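# NOTE(review): '#' lines are reviewer commentary for readers of this listing;
# strip them if your Junos release rejects comment lines under 'load set'.
#
# FF-RE-PROTECT-v4 is an input filter for lo0, i.e. it sees every IPv4 packet
# destined to the Routing Engine. Terms are evaluated top-down, first match wins.
#
# Fragment handling: all IP fragments to the RE are discarded. The first fragment
# (offset 0 AND more-fragments set) and every later fragment (offset != 0) are
# matched by separate terms. Unfragmented packets (offset 0, MF clear) match
# neither term and fall through. Dropping fragments prevents evasion of the
# port/flag matches further down, because non-initial fragments carry no L4
# header. Caveat: any RE-bound protocol packet larger than the path MTU is also
# dropped (large OSPF DB-description / LS-update packets are the usual victims)
# -- confirm MTU behaviour on the control-plane links before deploying.
# Counters are attached so fragment drops show up in 'show firewall'.
set firewall family inet filter FF-RE-PROTECT-v4 term FIRST-FRAG-DROP from fragment-offset 0
set firewall family inet filter FF-RE-PROTECT-v4 term FIRST-FRAG-DROP from fragment-flags more-fragments
set firewall family inet filter FF-RE-PROTECT-v4 term FIRST-FRAG-DROP then count first-frag-drop
set firewall family inet filter FF-RE-PROTECT-v4 term FIRST-FRAG-DROP then discard
set firewall family inet filter FF-RE-PROTECT-v4 term NEXT-FRAG-DROP from fragment-offset-except 0
set firewall family inet filter FF-RE-PROTECT-v4 term NEXT-FRAG-DROP then count next-frag-drop
set firewall family inet filter FF-RE-PROTECT-v4 term NEXT-FRAG-DROP then discard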

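# TCP-DOS-PREVENTION-DSC: discard TCP segments that open (SYN without ACK) or
# tear down (FIN, RST) a connection unless the source is in one of the prefix
# lists flagged 'except'. An 'except' list inverts the match -- sources inside
# those lists do NOT match this term and continue to the accept terms below.
# Every TCP accept term later in the filter (BGP, LDP, SSH, TACACS+) is
# restricted to sources that are also excepted here, so legitimate sessions
# are unaffected; everything else would be discarded by the final ELSE term
# anyway, so the main value of this term is the distinct counter for
# connection-attempt noise (scans, SYN floods) against the RE.
# This term is only as tight as the prefix lists it excepts -- several of them
# are whole /8s in the policy-options section; review those first.
set firewall family inet filter FF-RE-PROTECT-v4 term TCP-DOS-PREVENTION-DSC from source-prefix-list PR-BGP-NEIGHBORS except
set firewall family inet filter FF-RE-PROTECT-v4 term TCP-DOS-PREVENTION-DSC from source-prefix-list PR-BGP-VRF-NEIGHBORS except
set firewall family inet filter FF-RE-PROTECT-v4 term TCP-DOS-PREVENTION-DSC from source-prefix-list PR-LDP-PREFIXES except
set firewall family inet filter FF-RE-PROTECT-v4 term TCP-DOS-PREVENTION-DSC from source-prefix-list PR-SSH-CLIENTS except
set firewall family inet filter FF-RE-PROTECT-v4 term TCP-DOS-PREVENTION-DSC from source-prefix-list PR-SSH-DESTINATIONS except
set firewall family inet filter FF-RE-PROTECT-v4 term TCP-DOS-PREVENTION-DSC from source-prefix-list PR-TACPLUS-SERVER except
set firewall family inet filter FF-RE-PROTECT-v4 term TCP-DOS-PREVENTION-DSC from protocol tcp
set firewall family inet filter FF-RE-PROTECT-v4 term TCP-DOS-PREVENTION-DSC from tcp-flags "(syn & !ack) | fin | rst"
set firewall family inet filter FF-RE-PROTECT-v4 term TCP-DOS-PREVENTION-DSC then count tcp-dos-discard
set firewall family inet filter FF-RE-PROTECT-v4 term TCP-DOS-PREVENTION-DSC then discard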

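# ICMP-POLICE: accept a minimal ICMP set from ANY source, rate-limited by
# PC-ICMP (1 Mbps / 15 KB burst; excess is discarded). echo-request/echo-reply
# keep ping working in both directions, time-exceeded lets traceroute from the
# router work, and 'unreachable' covers all type-3 codes including
# fragmentation-needed, which PMTUD on RE-originated sessions depends on.
# No source restriction is applied, so the policer is the only DoS control;
# the counter makes policer pressure visible in 'show firewall'.
set firewall family inet filter FF-RE-PROTECT-v4 term ICMP-POLICE from protocol icmp
set firewall family inet filter FF-RE-PROTECT-v4 term ICMP-POLICE from icmp-type echo-request
set firewall family inet filter FF-RE-PROTECT-v4 term ICMP-POLICE from icmp-type echo-reply
set firewall family inet filter FF-RE-PROTECT-v4 term ICMP-POLICE from icmp-type unreachable
set firewall family inet filter FF-RE-PROTECT-v4 term ICMP-POLICE from icmp-type time-exceeded
set firewall family inet filter FF-RE-PROTECT-v4 term ICMP-POLICE then policer PC-ICMP
set firewall family inet filter FF-RE-PROTECT-v4 term ICMP-POLICE then count icmp-accept
set firewall family inet filter FF-RE-PROTECT-v4 term ICMP-POLICE then accept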

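# Routing-protocol accept terms. None of these are policed: BFD, BGP and OSPF
# are liveness/adjacency traffic where a policer drop is worse than the DoS it
# would mitigate, so source restriction is the only control here.
#
# BFD-ACC: 3784 = single-hop control, 3785 = echo, 4784 = multihop, 6784 =
# micro-BFD (LAG members), 7784 = seamless BFD. BFD control packets are always
# addressed TO these ports (the sender uses an ephemeral source port), so the
# match is 'destination-port' rather than the original two-sided 'port'; the
# original form would also have accepted any UDP from a 10/8 host that simply
# used 3784 as its SOURCE port, aimed at any RE service.
set firewall family inet filter FF-RE-PROTECT-v4 term BFD-ACC from source-prefix-list PR-BFD-NEIGHBORS
set firewall family inet filter FF-RE-PROTECT-v4 term BFD-ACC from protocol udp
set firewall family inet filter FF-RE-PROTECT-v4 term BFD-ACC from destination-port 3784
set firewall family inet filter FF-RE-PROTECT-v4 term BFD-ACC from destination-port 3785
set firewall family inet filter FF-RE-PROTECT-v4 term BFD-ACC from destination-port 4784
set firewall family inet filter FF-RE-PROTECT-v4 term BFD-ACC from destination-port 6784
set firewall family inet filter FF-RE-PROTECT-v4 term BFD-ACC from destination-port 7784
set firewall family inet filter FF-RE-PROTECT-v4 term BFD-ACC then count bfd-accept
set firewall family inet filter FF-RE-PROTECT-v4 term BFD-ACC then accept
# BGP-ACC / BGP-VRF-ACC: 'port bgp' deliberately matches source OR destination
# 179, because either side may open the session. Sources come from apply-path
# prefix lists built from the configured neighbors, so a new neighbor is
# admitted automatically on commit.
set firewall family inet filter FF-RE-PROTECT-v4 term BGP-ACC from source-prefix-list PR-BGP-NEIGHBORS
set firewall family inet filter FF-RE-PROTECT-v4 term BGP-ACC from protocol tcp
set firewall family inet filter FF-RE-PROTECT-v4 term BGP-ACC from port bgp
set firewall family inet filter FF-RE-PROTECT-v4 term BGP-ACC then count bgp-accept
set firewall family inet filter FF-RE-PROTECT-v4 term BGP-ACC then accept
set firewall family inet filter FF-RE-PROTECT-v4 term BGP-VRF-ACC from source-prefix-list PR-BGP-VRF-NEIGHBORS
set firewall family inet filter FF-RE-PROTECT-v4 term BGP-VRF-ACC from protocol tcp
set firewall family inet filter FF-RE-PROTECT-v4 term BGP-VRF-ACC from port bgp
set firewall family inet filter FF-RE-PROTECT-v4 term BGP-VRF-ACC then count bgp-vrf-accept
set firewall family inet filter FF-RE-PROTECT-v4 term BGP-VRF-ACC then accept
# OSPF-ACC / OSPF-VRF-ACC: protocol 89 from the configured neighbor ranges.
# Only the VRF term additionally requires 'ttl 1'; the two terms are otherwise
# identical, so the asymmetry is presumably unintentional. 'ttl 1' is correct
# for directly connected hellos/updates but will break OSPF virtual links,
# which are unicast over multiple hops -- decide which behaviour is wanted and
# make both terms agree (NOTE(review): left as-is here, confirm with the owner).
set firewall family inet filter FF-RE-PROTECT-v4 term OSPF-ACC from source-prefix-list PR-OSPF-NEIGHBORS
set firewall family inet filter FF-RE-PROTECT-v4 term OSPF-ACC from protocol ospf
set firewall family inet filter FF-RE-PROTECT-v4 term OSPF-ACC then count ospf-accept
set firewall family inet filter FF-RE-PROTECT-v4 term OSPF-ACC then accept
set firewall family inet filter FF-RE-PROTECT-v4 term OSPF-VRF-ACC from source-prefix-list PR-OSPF-VRF-NEIGHBORS
set firewall family inet filter FF-RE-PROTECT-v4 term OSPF-VRF-ACC from protocol ospf
set firewall family inet filter FF-RE-PROTECT-v4 term OSPF-VRF-ACC from ttl 1
set firewall family inet filter FF-RE-PROTECT-v4 term OSPF-VRF-ACC then count ospf-vrf-accept
set firewall family inet filter FF-RE-PROTECT-v4 term OSPF-VRF-ACC then accept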

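# Management / MPLS signalling accept terms.
#
# SNMP-ACC: UDP to port 161 from PR-SNMP-SERVERS, policed by PC-SNMP. Traps are
# router-originated and need no inbound term.
set firewall family inet filter FF-RE-PROTECT-v4 term SNMP-ACC from source-prefix-list PR-SNMP-SERVERS
set firewall family inet filter FF-RE-PROTECT-v4 term SNMP-ACC from protocol udp
set firewall family inet filter FF-RE-PROTECT-v4 term SNMP-ACC from destination-port snmp
set firewall family inet filter FF-RE-PROTECT-v4 term SNMP-ACC then policer PC-SNMP
set firewall family inet filter FF-RE-PROTECT-v4 term SNMP-ACC then count snmp-accept
set firewall family inet filter FF-RE-PROTECT-v4 term SNMP-ACC then accept
# RSVP-ACC / LDP-ACC: both reuse PR-LDP-PREFIXES (the name is narrower than its
# use; treat it as "MPLS signalling peers"). LDP needs UDP 646 for hellos
# (sent to 224.0.0.2) and TCP 646 for the session, hence both protocols.
set firewall family inet filter FF-RE-PROTECT-v4 term RSVP-ACC from source-prefix-list PR-LDP-PREFIXES
set firewall family inet filter FF-RE-PROTECT-v4 term RSVP-ACC from protocol rsvp
set firewall family inet filter FF-RE-PROTECT-v4 term RSVP-ACC then count rsvp-accept
set firewall family inet filter FF-RE-PROTECT-v4 term RSVP-ACC then accept
set firewall family inet filter FF-RE-PROTECT-v4 term LDP-ACC from source-prefix-list PR-LDP-PREFIXES
set firewall family inet filter FF-RE-PROTECT-v4 term LDP-ACC from protocol tcp
set firewall family inet filter FF-RE-PROTECT-v4 term LDP-ACC from protocol udp
set firewall family inet filter FF-RE-PROTECT-v4 term LDP-ACC from port ldp
set firewall family inet filter FF-RE-PROTECT-v4 term LDP-ACC then count ldp-accept
set firewall family inet filter FF-RE-PROTECT-v4 term LDP-ACC then accept
# NTP-ACC: 'port ntp' matches either side, which covers both replies to the
# router's own queries (source 123) and clients querying the router (dest 123).
# NOTE(review): nothing here admits NTP from 127.0.0.1; on Junos the CLI's
# 'show ntp associations/status' talks to the local daemon over loopback and
# is commonly blocked by lo0 filters -- add a loopback-sourced NTP term if that
# command stops working after deployment.
set firewall family inet filter FF-RE-PROTECT-v4 term NTP-ACC from source-prefix-list PR-NTP-SERVERS
set firewall family inet filter FF-RE-PROTECT-v4 term NTP-ACC from protocol udp
set firewall family inet filter FF-RE-PROTECT-v4 term NTP-ACC from port ntp
set firewall family inet filter FF-RE-PROTECT-v4 term NTP-ACC then policer PC-NTP
set firewall family inet filter FF-RE-PROTECT-v4 term NTP-ACC then count ntp-accept
set firewall family inet filter FF-RE-PROTECT-v4 term NTP-ACC then accept
# SSH-ACC: inbound SSH/NETCONF only (destination-port 22) from PR-SSH-CLIENTS.
# There is no policer on this term; brute-force protection therefore rests on
# the size of PR-SSH-CLIENTS and on 'system login retry-options'. The counter
# is the cheapest detection signal for unexpected management-plane access.
# NOTE(review): PR-SSH-DESTINATIONS is excepted in the TCP-DOS term but no
# term accepts return traffic (source-port 22, tcp-established) from it, so
# router-initiated SSH/SCP to those hosts will be discarded by ELSE. Add such a
# term only if outbound SCP/NETCONF from the RE is actually required.
set firewall family inet filter FF-RE-PROTECT-v4 term SSH-ACC from source-prefix-list PR-SSH-CLIENTS
set firewall family inet filter FF-RE-PROTECT-v4 term SSH-ACC from protocol tcp
set firewall family inet filter FF-RE-PROTECT-v4 term SSH-ACC from destination-port ssh
set firewall family inet filter FF-RE-PROTECT-v4 term SSH-ACC then count ssh-accept
set firewall family inet filter FF-RE-PROTECT-v4 term SSH-ACC then accept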
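# Multicast, AAA and traceroute accept terms.
#
# IGMP-ACC / PIM-ACC: accepted from ANY source (both are link-local by nature,
# so a source prefix list is not practical). Each is policed: IGMP by PC-IGMP,
# PIM by PC-PIM. The original listing defined PC-PIM but never attached it, so
# PIM was the only unrestricted, unpoliced protocol in the filter -- fixed here.
set firewall family inet filter FF-RE-PROTECT-v4 term IGMP-ACC from protocol igmp
set firewall family inet filter FF-RE-PROTECT-v4 term IGMP-ACC then policer PC-IGMP
set firewall family inet filter FF-RE-PROTECT-v4 term IGMP-ACC then count igmp-accept
set firewall family inet filter FF-RE-PROTECT-v4 term IGMP-ACC then accept
set firewall family inet filter FF-RE-PROTECT-v4 term PIM-ACC from protocol pim
set firewall family inet filter FF-RE-PROTECT-v4 term PIM-ACC then policer PC-PIM
set firewall family inet filter FF-RE-PROTECT-v4 term PIM-ACC then count pim-accept
set firewall family inet filter FF-RE-PROTECT-v4 term PIM-ACC then accept
# TACPLUS-ACC / Radius-ACC: the router is the AAA *client*, so inbound packets
# carry the server port as SOURCE port; 'port N' (either side) is wider than
# needed. If the box never serves these ports, 'source-port' would be the
# tighter match (NOTE(review): left as 'port' to preserve behaviour; confirm).
# Both terms share PR-TACPLUS-SERVER and PC-TACPLUS; a policer referenced from
# two terms is instantiated separately per term unless 'filter-specific' is
# set, so each term gets its own 1 Mbps budget.
set firewall family inet filter FF-RE-PROTECT-v4 term TACPLUS-ACC from source-prefix-list PR-TACPLUS-SERVER
set firewall family inet filter FF-RE-PROTECT-v4 term TACPLUS-ACC from protocol tcp
set firewall family inet filter FF-RE-PROTECT-v4 term TACPLUS-ACC from port 49
set firewall family inet filter FF-RE-PROTECT-v4 term TACPLUS-ACC then policer PC-TACPLUS
set firewall family inet filter FF-RE-PROTECT-v4 term TACPLUS-ACC then count tacplus-accept
set firewall family inet filter FF-RE-PROTECT-v4 term TACPLUS-ACC then accept
set firewall family inet filter FF-RE-PROTECT-v4 term Radius-ACC from source-prefix-list PR-TACPLUS-SERVER
set firewall family inet filter FF-RE-PROTECT-v4 term Radius-ACC from protocol udp
set firewall family inet filter FF-RE-PROTECT-v4 term Radius-ACC from port 1813
set firewall family inet filter FF-RE-PROTECT-v4 term Radius-ACC from port 1812
set firewall family inet filter FF-RE-PROTECT-v4 term Radius-ACC from port 1645
set firewall family inet filter FF-RE-PROTECT-v4 term Radius-ACC from port 1646
set firewall family inet filter FF-RE-PROTECT-v4 term Radius-ACC then policer PC-TACPLUS
set firewall family inet filter FF-RE-PROTECT-v4 term Radius-ACC then count radius-accept
set firewall family inet filter FF-RE-PROTECT-v4 term Radius-ACC then accept
# TRACEROUTE-ACC: UDP probes in the classic traceroute port range from ANY
# source, so the RE answers with ICMP time-exceeded/port-unreachable. Policed by
# PC-TRACEROUTE because it is unauthenticated and reachable from anywhere.
set firewall family inet filter FF-RE-PROTECT-v4 term TRACEROUTE-ACC from protocol udp
set firewall family inet filter FF-RE-PROTECT-v4 term TRACEROUTE-ACC from destination-port 33434-33523
set firewall family inet filter FF-RE-PROTECT-v4 term TRACEROUTE-ACC then policer PC-TRACEROUTE
set firewall family inet filter FF-RE-PROTECT-v4 term TRACEROUTE-ACC then count traceroute-accept
set firewall family inet filter FF-RE-PROTECT-v4 term TRACEROUTE-ACC then accept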

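# DHCP terms and the catch-all.
#
# DHCP-client-ACC: DISCOVER/REQUEST broadcasts from clients that have no
# address yet (0.0.0.0) or are renewing from 192.168/16, to the limited
# broadcast address, from client port 68. Policed by PC-DHCP.
set firewall family inet filter FF-RE-PROTECT-v4 term DHCP-client-ACC from source-address 0.0.0.0/32
set firewall family inet filter FF-RE-PROTECT-v4 term DHCP-client-ACC from source-address 192.168.0.0/16
set firewall family inet filter FF-RE-PROTECT-v4 term DHCP-client-ACC from destination-address 255.255.255.255/32
set firewall family inet filter FF-RE-PROTECT-v4 term DHCP-client-ACC from protocol udp
set firewall family inet filter FF-RE-PROTECT-v4 term DHCP-client-ACC from source-port 68
set firewall family inet filter FF-RE-PROTECT-v4 term DHCP-client-ACC then count dhcp-client-accept
set firewall family inet filter FF-RE-PROTECT-v4 term DHCP-client-ACC then policer PC-DHCP
set firewall family inet filter FF-RE-PROTECT-v4 term DHCP-client-ACC then accept
# DHCP-ACC: server/relay traffic. 'prefix-list' (no source-/destination-
# qualifier) matches if EITHER address is in PR-DHCP-SERVERS. 'bootps' is the
# service name for 67, so the original 'port bootps' + 'port 67' pair was a
# duplicate; only the numeric form is kept.
set firewall family inet filter FF-RE-PROTECT-v4 term DHCP-ACC from prefix-list PR-DHCP-SERVERS
set firewall family inet filter FF-RE-PROTECT-v4 term DHCP-ACC from protocol udp
set firewall family inet filter FF-RE-PROTECT-v4 term DHCP-ACC from port 67
set firewall family inet filter FF-RE-PROTECT-v4 term DHCP-ACC from port 68
set firewall family inet filter FF-RE-PROTECT-v4 term DHCP-ACC then policer PC-DHCP
set firewall family inet filter FF-RE-PROTECT-v4 term DHCP-ACC then count dhcp-accept
set firewall family inet filter FF-RE-PROTECT-v4 term DHCP-ACC then accept
# ELSE: implicit-deny made explicit. 'log' only writes to the small in-memory
# firewall log ('show firewall log'); a counter is added so the drop rate is
# visible and can be graphed/alerted on. 'syslog' is deliberately NOT used on
# the catch-all: under a flood, per-packet syslog would load the RE the filter
# is meant to protect. If per-packet syslog is wanted, put it on a narrower
# term with its own policer.
set firewall family inet filter FF-RE-PROTECT-v4 term ELSE then count else-discard
set firewall family inet filter FF-RE-PROTECT-v4 term ELSE then log
set firewall family inet filter FF-RE-PROTECT-v4 term ELSE then discard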

# Policers referenced by the accept terms above. All are "hard" policers:
# traffic above the bandwidth limit (after the burst allowance) is discarded,
# not re-marked. 1 Mbps / 15 KB is the conventional RE-protect sizing; NTP is
# held to 500 kbps. A policer named in several terms is instantiated per term
# (independent budgets) unless 'filter-specific' is configured.
set firewall policer PC-DHCP if-exceeding bandwidth-limit 1m

set firewall policer PC-DHCP if-exceeding burst-size-limit 15k

set firewall policer PC-DHCP then discard

set firewall policer PC-ICMP if-exceeding bandwidth-limit 1m

set firewall policer PC-ICMP if-exceeding burst-size-limit 15k

set firewall policer PC-ICMP then discard

set firewall policer PC-IGMP if-exceeding bandwidth-limit 1m


set firewall policer PC-IGMP if-exceeding burst-size-limit 15k

set firewall policer PC-IGMP then discard

# NTP is low-volume; a tighter limit keeps amplification/reflection attempts
# aimed at the RE's NTP port cheap to absorb.
set firewall policer PC-NTP if-exceeding bandwidth-limit 500k

set firewall policer PC-NTP if-exceeding burst-size-limit 15k

set firewall policer PC-NTP then discard

# PIM policer -- make sure the PIM-ACC term actually references it; a policer
# that is defined but never attached provides no protection.
set firewall policer PC-PIM if-exceeding bandwidth-limit 1m

set firewall policer PC-PIM if-exceeding burst-size-limit 15k

set firewall policer PC-PIM then discard

set firewall policer PC-SNMP if-exceeding bandwidth-limit 1m

set firewall policer PC-SNMP if-exceeding burst-size-limit 15k

set firewall policer PC-SNMP then discard

# Shared by the TACACS+ and RADIUS terms.
set firewall policer PC-TACPLUS if-exceeding bandwidth-limit 1m

set firewall policer PC-TACPLUS if-exceeding burst-size-limit 15k

set firewall policer PC-TACPLUS then discard

set firewall policer PC-TRACEROUTE if-exceeding bandwidth-limit 1m

set firewall policer PC-TRACEROUTE if-exceeding burst-size-limit 15k

set firewall policer PC-TRACEROUTE then discard

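# Prefix lists consumed by FF-RE-PROTECT-v4. These ARE the access control for
# the management and signalling terms (SSH, SNMP, TACACS+/RADIUS, NTP, LDP,
# RSVP, BFD, OSPF), so they deserve more scrutiny than the filter itself.
#
# BGP neighbors are derived automatically from the configuration with
# apply-path, so adding a neighbor under [protocols bgp] or inside a
# routing-instance admits it on commit without touching the filter.
set policy-options prefix-list PR-BGP-NEIGHBORS apply-path "protocols bgp group <*> neighbor <*>"
set policy-options prefix-list PR-BGP-VRF-NEIGHBORS apply-path "routing-instances <*> protocols bgp group <*> neighbor <*>"
# The original listing used 172.0.0.0/8 and 192.0.0.0/8 for the management
# lists. Those are NOT private ranges: RFC 1918 space is 172.16.0.0/12 and
# 192.168.0.0/16, and the /8s additionally contain millions of public,
# Internet-routable addresses (172.0.0.0-172.15.255.255 and most of 192/8).
# As written, SSH, SNMP, TACACS+/RADIUS and NTP would have been accepted from
# all of that public space -- only the policers (and the absence of one on SSH)
# stood between the Internet and the RE's management services. Corrected to the
# RFC 1918 blocks below. TODO(review): confirm against the real management and
# AAA ranges, and narrow further (individual hosts or /24s) wherever possible --
# a whole 10/8 for SSH and AAA is still far broader than a jump-host list.
set policy-options prefix-list PR-LDP-PREFIXES 10.0.0.0/8
set policy-options prefix-list PR-SSH-CLIENTS 10.0.0.0/8
set policy-options prefix-list PR-SSH-CLIENTS 172.16.0.0/12
set policy-options prefix-list PR-SSH-CLIENTS 192.168.0.0/16
set policy-options prefix-list PR-SSH-DESTINATIONS 10.0.0.0/8
set policy-options prefix-list PR-SSH-DESTINATIONS 172.16.0.0/12
set policy-options prefix-list PR-SSH-DESTINATIONS 192.168.0.0/16
set policy-options prefix-list PR-TACPLUS-SERVER 10.0.0.0/8
set policy-options prefix-list PR-TACPLUS-SERVER 172.16.0.0/12
set policy-options prefix-list PR-TACPLUS-SERVER 192.168.0.0/16
set policy-options prefix-list PR-BFD-NEIGHBORS 10.0.0.0/8
set policy-options prefix-list PR-OSPF-NEIGHBORS 10.0.0.0/8
set policy-options prefix-list PR-OSPF-VRF-NEIGHBORS 10.0.0.0/8
set policy-options prefix-list PR-SNMP-SERVERS 10.0.0.0/8
set policy-options prefix-list PR-SNMP-SERVERS 172.16.0.0/12
set policy-options prefix-list PR-SNMP-SERVERS 192.168.0.0/16
set policy-options prefix-list PR-NTP-SERVERS 172.16.0.0/12
# NOTE(review): 1.1.1.0/24 is publicly routed address space (APNIC / Cloudflare
# resolver range), which is an unlikely home for an internal DHCP server; this
# looks like a placeholder that was never replaced. Left unchanged because the
# intended value is not recoverable from the listing -- replace with the real
# server address(es) before deployment.
set policy-options prefix-list PR-DHCP-SERVERS 1.1.1.0/24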

# Attach the filter to every lo0 unit (including lo0 units that live inside
# routing instances) through a wildcard group, so new units are covered
# automatically. Only 'family inet' is protected by this listing: if any
# interface carries IPv6, the RE is reachable over v6 with no filter at all
# until an equivalent 'family inet6' input filter is applied the same way.
set interfaces lo0 apply-groups GR-FF-RE-PROTECT

set groups GR-FF-RE-PROTECT interfaces lo0 unit <*> family inet filter input FF-RE-PROTECT-v4
