[j-nsp] Stateful Firewall Q

Jerry Gardner sodaant at gmail.com
Tue Oct 10 11:49:37 EDT 2006


On 10/9/06, Jerry Gardner <sodaant at gmail.com> wrote:
>
> Does the stateful firewall in the J-series routers support hard to
> firewall protocols such as FTP?


Resending this because I received several replies where I don't think the
responder understood exactly what I was asking.

What I'd like to know is if the J-series stateful firewall code supports
layer 7 inspection for some common applications such as FTP and SIP. What I
mean by this is as follows (assume this is from a client machine's
perspective from behind the firewall):

1. Client initiates an FTP connection to a server:  192.168.1.1:12345 ->
202.12.41.132:21

2. Client starts a data transfer (get or put) operation. The FTP application
on the client allocates a free port >= 1024, let's say 43210, sends this
port number to the server on the existing connection, and listens on that
port.

3. The server receives the data transfer command along with the port number
the client is listening on and tries to open a TCP session to that port:
202.12.41.132:20 -> 192.168.1.1:43210.

4. The client and server transfer the data on the new connection.


The problem for the firewall comes at step 3 when the server tries to open a
connection back to the client on an arbitrary port number assigned by the
client's OS. Unless there's a firewall rule in place to allow a connection
to all ports >= 1024 on the client coming from any arbitrary external IP on
port 20, this will not work.

Forgive me for mentioning that "other" router company, but the Cisco IOS
Firewall software supports this via the "inspect ftp" command that instructs
the firewall to monitor FTP sessions.
When it sees the client send a Port command to the server, it extracts the
port number from the packet (layer 7) and creates a temporary ACL to open a
hole in the firewall for the data transfer.

So my questions are:

1. Does the Junos stateful firewall on the J-series support this?

2. If so, where is it documented?

3. Are there any configuration examples available?


Tnx.
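The behaviour the post describes (watch the control channel, pull the PORT argument out of the layer-7 payload, open a temporary hole for the server's connection from port 20 back to the client's ephemeral port), shown as an added Python model of such an FTP ALG. This is example code written for this page, not Junos or IOS code, and it does not show how either vendor implements the feature; the addresses, ports and payload lines are constructed to match the scenario in the post (client 192.168.1.1 behind the firewall, server 202.12.41.132). It also adds the two checks a practitioner would want in such an ALG: the pinhole is opened only to the client that sent the PORT command (a PORT naming a third host is an FTP bounce attempt), and only to an unprivileged port, and each pinhole is consumed by the first matching SYN.

```python
"""
Model of an FTP application-layer gateway for active-mode transfers.

Constructed example for illustration; not Junos or IOS code. All IPs,
ports and payload lines below are made up to match the post's scenario.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# RFC 959 PORT syntax: "PORT h1,h2,h3,h4,p1,p2", data port = p1*256 + p2
PORT_RE = re.compile(
    rb"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$"
)


@dataclass(frozen=True)
class Flow:
    """A TCP 4-tuple as seen by the firewall."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class FtpAlg:
    """Tracks FTP control sessions and opens one-shot pinholes for data connections."""
    control: set = field(default_factory=set)   # tracked client -> server:21 flows
    pinholes: set = field(default_factory=set)  # temporary allow entries for expected inbound SYNs

    def track_control(self, flow: Flow) -> None:
        """Register a control connection (client -> server:21) for inspection."""
        self.control.add(flow)

    @staticmethod
    def parse_port_command(line: bytes) -> Optional[tuple]:
        """Return (ip, port) from a PORT command line, or None if it is not a valid PORT."""
        m = PORT_RE.match(line.strip())
        if not m:
            return None
        fields = [int(x) for x in m.groups()]
        if any(v > 255 for v in fields):
            return None
        ip = ".".join(str(o) for o in fields[:4])
        return ip, fields[4] * 256 + fields[5]

    def inspect_client_payload(self, flow: Flow, payload: bytes) -> Optional[Flow]:
        """Inspect client->server bytes on a tracked control session.

        Returns the pinhole opened for the server's data connection, or None
        when the payload is not a PORT command or fails the sanity checks.
        """
        if flow not in self.control:
            return None
        parsed = self.parse_port_command(payload)
        if parsed is None:
            return None
        ip, port = parsed
        # Only open a hole back to the host that sent the command (otherwise a
        # PORT naming a third host lets the server be used to reach it), and
        # never to a privileged port.
        if ip != flow.src_ip or port < 1024:
            return None
        # Expected data connection: server ftp-data (20) -> client's announced port.
        hole = Flow(flow.dst_ip, 20, flow.src_ip, port)
        self.pinholes.add(hole)
        return hole

    def permit_inbound_syn(self, flow: Flow) -> bool:
        """Inbound SYN decision: allowed only if it matches a pinhole, which is then consumed."""
        if flow in self.pinholes:
            self.pinholes.discard(flow)
            return True
        return False


def run_scenario() -> dict:
    """Walk through the four steps in the post and return the firewall's decisions."""
    alg = FtpAlg()
    ctl = Flow("192.168.1.1", 12345, "202.12.41.132", 21)      # step 1
    alg.track_control(ctl)
    # step 2: client announces port 43210 = 168*256 + 202 (constructed payload)
    hole = alg.inspect_client_payload(ctl, b"PORT 192,168,1,1,168,202\r\n")
    # step 3: server connects from port 20 to the announced port
    data_syn = Flow("202.12.41.132", 20, "192.168.1.1", 43210)
    first = alg.permit_inbound_syn(data_syn)
    replay = alg.permit_inbound_syn(data_syn)                   # same SYN again: hole is gone
    stray = alg.permit_inbound_syn(Flow("202.12.41.132", 20, "192.168.1.1", 43211))
    bounce = alg.inspect_client_payload(ctl, b"PORT 10,0,0,5,168,202\r\n")
    lowport = alg.inspect_client_payload(ctl, b"PORT 192,168,1,1,0,80\r\n")
    return {"hole": hole, "first": first, "replay": replay,
            "stray": stray, "bounce": bounce, "lowport": lowport}


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

`run_scenario()` shows the point the post makes about step 3: without the inspection there is no static rule that fits, and with it the hole exists only for the exact server:20 -> client:43210 flow the client announced, and only once.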

