bgprtrmgr-templates/includes/junos-v21-core-router/firewall.j2

{{ "firewall"|progress }} {

    {%- set bgp_multihop_prefixes_v4 = [] %}
    {%- set bgp_multihop_prefixes_v6 = [] %}
    {%- for prefix in 'bgp-multihop'|get_netbox_tagged_prefixes %}
        {%- if prefix|ipv4 %}{% do bgp_multihop_prefixes_v4.append( prefix ) %}
        {%- elif prefix|ipv6 %}{% do bgp_multihop_prefixes_v6.append( prefix ) %}
        {%- endif %}
    {%- endfor %}

    {%- set bgp_allowed_prefixes_v4 = [] %}
    {%- set bgp_allowed_prefixes_v6 = [] %}
    {%- for prefix in 'bgp-allowed'|get_netbox_tagged_prefixes %}
        {%- if prefix|ipv4 %}{% do bgp_allowed_prefixes_v4.append( prefix ) %}
        {%- elif prefix|ipv6 %}{% do bgp_allowed_prefixes_v6.append( prefix ) %}
        {%- endif %}
    {%- endfor %}

    {%- set ldp_allowed_prefixes_v4 = [] %}
    {%- set ldp_allowed_prefixes_v6 = [] %}
    {%- for prefix in 'ldp-allowed'|get_netbox_tagged_prefixes %}
        {%- if prefix|ipv4 %}{% do ldp_allowed_prefixes_v4.append( prefix ) %}
        {%- elif prefix|ipv6 %}{% do ldp_allowed_prefixes_v6.append( prefix ) %}
        {%- endif %}
    {%- endfor %}

    {%- set as_set_prefixes = 59811|get_prefixes_for_asn %}
    {%- set linknets_ipv4 = [] %}
    {%- set linknets_ipv6 = [] %}

    {% for interface in device_interfaces %}
        {%- set interface_tags = [] %}
        {%- for tag in interface.tags %}
        {%- do interface_tags.append(tag.slug) %}
        {%- endfor %}
        {%- if 'transit-link' in interface_tags or 'ix-link' in interface_tags or 'pni-link' in interface_tags %}
            {%- for address in interface|get_addresses %}
                {%- if address|ipv4 %}
                    {%- do linknets_ipv4.append(address.address.split("/")[0]) %}
                {%- elif address|ipv6 %}
                    {%- do linknets_ipv6.append(address.address.split("/")[0]) %}
                {%- endif %}
            {%- endfor %}
        {%- endif %}
    {% endfor %}

    family inet {
        filter BCP38-edge-IPv4 {
            term allow-AS59811-set {
                from {
                    source-address {
                        {% for prefix in as_set_prefixes['ipv4'] %}
                            {{ prefix['prefix'] }};
                        {% endfor %}
                    }
                }
                then {
                    accept
                }
            }
            term allow-interfaces {
                from {
                    source-address {
                        {%- for address in linknets_ipv4 %}
                            {{ address }};
                        {%- endfor %}
                    }
                }
                then {
                    accept
                }
            }
        }

        filter control-plane-protection-IPv4 {
            {% if bgp_multihop_prefixes_v4 %}
            term allow-multihop-bgp {
                from {
                    source-address {
                        {% for prefix in bgp_multihop_prefixes_v4 %}
                            {{ prefix }}; /* {{ prefix.description }} */
                        {% endfor %}
                    }
                    protocol tcp;
                    port 179;
                }
                then {
                    accept;
                }
            }
            {% endif %}
            {% if bgp_allowed_prefixes_v4 %}
            term allow-gtsm-bgp {
                from {
                    protocol tcp;
                    source-address {
                        {% for prefix in bgp_allowed_prefixes_v4 %}
                            {{ prefix }}; /* {{ prefix.description }} */
                        {% endfor %}
                    }
                    tcp-initial;
                    ttl 255;
                    port 179;
                }
                then {
                    accept;
                }
            }
            term allow-established-bgp {
                from {
                    protocol tcp;
                    source-address {
                        {% for prefix in 'bgp-allowed'|get_netbox_tagged_prefixes %}{% if prefix|ipv4 %}
                            {{ prefix }}; /* {{ prefix.description }} */
                        {% endif %}{% endfor %}
                    }
                    tcp-established;
                    port 179;
                }
                then {
                    accept;
                }
            }
            {% endif %}
            term reject-bgp {
                from {
                    protocol tcp;
                    port 179;
                }
                then {
                    reject tcp-reset;
                }
            }
            {% if ldp_allowed_prefixes_v4 %}
            term allow-ldp {
                from {
                    source-address {
                        {% for prefix in ldp_allowed_prefixes_v4 %}
                            {{ prefix }}; /* {{ prefix.description }} */
                        {% endfor %}
                    }
                    protocol tcp;
                    port 646;
                }
                then {
                    accept;
                }
            }
            {% endif %}
            term reject-ldp {
                from {
                    protocol tcp;
                    port 646;
                }
                then {
                    reject tcp-reset;
                }
            }
            term else {
                then {
                    accept;
                }
            }
        }
    }
    family inet6 {
        filter BCP38-edge-IPv6 {
            term allow-AS59811-set {
                from {
                    source-address {
                        {% for prefix in as_set_prefixes['ipv6'] %}
                            {{ prefix['prefix'] }};
                        {% endfor %}
                    }
                }
                then {
                    accept
                }
            }
            term allow-interfaces {
                from {
                    source-address {
                        {%- for address in linknets_ipv6 %}
                            {{ address }};
                        {%- endfor %}
                    }
                }
                then {
                    accept
                }
            }
        }

        filter control-plane-protection-IPv6 {
            {% if bgp_multihop_prefixes_v6 %}
            term allow-multihop-bgp {
                from {
                    source-address {
                        {% for prefix in bgp_multihop_prefixes_v6 %}
                            {{ prefix }}; /* {{ prefix.description }} */
                        {% endfor %}
                    }
                    next-header tcp;
                    destination-port 179;
                }
                then {
                    accept;
                }
            }
            {% endif %}
            {% if bgp_allowed_prefixes_v6 %}
            term allow-gtsm-bgp {
                from {
                    next-header tcp;
                    source-address {
                        {% for prefix in bgp_allowed_prefixes_v6 %}
                            {{ prefix }}; /* {{ prefix.description }} */
                        {% endfor %}
                    }
                    hop-limit 255;
                    tcp-initial;
                    destination-port 179;
                }
                then {
                    accept;
                }
            }
            term allow-established-bgp {
                from {
                    next-header tcp;
                    source-address {
                        {% for prefix in bgp_allowed_prefixes_v6 %}
                            {{ prefix }}; /* {{ prefix.description }} */
                        {% endfor %}
                    }
                    tcp-established;
                    destination-port 179;
                }
                then {
                    accept;
                }
            }
            {% endif %}
            term reject-bgp {
                from {
                    next-header tcp;
                    destination-port 179;
                }
                then {
                    reject tcp-reset;
                }
            }
            {% if ldp_allowed_prefixes_v6 %}
            term allow-ldp {
                from {
                    next-header tcp;
                    source-address {
                        {% for prefix in ldp_allowed_prefixes_v6 %}
                            {{ prefix }}; /* {{ prefix.description }} */
                        {% endfor %}
                    }
                    destination-port 646;
                }
                then {
                    accept;
                }
            }
            {% endif %}
            term reject-ldp {
                from {
                    next-header tcp;
                    destination-port 646;
                }
                then {
                    reject tcp-reset;
                }
            }
            term else {
                then {
                    accept;
                }
            }
        }
    }
}