Juniper is also big on naming things, in JUNOS everything has a name, the Filter Lists have names, the terms in the Filter Lists have names, and even the address’s you are matching on have names. This is a big concept in JUNOS because it allows you to write snippets of Filter-Lists and use them for many different Filter Lists. JUNOS also supports grouping Filter Lists and applying an entire group of filter to an interface. If you apply Filter groups to a JUNOS interface they individual Filter Lists are evaluated in order sequentially.

To facilitate out discussion of Filter-Lists let’s take a look at a standard anti-spoofing access list which would be applied to most edge routers. First let’s talk about what a vanilla anti-spoofing ACL should contain! A standard ACL at a minimum should block all RFC-1918 address space from the internet, it should also block undesirable types of ICMP traffic, and depending on the setup should block packets with illegal combinations of TCP flags set, for example packets with the SYN-FIN flag set at the same time or FIN-URG-PSH or URG-ACK-PSH-RST-SYN-FIN at the same time. All of these combinations of TCP flags are illegal and should never be together as part of a legitimate packet. So without further ado lets talk about Filter Lists.
Filter Lists are defined under the Firewall section of the JUNOS configuration. Prefix Lists which are groups of networks, IP address ranges, or single hosts such as 1.1.1.1/32 are defined in these lists. These lists can later be used in as many Filter Lists as you define.

Below I will show you the actual Filter Lists as it looks in the configuration and some of the commands to create the list. For brevity I have opted to only show some of the commands used in creating the list as they are basically repetitive. The important thing to remember is that like all Access-Lists the terms in the Filter List are evaluated from top to bottom so it is important that the last term be an allow all statement otherwise the anti-spoofing filter will block all communication even legitimate communication.

[edit]
john#set policy-options prefix-list rfc1918-prefix-list 192.168.0.0/16

[edit]
john#set policy-options prefix-list rfc1918-prefix-list 172.16.0.0/12

[edit]
john#set policy-options prefix-list rfc1918-prefix-list 10.0.0.0/8

[edit]
john# edit firewall

[edit firewall]
john# edit filter anti-spoofing

[edit firewall filter anti-spoofing]
john# edit term block-rfc1918

[edit firewall filter anti-spoofing term block-rfc1918]
john# set from source-prefix-list rfc1918-prefix-list

[edit firewall filter anti-spoofing term block-rfc1918]
john# set then log discard

[edit]
john# show policy-options

prefix-list rfc1918-prefix-list {
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
}

[edit firewall]
john# show

filter anti-spoofing {
    term block-rfc1918 {
        from {
            source-prefix-list {
                rfc1918-prefix-list; ## 'rfc1918-prefix-list' is not defined
            }
        }
        then {
            log;
            discard;
        }
    }
    term block-fin-urg-psh {
        from {
            protocol tcp;
            tcp-flags fin,psh,urg;
        }
        then {
            log;
            discard;
        }
    }
    term block-syn-fin {
        from {
            protocol tcp;
            tcp-flags fin,syn;
        }
        then {
            log;
            discard;
        }
    }
    term block-urg-ack-syn-fin-rst-psh {
        from {
            protocol tcp;
            tcp-flags urg,ack,psh,rst,fin,syn;
        }
        then {
            log;
            discard;
        }
    }
    term block-icmp {
        from {
            protocol icmp;
            icmp-type-except echo-reply,unreachable,source-quench,time-exceeded;
        }
        then {
            log;
            discard;
        }
    }
    term accept-all {
        then accept;
    }
}

Remember to apply the Filter-List to the interface with the following command:

[edit]
john#set interfaces fe-0/0/0.0 family inet filter input anti-spoofing

Here is a related Article on ACL’s

I also discovered that Dove-net and Fido-net are still alive and well, and there are a great many BBS’s connected all over the world. If the internet is a vast global city such as Coruscant (in Star Wars) then BBS’s and protocols such as telnet and gopher are its seedy underworld. An eclectic grouping of forgotten protocols running on forgotten systems, used by a hand full of lost souls who still cling to the web as it was. I had allot of fun setting up this BBS and I would like to use it in some way as a fun addition to part of my site.

In the spirit of the above and to old memories and a simpler if not better time I want to announce that telnet://bbs.techinvasion.net is open for business, with door games and all. Accounts are free, and I have even put up a forum for people to request firmware and various other things that they might need for a networking project. I hope everyone has as much fun using the system as I had creating it and I hope to see everyone in a session of Trade Wars.