JUNOS – Protecting the routing engine


- JUNOS 9.3 R2.8 – Juniper M7i – RE-850 -


To protect the RE, allow only the traffic the router needs to function properly, by building a firewall filter and applying it as an input filter on the loopback interface. You should also police the amount of traffic that is allowed to reach the routing engine, so that even permitted traffic cannot overwhelm it.

set policy-options prefix-list mgmnt-access 192.168.23.0/24
set policy-options prefix-list mgmnt-access 10.20.30.0/24

set policy-options prefix-list ntp-nms-server 192.168.199.111/32
set policy-options prefix-list ntp-nms-server 10.20.100.111/32

set policy-options prefix-list dns-server 192.168.222.33/32
set policy-options prefix-list dns-server 10.99.22.33/32

set policy-options prefix-list core-routers 192.168.5.0/24
set policy-options prefix-list bgp-neighbors 172.16.10.5/32

set firewall policer mgmnt-policer if-exceeding bandwidth-limit 2m
set firewall policer mgmnt-policer if-exceeding burst-size-limit 15k
set firewall policer mgmnt-policer then discard

set firewall policer small-bw-policer if-exceeding bandwidth-limit 1m
set firewall policer small-bw-policer if-exceeding burst-size-limit 15k
set firewall policer small-bw-policer then discard

set firewall policer nms-policer if-exceeding bandwidth-limit 3m
set firewall policer nms-policer if-exceeding burst-size-limit 150k
set firewall policer nms-policer then discard

set firewall policer dns-policer if-exceeding bandwidth-limit 1m
set firewall policer dns-policer if-exceeding burst-size-limit 15k
set firewall policer dns-policer then discard

set firewall policer tcp-policer if-exceeding bandwidth-limit 500k
set firewall policer tcp-policer if-exceeding burst-size-limit 15k
set firewall policer tcp-policer then discard

set firewall policer ntp-policer if-exceeding bandwidth-limit 1m
set firewall policer ntp-policer if-exceeding burst-size-limit 15k
set firewall policer ntp-policer then discard

set firewall filter protect-RE term icmp from protocol icmp
set firewall filter protect-RE term icmp from icmp-type echo-request
set firewall filter protect-RE term icmp from icmp-type echo-reply
set firewall filter protect-RE term icmp from icmp-type unreachable
set firewall filter protect-RE term icmp from icmp-type time-exceeded
set firewall filter protect-RE term icmp then policer small-bw-policer
set firewall filter protect-RE term icmp then accept

set firewall filter protect-RE term tcp-connection from source-prefix-list mgmnt-access
set firewall filter protect-RE term tcp-connection from protocol tcp
set firewall filter protect-RE term tcp-connection from tcp-flags "(syn & !ack) | fin | rst"
set firewall filter protect-RE term tcp-connection then policer tcp-policer
set firewall filter protect-RE term tcp-connection then accept

set firewall filter protect-RE term ssh from source-prefix-list mgmnt-access
set firewall filter protect-RE term ssh from protocol tcp
set firewall filter protect-RE term ssh from port ssh
set firewall filter protect-RE term ssh from port telnet
set firewall filter protect-RE term ssh then policer mgmnt-policer
set firewall filter protect-RE term ssh then accept

set firewall filter protect-RE term nms from source-prefix-list ntp-nms-server
set firewall filter protect-RE term nms from protocol udp
set firewall filter protect-RE term nms from port snmp
set firewall filter protect-RE term nms then policer nms-policer
set firewall filter protect-RE term nms then accept

set firewall filter protect-RE term ntp from source-prefix-list ntp-nms-server
set firewall filter protect-RE term ntp from protocol udp
set firewall filter protect-RE term ntp from port ntp
set firewall filter protect-RE term ntp then policer ntp-policer
set firewall filter protect-RE term ntp then accept

set firewall filter protect-RE term dns from source-prefix-list dns-server
set firewall filter protect-RE term dns from protocol udp
set firewall filter protect-RE term dns from port domain
set firewall filter protect-RE term dns then policer dns-policer
set firewall filter protect-RE term dns then accept

set firewall filter protect-RE term core-ospf from source-prefix-list core-routers
set firewall filter protect-RE term core-ospf from protocol ospf
set firewall filter protect-RE term core-ospf then accept

set firewall filter protect-RE term bgp-intern from source-prefix-list core-routers
set firewall filter protect-RE term bgp-intern from protocol tcp
set firewall filter protect-RE term bgp-intern from port bgp
set firewall filter protect-RE term bgp-intern then accept

set firewall filter protect-RE term bgp-extern from source-prefix-list bgp-neighbors
set firewall filter protect-RE term bgp-extern from protocol tcp
set firewall filter protect-RE term bgp-extern from port bgp
set firewall filter protect-RE term bgp-extern then accept

set firewall filter protect-RE term everything-else then log
set firewall filter protect-RE term everything-else then syslog
set firewall filter protect-RE term everything-else then discard

set interfaces lo0 unit 0 family inet filter input protect-RE
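To reason about what this filter actually lets through before committing it, here is a small Python model of its first-match evaluation (an added example, not part of the original post and not JUNOS code); the prefix lists, ports and terms are transcribed from the configuration above, policers are left out, and the packets fed to it are constructed.

```python
import ipaddress
# Prefix lists, ports and terms transcribed from the protect-RE filter above
# (policers are left out; only the first-match accept/discard decision is modelled).
PREFIX_LISTS = {
    "mgmnt-access": ["192.168.23.0/24", "10.20.30.0/24"],
    "ntp-nms-server": ["192.168.199.111/32", "10.20.100.111/32"],
    "dns-server": ["192.168.222.33/32", "10.99.22.33/32"],
    "core-routers": ["192.168.5.0/24"],
    "bgp-neighbors": ["172.16.10.5/32"],
}
PORTS = {"ssh": 22, "telnet": 23, "snmp": 161, "ntp": 123, "domain": 53, "bgp": 179}
ICMP_OK = {"echo-request", "echo-reply", "unreachable", "time-exceeded"}

def syn_fin_rst(flags):
    # tcp-flags "(syn & !ack) | fin | rst": connection setup and teardown packets only
    return ("syn" in flags and "ack" not in flags) or "fin" in flags or "rst" in flags

# One dict per term, in configuration order; a key that is absent was not matched on.
TERMS = [
    dict(name="icmp", proto="icmp", icmp=ICMP_OK, action="accept"),
    dict(name="tcp-connection", plist="mgmnt-access", proto="tcp", flags=syn_fin_rst, action="accept"),
    dict(name="ssh", plist="mgmnt-access", proto="tcp", ports={"ssh", "telnet"}, action="accept"),
    dict(name="nms", plist="ntp-nms-server", proto="udp", ports={"snmp"}, action="accept"),
    dict(name="ntp", plist="ntp-nms-server", proto="udp", ports={"ntp"}, action="accept"),
    dict(name="dns", plist="dns-server", proto="udp", ports={"domain"}, action="accept"),
    dict(name="core-ospf", plist="core-routers", proto="ospf", action="accept"),
    dict(name="bgp-intern", plist="core-routers", proto="tcp", ports={"bgp"}, action="accept"),
    dict(name="bgp-extern", plist="bgp-neighbors", proto="tcp", ports={"bgp"}, action="accept"),
    dict(name="everything-else", action="discard"),
]

def in_prefix_list(src, name):
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(p) for p in PREFIX_LISTS[name])

def evaluate(src, proto, sport=None, dport=None, flags=(), icmp_type=None):
    """Walk the terms in order and return (term, action) for the first match, as JUNOS does."""
    for t in TERMS:
        if "plist" in t and not in_prefix_list(src, t["plist"]):
            continue
        if "proto" in t and proto != t["proto"]:
            continue
        # 'from port X' matches EITHER the source or the destination port
        if "ports" in t and not {sport, dport} & {PORTS[p] for p in t["ports"]}:
            continue
        if "flags" in t and not t["flags"](set(flags)):
            continue
        if "icmp" in t and icmp_type not in t["icmp"]:
            continue
        return t["name"], t["action"]
    raise AssertionError("unreachable: everything-else matches all traffic")
```

Feeding it a management SYN to port 22, the same flow's ACK, and a BGP packet from the external neighbor shows which term each one lands in, and that a SYN from outside the management prefixes falls through to everything-else and is discarded.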
