This article describes the options for setting up a filter to prevent outside attacks, and the options for protecting your Routing Engines.
To prevent outside attackers from attempting to gain access to your router, you can apply a filter on your loopback interface that allows specific traffic from trusted IP addresses only.
An example configuration is shown below. It is only an example and should be adapted to your own network and configuration.
1. Create a prefix list of the IP addresses allowed to access the router:
policy-options {
    prefix-list Router_Admin {
        10.10.10.0/24;
        10.20.20.0/24;
    }
    prefix-list IBGPv6-NEIGHBORS {
        2001:DB8:1::/48;
    }
    prefix-list EBGPv6-NEIGHBORS {
        2001:DB8:100::25/128;
        2001:DB8:100::27/128;
        2001:DB8:100::29/128;
        2001:DB8:100::31/128;
    }
    prefix-list RADIUSv6-SERVERS {
        2001:DB8:100::9/128;
        2001:DB8:100::10/128;
    }
}
2. Create the firewall filter for the options you want to allow:
firewall {
    family inet {
        filter PROTECT_RE {
            term ssh {
                from {
                    source-prefix-list {
                        Router_Admin;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term snmp {
                from {
                    source-prefix-list {
                        Router_Admin;
                    }
                    destination-port [ snmptrap snmp ];
                }
                then accept;
            }
            term icmp {
                from {
                    protocol icmp;
                }
                then accept;
            }
            term vrrp {
                from {
                    source-prefix-list {
                        Router_Admin;
                    }
                    protocol vrrp;
                }
                then accept;
            }
        }
    }
    family inet6 {
        filter protect-router-control-plane-v6 {
            term fragv6 {
                from {
                    next-header fragment;
                }
                then {
                    count frag-v6-discards;
                    log;
                    discard;
                }
            }
            term icmpv6 {
                from {
                    next-header icmpv6;
                }
                then {
                    policer 500kbps;
                    /* ICMPv6 packets can be useful, so the traffic is only
                       rate-limited to 500 kbps. Adjust this value to your own
                       network, or reject all ICMPv6 packets if you do not want
                       them passed through at all. The policer named 500kbps
                       must be defined under [edit firewall policer] before this
                       filter can be committed. */
                    accept;
                }
            }
            term ospfv3 {
                from {
                    source-address {
                        FE80::/10;
                    }
                    next-header ospf;
                }
                then accept;
            }
            term ibgpv6-connect {
                from {
                    source-prefix-list {
                        IBGPv6-NEIGHBORS;
                    }
                    next-header tcp;
                    destination-port bgp;
                }
                then accept;
            }
            term ibgpv6-reply {
                from {
                    source-prefix-list {
                        IBGPv6-NEIGHBORS;
                    }
                    next-header tcp;
                    port bgp;
                }
                then accept;
            }
            term ebgpv6-connect {
                from {
                    source-prefix-list {
                        EBGPv6-NEIGHBORS;
                    }
                    next-header tcp;
                    destination-port bgp;
                }
                then accept;
            }
            term ebgpv6-reply {
                from {
                    source-prefix-list {
                        EBGPv6-NEIGHBORS;
                    }
                    next-header tcp;
                    port bgp;
                }
                then accept;
            }
            term dnsv6 {
                from {
                    source-address {
                        2001:DB8:100:1::/64;
                    }
                    next-header [ udp tcp ];
                    port domain;
                }
                then accept;
            }
            term ntpv6 {
                from {
                    source-address {
                        2001:DB8:100:2::/64;
                    }
                    next-header udp;
                    destination-port ntp;
                }
                then accept;
            }
            term sshv6 {
                from {
                    source-address {
                        2001:DB8:100:3::/64;
                    }
                    next-header tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term snmpv6 {
                from {
                    source-address {
                        2001:DB8:100:3::/64;
                    }
                    next-header udp;
                    destination-port snmp;
                }
                then accept;
            }
            term radiusv6 {
                from {
                    source-prefix-list {
                        RADIUSv6-SERVERS;
                    }
                    next-header udp;
                    port [ 1812 1813 ];
                }
                then accept;
            }
        }
    }
}
3. Apply the firewall filter to the lo0 interface:
interfaces lo0 {
    unit 0 {
        family inet {
            filter {
                input PROTECT_RE;
            }
        }
        family inet6 {
            filter {
                input protect-router-control-plane-v6;
            }
        }
    }
}
By referencing a prefix list, you can add and remove IP prefixes in one place instead of changing them in every term of the filter; each term then specifies which protocols and ports are allowed from those prefixes.
An implicit deny is set at the end of every firewall filter. In the above example, the incoming traffic is evaluated against each term in order. If there is no match on any of them, the traffic is dropped as an implicit deny.
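As an added illustration (not part of the original article or of Junos itself), the first-match and implicit-deny evaluation described above can be modelled offline to check what a given filter will do to a packet before it is committed. The term table is a hand-transcribed subset of the PROTECT_RE and protect-router-control-plane-v6 filters above, and the packets are constructed test inputs.

```python
import ipaddress

# Prefix lists and a subset of the terms from the filters above, transcribed by hand.
PREFIX_LISTS = {
    "Router_Admin": ["10.10.10.0/24", "10.20.20.0/24"],
    "IBGPv6-NEIGHBORS": ["2001:DB8:1::/48"],
}

# Each term is (name, match conditions, action). Conditions are ANDed, and a
# condition the term does not state is a wildcard, as in a Junos "from" clause.
TERMS = {
    4: [
        ("ssh",  {"src": "Router_Admin", "proto": "tcp", "dport": (22,)}, "accept"),
        ("snmp", {"src": "Router_Admin", "dport": (161, 162)}, "accept"),
        ("icmp", {"proto": "icmp"}, "accept"),
        ("vrrp", {"src": "Router_Admin", "proto": "vrrp"}, "accept"),
    ],
    6: [
        ("fragv6", {"proto": "fragment"}, "discard"),
        ("icmpv6", {"proto": "icmpv6"}, "accept"),
        ("ibgpv6-connect", {"src": "IBGPv6-NEIGHBORS", "proto": "tcp", "dport": (179,)}, "accept"),
    ],
}

def in_prefix_list(addr, list_name):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in PREFIX_LISTS[list_name])

def term_matches(cond, pkt):
    if "src" in cond and not in_prefix_list(pkt["src"], cond["src"]):
        return False
    if "proto" in cond and pkt.get("proto") != cond["proto"]:
        return False
    if "dport" in cond and pkt.get("dport") not in cond["dport"]:
        return False
    return True

def evaluate(pkt):
    """Return (term, action): the first matching term wins; no match is the implicit deny."""
    family = ipaddress.ip_address(pkt["src"]).version
    for name, cond, action in TERMS[family]:
        if term_matches(cond, pkt):
            return name, action
    return "implicit-deny", "discard"

if __name__ == "__main__":
    # Constructed test packets, not captured traffic.
    for pkt in [{"src": "10.10.10.5", "proto": "tcp", "dport": 22},
                {"src": "192.0.2.1", "proto": "tcp", "dport": 22},
                {"src": "2001:DB8:1::5", "proto": "fragment"}]:
        print(pkt["src"], evaluate(pkt))
```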