-filter-list-for-junos/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Content Based Access Control &#8220;CBAC&#8221;</title>
		<link>http://www.techinvasion.net/2008/10/21/content-based-access-control-cbac/</link>
		<comments>http://www.techinvasion.net/2008/10/21/content-based-access-control-cbac/#comments</comments>
		<pubDate>Tue, 21 Oct 2008 14:56:28 +0000</pubDate>
		<dc:creator>john</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[access list]]></category>
		<category><![CDATA[ACL]]></category>
		<category><![CDATA[cbac]]></category>
		<category><![CDATA[content based access control]]></category>
		<category><![CDATA[firewall ios]]></category>
		<category><![CDATA[ip inspect]]></category>
		<category><![CDATA[stateful]]></category>

		<guid isPermaLink="false">http://www.techinvasion.net/?p=77</guid>
		<description><![CDATA[In the beginning God created heaven and earth, and then he created routers, so packets could flow from one part of the earth to the other. As he rested he looked down on his creation and smiled for all was good. Packets were flowing from one interface to another. Then as he beheld his creation [...]]]></description>
			<content:encoded><![CDATA[<p>In the beginning God created heaven and earth, and then he created routers, so packets could flow from one part of the earth to the other. As he rested he looked down on his creation and smiled, for all was good. Packets were flowing from one interface to another. Then, as he beheld his creation, he watched as some bad packets decided to flow where they didn&#8217;t belong! So God created access-lists, and again everything was as it should be: packets only flowed to areas where they belonged. After some time, naughty packets found out that they could sneak past God&#8217;s great protectors of the network by setting the ACK bit in their headers.</p>
<p><span id="more-77"></span></p>
<p>The access-list thought that these packets were part of an ongoing conversation and allowed them to sneak past. To fix this problem God shook heaven and earth and created reflexive access-lists. With these new and improved protectors of God&#8217;s interfaces, packets were only allowed through if they matched a rule created for traffic flowing in the other direction: return packets would only be allowed through if they matched a dynamic rule created by the original outgoing packet. God sat back and looked at his creation, and all was as it should be. Then one day applications were created that used dynamic ports for return traffic. For instance, a person connects to a server on port 80, and the server responds with a packet on a random port between 45000 and 62000. Since the return packets did not match the originating packets, the return packets would be dropped.</p>
<p>To fix this new problem God created CBAC, or Content Based Access Control. With this new enhanced type of security, found in the Firewall Feature Set, traffic is inspected at layer 4 on the way out, and a dynamic access-list entry is created inbound on the interface to allow the traffic to return. Since CBAC inspects traffic at a higher level of the OSI model, it can understand protocols that use dynamic port assignment; it can glean useful information from upper-layer protocols that helps it make intelligent stateful firewalling decisions, improving security while reducing false positives. You can see how over the years the security that we use has become ever more sophisticated to combat the ever-cleverer internet hacker.</p>
<p>Below I will show you how to use CBAC on your router. Keep in mind that CBAC is part of the Firewall Feature Set, so it may require additional licensing if your organization has to upgrade the IOS. ip inspect is configured in two places. The first thing you have to do is create an inspection rule and define which higher-layer protocols you want to inspect. The next thing you have to do is apply the rule in the outbound direction on the interface you want to protect. You must also have an access-list applied in the inbound direction; the access-list can be blank. When configuring the inspection rule you can choose from a number of protocols to look at. For ip inspect to work, and to fix the issue with reflexive access-lists, you only have to inspect layer 4 protocols such as tcp and udp. However, CBAC supports many higher-level protocols such as http, SMTP, real-audio, and other session- and presentation-layer protocols.</p>
<p>Here is a config that shows some of the many possible protocols that can be inspected with CBAC. I have listed the two main ones at the top. Another tip: if you have SIP phones with private NAT&#8217;d addresses behind this router and you want them to connect outside, you need the ip inspect sip command so that SIP is translated properly through NAT.</p>
<pre class="prettyprint">!
ip inspect name cbac-example tcp
ip inspect name cbac-example udp
ip inspect name cbac-example vdolive
ip inspect name cbac-example smtp
ip inspect name cbac-example http
ip inspect name cbac-example rtsp
ip inspect name cbac-example sip
ip inspect name cbac-example skinny
ip inspect name cbac-example tftp
ip inspect name cbac-example ftp
ip audit po max-events 100
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 ip access-group from_internet in
 ip inspect cbac-example out
 duplex auto
 speed auto
!</pre>
<p><a href="http://packetlife.net/blog/2009/jun/01/access-list-syslog-correlation/">Here is a related article on ACL&#8217;s.</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.techinvasion.net/2008/10/21/content-based-access-control-cbac/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Introduction to access-lists part 2</title>
		<link>http://www.techinvasion.net/2008/10/16/introduction-to-access-lists-part-2/</link>
		<comments>http://www.techinvasion.net/2008/10/16/introduction-to-access-lists-part-2/#comments</comments>
		<pubDate>Thu, 16 Oct 2008 17:47:21 +0000</pubDate>
		<dc:creator>john</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[access list]]></category>
		<category><![CDATA[ack]]></category>
		<category><![CDATA[ACL]]></category>
		<category><![CDATA[cbac]]></category>
		<category><![CDATA[established]]></category>
		<category><![CDATA[ip inspect]]></category>
		<category><![CDATA[reflexive]]></category>

		<guid isPermaLink="false">http://www.techinvasion.net/?p=65</guid>
		<description><![CDATA[In the second installment of our guide to access-lists we are going to talk a little about named access-lists, how they work, what the benefits are, and how using them allows us to create reflexive access-lists. Named access-lists are exactly what they sound like, they are an extended access-list that has a name instead of [...]]]></description>
			<content:encoded><![CDATA[<p>In the second installment of our guide to access-lists we are going to talk a little about named access-lists: how they work, what the benefits are, and how using them allows us to create reflexive access-lists. Named access-lists are exactly what they sound like: an extended access-list that has a name instead of a number. One of the nice features of named access-lists is that each line of the access-list has a sequence number. This way you can delete just one line of an access-list without removing the whole access-list. You can create a named access-list by using the following command.</p>
<p><span id="more-65"></span></p>
<pre class="prettyprint">
(config)# ip access-list extended (name goes here)
</pre>
<p>The neat thing about named access-lists is that when you do a show access-list command you see numbers next to the lines in the ACL. This allows you to add or remove lines without deleting the whole access-list.</p>
<pre class="prettyprint">
test#sh ip access-list

extended ip access-list example
	10 permit ip any any
	20 deny tcp any any eq 80
	30 permit udp any any eq 53
</pre>
<p>Reflexive access-lists allow you to filter connections based on session. Reflexive ACLs are part of the IP Plus feature set and were the first attempt to create a stateful inspection firewall on routers. Before the invention of reflexive access-lists, the only way we had to allow stateful return traffic from the internet was by using the established keyword. The problem with the established keyword is that the router only checks for the ACK bit on the packets. The ACK bit is set on packets once the 3-way handshake has been completed. The problem with this is that it does nothing for UDP packets, since those connections are stateless, and it is very easy for hackers to set the ACK bit. To get around this problem Cisco invented the reflexive access-list.</p>
<pre class="prettyprint">
permit tcp any any eq 80 established
</pre>
<p>Reflexive access-lists are very easy. I have added the code for the access-lists below. Basically, reflexive access-lists are made up of two parts. The first part is the access-list that filters outbound traffic; it is made up of statements that allow outbound traffic. The key part here is the reflect statement, which means that you want to reflect that packet into another access-list.</p>
<p>In my example below I reflected the statements into an access-list called dynamic. I then created two access-lists: an inbound access-list to allow static inbound traffic to my web server, and an outbound access-list to allow traffic from my LAN to the internet. I told my inbound access-list to check the reflexive entries before blocking traffic, using the evaluate command. This is all there is to it. With these simple commands you can configure a stateful firewall to protect your network from harm. As good as this is, though, it isn&#8217;t perfect. It doesn&#8217;t work for applications which use dynamic port numbers for return traffic. To solve this problem Cisco added layer 4 inspection and refined reflexive access-lists into what they call Content Based Access Control, or CBAC. However, CBAC is part of the IOS firewall feature set and is a topic for another time.</p>
<pre class="prettyprint">
interface FastEthernet0/0
 description WAN Interface
 ip address 192.168.0.1 255.255.255.0
 ip access-group internet_in in
 ip access-group lan_out out
 duplex auto
 speed auto
!
!
ip access-list extended internet_in
 remark Internet---->lan traffic
 permit tcp any any eq 80
 permit tcp any any eq 443
 evaluate dynamic
!
!
ip access-list extended lan_out
 remark inside----->internet traffic
 permit tcp any any eq www reflect dynamic
 permit tcp any any eq 443 reflect dynamic
 permit tcp any any eq 22 reflect dynamic
 permit tcp any any eq ftp reflect dynamic
 permit tcp any any eq telnet reflect dynamic
 permit tcp any any eq pop3 reflect dynamic
 permit tcp any any eq nntp reflect dynamic
 permit tcp any any eq smtp reflect dynamic
!
!
</pre>
]]></content:encoded>
			<wfw:commentRss>http://www.techinvasion.net/2008/10/16/introduction-to-access-lists-part-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Introduction to access-lists part 1</title>
		<link>http://www.techinvasion.net/2008/10/15/introduction-to-access-lists-part-1/</link>
		<comments>http://www.techinvasion.net/2008/10/15/introduction-to-access-lists-part-1/#comments</comments>
		<pubDate>Thu, 16 Oct 2008 02:12:35 +0000</pubDate>
		<dc:creator>john</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[access list]]></category>
		<category><![CDATA[ACL]]></category>
		<category><![CDATA[extended]]></category>

		<guid isPermaLink="false">http://www.techinvasion.net/?p=59</guid>
		<description><![CDATA[Today I would like to take some time and talk about security. I want to discuss access-lists, extended access-lists, reflexive access-lists, and CBAC or content based access control. Learning how to properly use access-lists is so crucial to becoming a good network administrator. They are vital to securing your network and as you progress with [...]]]></description>
			<content:encoded><![CDATA[<p>Today I would like to take some time and talk about security. I want to discuss access-lists, extended access-lists, reflexive access-lists, and CBAC or content based access control. Learning how to properly use access-lists is so crucial to becoming a good network administrator. They are vital to securing your network and as you progress with your studies you will find that access-lists are used quite extensively in routing, QoS, and other important things.</p>
<p><span id="more-59"></span></p>
<p>Access-lists are used to match traffic and can be applied in either the in or out direction. It is important to note that the direction is from the perspective of the interface. For instance on a switch port “IN” would be coming into the switch or traffic being sent to the switch, whereas “OUT” would be the traffic the switch sends to the device connected to the port. So think of it like this:  OUT means traffic flowing out of the switch, while IN means traffic flowing into the switch. See I knew you would get it, it’s very easy stuff.</p>
<p>There are two basic kinds of access-lists: extended and standard. Access-lists numbered 100 and above are extended access-lists, while access-lists numbered 99 and below are standard access-lists. Standard access-lists can only filter based on IP address, while extended access-lists can filter based on layer 3 protocols such as tcp, udp, gre, and others. They can also filter based on tcp/udp port numbers. Let's take a look at an access-list:</p>
<pre class="prettyprint">
access-list 1 permit any
access-list 2 permit host 127.0.0.1
access-list 3 deny 10.0.0.0 0.255.255.255
access-list (1-99) (permit/deny) (source) (wildcard-mask)
</pre>
<p>All of these are standard access-lists; let’s take them apart in detail. The first part is the command “access-list” followed by the list number; this is followed by either “permit” or “deny”; the next entry is the source, which can be “any”, an individual IP (“host x.x.x.x”), or a network (“192.168.1.0 0.0.0.255”), where the last part is a wildcard mask, which is the inverse of a subnet mask. Remember that standard access-lists can only filter based on source and/or destination address, but not on any other information. If you want to filter on more than source and destination you can choose extended access-lists. Extended access-lists can filter on much more and take a slightly different format.</p>
<pre class="prettyprint">
access-list 101 permit tcp any any eq 443
access-list 101 deny udp any any eq 500
access-list 101 permit gre any any
</pre>
<p>Let's have a look at some of the possible options that the Cisco IOS gives you to match packets. If you don&#8217;t understand all of the options or know how to use them at first, don&#8217;t worry. These kinds of things look useless or seldom used at first; however, as you progress you will make use of most of these options.</p>
<pre class="prettyprint">
#access-list 102 ?

  deny     Specify packets to reject
  dynamic  Specify a DYNAMIC list of PERMITs or DENYs
  permit   Specify packets to forward
  remark   Access list entry comment
</pre>
<p>!</p>
<pre class="prettyprint">
#access-list 102 permit ?

  <0-255>  An IP protocol number
  ahp      Authentication Header Protocol
  eigrp    Cisco's EIGRP routing protocol
  esp      Encapsulation Security Payload
  gre      Cisco's GRE tunneling
  icmp     Internet Control Message Protocol
  igmp     Internet Gateway Message Protocol
  ip       Any Internet Protocol
  ipinip   IP in IP tunneling
  nos      KA9Q NOS compatible IP over IP tunneling
  ospf     OSPF routing protocol
  pcp      Payload Compression Protocol
  pim      Protocol Independent Multicast
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol
</pre>
<p>!</p>
<pre class="prettyprint">

#access-list 102 permit tcp any any ?

  ack          Match on the ACK bit
  dscp         Match packets with given dscp value
  eq           Match only packets on a given port number
  established  Match established connections
  fin          Match on the FIN bit
  fragments    Check non-initial fragments
  gt           Match only packets with a greater port number
  log          Log matches against this entry
  log-input    Log matches against this entry, including input interface
  lt           Match only packets with a lower port number
  neq          Match only packets not on a given port number
  option       Match packets with given IP Options value
  precedence   Match packets with given precedence value
  psh          Match on the PSH bit
  range        Match only packets in the range of port numbers
  rst          Match on the RST bit
  syn          Match on the SYN bit
  time-range   Specify a time-range
  tos          Match packets with given TOS value
  urg          Match on the URG bit
  <cr>
</pre>
<p>!</p>
<pre class="prettyprint">

#access-list 102 permit tcp any any eq 80 ?

  ack          Match on the ACK bit
  dscp         Match packets with given dscp value
  established  Match established connections
  fin          Match on the FIN bit
  log          Log matches against this entry
  log-input    Log matches against this entry, including input interface
  option       Match packets with given IP Options value
  precedence   Match packets with given precedence value
  psh          Match on the PSH bit
  rst          Match on the RST bit
  syn          Match on the SYN bit
  time-range   Specify a time-range
  tos          Match packets with given TOS value
  urg          Match on the URG bit
  <cr>
</pre>
<p>!</p>
<p>This has been a brief intro to access-lists. In the next installment we will talk a little bit about named access-lists and how they can be used to construct reflexive access-lists. Reflexive access-lists can be used to create dynamic entries in an access-list based on some event or matching criteria, and can be a really important tool for securing a network. Named access-lists also let you manage a large access-list more easily by allowing you to change an entry or change the order of the ACL without removing and rewriting the entire access-list.</p>
<p>One last thing: access-lists are applied to an interface by using the following commands, giving the number (or name) of the list and the direction:</p>
<pre class="prettyprint">
#configure terminal
(config)# interface fastethernet 0/1
(config-if)# ip access-group 101 in
or
(config-if)# ip access-group 101 out
</pre>
]]></content:encoded>
			<wfw:commentRss>http://www.techinvasion.net/2008/10/15/introduction-to-access-lists-part-1/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
