[j-nsp] Stateful Firewall Q
Harry Reynolds
harry at juniper.net
Tue Oct 10 12:19:39 EDT 2006
I think the answer is "yes". We call them application level gateways,
ALGs.
To see a list of currently supported ALGs:
[edit]
harry@vpn11# show groups junos-defaults
#
# Make vt100 the default for the console port
#
system {
    ports {
        console type vt100;
    }
    login {
        password {
            minimum-length 6;
            change-type set-transitions;
            minimum-changes 1;
            format md5;
        }
    }
    compress-configuration-files;
}
applications {
    #
    # File Transfer Protocol
    #
    application junos-ftp {
        application-protocol ftp;
        protocol tcp;
        destination-port 21;
    }
Regards
> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net
> [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of
> Jerry Gardner
> Sent: Tuesday, October 10, 2006 8:50 AM
> To: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] Stateful Firewall Q
>
> On 10/9/06, Jerry Gardner <sodaant at gmail.com> wrote:
> >
> > Does the stateful firewall in the J-series routers support hard to
> > firewall protocols such as FTP?
>
>
> Resending this because I received several replies where I
> don't think the responder understood exactly what I was asking.
>
> What I'd like to know is if the J-series stateful firewall
> code supports layer 7 inspection for some common applications
> such as FTP and SIP. What I mean by this is as follows
> (assume this is from a client machine's perspective from
> behind the firewall):
>
> 1. Client initiates an FTP connection to a server:
> 192.168.1.1:12345 ->
> 202.12.41.132:21
>
> 2. Client starts a data transfer (get or put) operation. The
> FTP application on the client allocates a free port >= 1024,
> let's say 43210, sends this port number to the server on the
> existing connection, and listens on that port.
>
> 3. The server receives the data transfer command along with
> the port number the client is listening on and tries to open
> a TCP session to that port:
> 202.12.41.132:20 -> 192.168.1.1:43210.
>
> 4. The client and server transfer the data on the new connection.
>
>
> The problem for the firewall comes at step 3 when the server
> tries to open a connection back to the client on an arbitrary
> port number assigned by the client's OS. Unless there's a
> firewall rule in place to allow a connection to all ports >=
> 1024 on the client coming from any arbitrary external IP on
> port 20, this will not work.
>
> Forgive me for mentioning that "other" router company, but
> the Cisco IOS Firewall software supports this via the
> "inspect ftp" command that instructs the firewall to monitor
> FTP sessions.
> When it sees the client send a Port command to the server, it
> extracts the port number from the packet (layer 7) and
> creates a temporary ACL to open a hole in the firewall for
> the data transfer.
>
> So my questions are:
>
> 1. Does the Junos stateful firewall on the J-series support this?
>
> 2. If so, where is it documented?
>
> 3. Are there any configuration examples available?
>
>
> Tnx.
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
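The step-3 problem in the quoted question (the server opening a data connection back to a client-chosen port) is exactly what an FTP ALG solves by reading the PORT command on the control channel and opening a narrow, temporary pinhole. The following is an added illustration in Python, not code from this thread or from Juniper's ALG implementation: it parses active-mode PORT commands, derives the single reverse flow the firewall should admit (server:20 to client:port), and applies the sanity checks a defender wants before punching any hole (the advertised address must match the control-connection client, and the port must be unprivileged). The sample control-channel lines and the addresses are constructed from the question's scenario.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 959 PORT syntax: "PORT h1,h2,h3,h4,p1,p2" with port = p1*256 + p2.
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)

# Constructed sample flow matching the question: client behind the firewall,
# external FTP server, client allocates 43210 for the data connection.
CLIENT_IP = "192.168.1.1"
SERVER_IP = "202.12.41.132"
SAMPLE_CONTROL_CHANNEL = [
    "USER anonymous",
    "PASS guest@example.invalid",
    "TYPE I",
    "PORT 192,168,1,1,168,202",   # 168*256 + 202 = 43210
    "RETR file.bin",
]


@dataclass(frozen=True)
class Pinhole:
    """One temporary permit entry: the only reverse flow the ALG admits."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_port_command(line: str) -> Optional[Tuple[str, int]]:
    """Return (advertised_ip, port) for a well-formed PORT line, else None."""
    m = PORT_RE.match(line.strip())
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None  # each h/p field is a single byte in the wire format
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def derive_pinhole(line: str, client_ip: str, server_ip: str) -> Optional[Pinhole]:
    """Turn a PORT command into the exact flow to permit, or None if it is unsafe.

    Checks applied before opening anything:
      * the advertised IP must equal the control-connection client (rejects
        attempts to make the firewall open holes toward third-party hosts);
      * the port must be >= 1024 (rejects holes toward privileged services).
    """
    parsed = parse_port_command(line)
    if parsed is None:
        return None
    advertised_ip, port = parsed
    if ipaddress.ip_address(advertised_ip) != ipaddress.ip_address(client_ip):
        return None
    if not 1024 <= port <= 65535:
        return None
    # Active-mode data connection is always sourced from the server's port 20.
    return Pinhole(src_ip=server_ip, src_port=20, dst_ip=client_ip, dst_port=port)


def track_control_channel(lines: List[str], client_ip: str, server_ip: str) -> List[Pinhole]:
    """Walk client->server control-channel lines and collect the pinholes an ALG would open."""
    pinholes: List[Pinhole] = []
    for line in lines:
        hole = derive_pinhole(line, client_ip, server_ip)
        if hole is not None:
            pinholes.append(hole)
    return pinholes


if __name__ == "__main__":
    for hole in track_control_channel(SAMPLE_CONTROL_CHANNEL, CLIENT_IP, SERVER_IP):
        print(f"permit tcp {hole.src_ip}:{hole.src_port} -> {hole.dst_ip}:{hole.dst_port}")
```

A real ALG would additionally tie the pinhole's lifetime to the control session (removing it when the data connection closes or the control session ends) and would handle the passive-mode `227 Entering Passive Mode` reply from the server the same way in the opposite direction; the address-match check is the important one, because without it a PORT command could direct the firewall to admit traffic toward hosts other than the client that issued it.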