[ Contents] [ Prev] [ Next] [ Index] [ Report an Error]

Configuring IPv4 and IPv6 Stateless Firewall Filters

Using the Firewall Filters Quick Configuration pages, you can create filters and terms and define match conditions and actions for each filter term. For a description of match conditions, see Table 71, and for a description of actions, see Table 73.

Figure 18 shows the initial Firewall Filters Quick Configuration page that displays existing firewall filters and allows you to add and modify filters.

Figure 19 shows the match conditions and actions Quick Configuration page for configuring match conditions and the resulting actions of filter terms.

Figure 18: Initial Firewall Filters Quick Configuration Page

Image s020229.gif

Figure 19: Match Conditions and Actions Quick Configuration Page

Image s020230.gif

To configure a stateless firewall filter with Quick Configuration:

In the J-Web interface, select Configuration>Quick Configuration>Firewall Filters.

Select one of the following options on the Firewall Filters Quick Configuration page:

To edit IPv4 firewall filters and terms, select Edit IPv4 Firewall Filters.

Note: If you have existing IPv4 firewall configurations in both edit firewall filter and edit firewall family inet filter hierarchies, merge the two to one location. The J-Web firewall filter Quick Configuration feature supports configuration in one location only.

To edit IPv6 firewall filters and terms, select Edit IPv6 Firewall Filters.

Enter information into the Firewall Filters Quick Configuration pages, as described in Table 99.
Click one of the following buttons on the Firewall Filters Quick Configuration main page:
- To apply the configuration and stay in the current Firewall Filters Quick Configuration page, click Apply.
- To apply the configuration and return to the previous Quick Configuration page, click OK.
- To cancel your entries and return to the previous Quick Configuration page, click Cancel.
Go on to one of the following procedures:
- If the stateless firewall filter is not already assigned to an interface, see Assigning IPv4 and IPv6 Firewall Filters to Interfaces.
- To display the configuration, see Displaying Stateless Firewall Filter Configurations.
- To verify a stateless firewall filter, see Verifying Stateless Firewall Filter Configuration.

Table 99: Firewall Filters Quick Configuration Pages Summary

Field	Function	Your Action
IPv4 Filter Summary
Action column	Displays up and down arrows and a X, allowing you to delete or change the order of a filter or term. The order of an item is important because it determines the order in which corresponding actions are carried out.	To move an item upward, locate the item and click the up arrow from the same row. To move an item downward, locate the item and click the down arrow from the same row. To delete an item, locate the item and click the X from the same row.
Filter Name	Displays the name of the filter and when expanded, lists the terms attached to the filter. Displays the match conditions and actions that are set for each term. Allows you to add more terms to a filter or modify filter terms.	To display the terms added to a filter, click the plus sign next to the filter name. This also displays the match conditions and actions set for the term. To edit a filter, click the filter name. To edit a term, click the name of the term.
Search
Filter Name	Searches for existing filters by filter name.	To find a specific filter, type the name of the filter in the Filter Name box. To list all filters with a common prefix or suffix, use the wildcard character () when typing the name of the filter. For example, te lists all filters with a name starting with the characters te.
Term Name	Searches for existing terms by term name.	To find a specific term, type the name of the term in the Term Name box. To list all terms with a common prefix or suffix, use the wildcard character () when typing the name of the term. For example, ra lists all terms with a name starting with the characters ra.
Number of Items to Display	Specifies the number of filters or terms to display on one page.	To select the number of items to be displayed on one page, select a number from the list.
Add New IPv4 (or IPv6) Filter
Name	Specifies the name for a new filter.	To name a filter, type a string of meaningful characters or integers that allow you to uniquely identify the filter.
Location	Positions the new filter in one of the following locations: After Final IPv4 Filter—At the end of all filters. After IPv4 Filter—After a specified filter. Before IPv4 Filter—Before a specified filter.	To position the new filter: At the end of all filters, select After Final IPv4 Filter. After a specific filter, select After IPv4 Filter then select a name from the filter name list. Before a specific filter, select Before IPv4 Filter then select a name from the filter name list.
Add	Adds a new filter name. Opens the term summary page for this filter allowing you to add new terms to this filter.	To create a new filter and open the term summary page for this filter, click Add.
Add New IPv4 (or IPv6) Term
Name	Defines a term for a specific filter.	To name a term, type a string of meaningful characters or integers that allow you to uniquely identify the term.
Location	Positions the new term in one of the following locations: After Final IPv4 Term—At the end of all terms. After IPv4 Term—After a specified term. Before IPv4 Term—Before a specified term.	To position the new term: At the end of all terms, select After Final IPv4 Term. After a specific term, select After IPv4 Term then select a name from the term name list. Before a specific term, select Before IPv4 Term then select a name from the term name list.
Add	Adds a term name for the specific filter. Opens the Filter Term page allowing you to define the match conditions and the action for this term.	To add a term name and open the Filter Term page, click Add.
Match Source
Source Address	Specifies IP source addresses to be included in, or excluded from, the match condition. Allows you to remove source IP addresses from the match condition. If you have more than 25 addresses, this field displays a link that allows you to easily scroll through pages, change the order of addresses, and also search for them.	To specify an IP source address, type an IP address and prefix length. To include the address in the match condition, click Add. To exclude the address from the match condition, select Except then click Add. To remove an IP source address from the match condition, select it and click Delete.
Source Prefix List	Specifies source prefix lists that you have already defined, to be included in the match condition. Allows you to remove a prefix list from the match condition. For information about defining prefix lists, see the JUNOS Policy Framework Configuration Guide.	To include a predefined source prefix list in the match condition, type the prefix list name and click Add. To remove a prefix list from the match condition, select it and click Delete.
Source Port	Specifies the source port type to be included in, or excluded from, the match condition. Allows you to remove a source port type from the match condition. Note: This match condition does not check the protocol type being used on the port. Make sure to specify the protocol type (TCP or UDP) match condition in the same term.	To specify a known source port type, select the port from the port name list. To specify source port types that do not exist in the port name list, type the port name, number, or range. To include the port in the match condition, click Add. To exclude the port from the match condition, select Except then click Add. To remove a port type from the match condition, select it and click Delete.
Match Destination
Destination Address	Specifies destination addresses to be included in, or excluded from, the match condition. Allows you to remove a destination IP address from the match condition. If you have more than 25 addresses, this field displays a link that allows you to easily scroll through pages, change the order of addresses, and also search for them.	To specify a destination IP address, type an IP address and prefix length. To include the address in the match condition, click Add. To exclude the address from the match condition, select Except then click Add. To remove an IP address from the match condition, select it and click Delete.
Destination Prefix List	Specifies destination prefix lists that you have already defined, to be included in the match condition. Allows you to remove a prefix list from the match condition. For information about defining prefix lists, see the JUNOS Policy Framework Configuration Guide.	To include a predefined destination prefix list, type the prefix list name and click Add. To remove a prefix list from the match condition, select it and click Delete.
Destination Port	Specifies destination port types to be included in, or excluded from, the match condition. Allows you to remove a destination port type from the match condition. Note: This match condition does not check the protocol type being used on the port. Make sure to specify the protocol type (TCP or UDP) match condition in the same term.	To specify a known destination port type, select the port from the port name list. To specify source port types that do not exist in the port name list, type the port name, number, or range. To include the port in the match condition, click Add. To exclude the port from the match condition, select Except then click Add. To remove a destination port type from the match condition, select it and click Delete.
Match Source or Destination
Address	Specifies IP addresses to be included in, or excluded from, the match condition for a source or destination. Allows you to remove an IP address from the match condition. If you have more than 25 addresses, this field displays a link that allows you to easily scroll through pages, change the order of addresses and also search for them. Note: This address match condition cannot be specified in conjunction with the source address or destination address match conditions in the same term.	To specify a source or destination IP address, type the IP address and prefix length. To include the address in the match condition, click Add. To exclude the address from the match condition, select Except then click Add. To remove an IP address from the match condition, select it and click Delete.
Prefix List	Specifies prefix lists that you have already defined, to be included in the match condition for a source or destination. Allows you to remove a prefix list from the match condition. For information about defining prefix lists, see the JUNOS Policy Framework Configuration Guide. Note: This prefix list match condition cannot be specified in conjunction with the source prefix list or destination prefix list match conditions in the same term.	To include a predefined prefix list in the match condition, type the prefix list name and click Add. To remove a prefix list from the match condition, select it and click Delete.
Port	Specifies a port type to be included in, or excluded from, a match condition for a source or destination. Allows you to remove a port from the match condition. Note: This match condition does not check the protocol type being used on the port. Make sure to specify the protocol type (TCP or UDP) match condition in the same term. Also, this port match condition cannot be specified in conjunction with the source port or destination port match conditions in the same term.	To specify a known port type in the match condition, select the port from the port name list. To specify port types not included in the port name list, type the port name, number, or range. To include the port in the match condition, click Add. To exclude the port from the match condition, select Except then click Add. To remove a port from the match condition, select it and click Delete.
Match Interface
Interface (See the interface naming conventions in the J-series Services Router Basic LAN and WAN Access Configuration Guide.)	Specifies interfaces to be included in a match condition. Allows you to remove an interface from the match condition.	To include an interface in a match condition, either select a name from the interface name list or type the interface name and click Add. To remove an interface from the match condition, select it and click Delete.
Interface Set	Specifies interface sets that you have already defined, to be included in a match condition. Allows you to remove an interface set from the match condition. For information about defining interface sets, see the JUNOS Policy Framework Configuration Guide.	To include a predefined interface set in a match condition, type the interface set name and click Add. To remove an interface set from the match condition, select it and click Delete.
Interface Group	Specifies interface groups, that you have already defined, to be included in, or excluded from, a match condition. Allows you to remove an interface group from the match condition. For information about defining interface groups, see the JUNOS Policy Framework Configuration Guide.	To specify a predefined interface group, type the name of the group. To include the group in the match condition, click Add. To exclude the group from the match condition, select Except then click Add. To remove an interface group from the match condition, select it and click Delete.
Match Packet and Network
First Fragment (IPv4 only)	Matches the first fragment of a fragmented packet.	To match the first fragment, select the check box.
Is Fragment (IPv4 only)	Matches trailing fragments (all but the first fragment) of a fragmented packet.	To match trailing fragments, select the check box.
Fragment Flags (IPv4 only)	Specifies fragmentation flags to be included in the match condition.	To specify fragmentation flags, type a text or numeric string defining the flag—for example, more-fragments or 0x2000.
TCP Established	Matches all TCP packets other than the first packet of a connection. Note: This match condition does not verify that the TCP protocol is used on the port. Make sure to specify the TCP protocol as a match condition in the same term.	To match all TCP packets except the first of a connection, select the check box.
TCP Initial	Matches the first TCP packet of a connection. Note: This match condition does not verify that the TCP protocol is used on the port. Make sure to specify the TCP protocol as a match condition in the same term.	To match the first TCP packet of a connection, select the check box.
TCP Flags	Specifies TCP flags to be included in the match condition. Note: This match condition does not verify that the TCP protocol is used on the port. Make sure to specify the TCP protocol as a match condition in the same term.	To specify a TCP flag, type a text or numeric string defining the flag—for example, syn or 0x02.
Protocol (IPv4 only)	Specifies IPv4 protocol types to be included in, or excluded from, the match condition. Allows you to remove an IPv4 protocol type from the match condition.	To specify an IPv4 protocol type, select a protocol name from the list or type a protocol name or number—for example, ospf or 89. To include the protocol in the match condition, click Add. To exclude the protocol from the match condition, select Except then click Add. To remove an IPv4 protocol type from the match condition, select it and click Delete.
Next Header (IPv6 only)	Specifies IPv6 protocol types to be included in, or excluded from, the match condition. Allows you to remove an IPv6 protocol type from the match condition.	To specify an IPv6 protocol type, select a protocol name from the list or type the protocol name or number—for example, igmp or 2. To include the protocol in the match condition, click Add. To exclude the protocol from the match condition, select Except then click Add. To remove an IPv6 protocol type from the match condition, select it and click Delete.
ICMP Type	Specifies ICMP packet types to be included in, or excluded from, the match condition. Allows you to remove an ICMP packet type from the match condition. Note: This protocol does not verify that ICMP is used on the port. Make sure to specify an ICMP type match condition in the same term.	To specify an ICMP packet type, select a packet type from the list or type a packet type name or number—for example, time-exceeded or 11. To include the packet type in the match condition, click Add. To exclude the packet type from the match condition, select Except then click Add. To remove an ICMP packet type from the match condtition, select it and click Delete.
ICMP Code	Specifies the ICMP code to be included in, or excluded from, the match condition. Allows you to remove an ICMP code from the match condition. Note: The ICMP code is dependent on the ICMP type. Make sure to specify an ICMP type match condition in the same term.	To specify an ICMP code, select a packet code from the list or type the packet code as text or a number—for example, ip-header-bad or 0. To include the ICMP code in the match condition, click Add. To exclude the ICMP code from the match condition, select Except then click Add. To remove an ICMP code from the match condition, select it and click Delete.
Traffic Class (IPv6 only)	Specifies Differentiated Services code points (DSCPs) to be included in, or excluded from, the match condition. Allows you to remove a DSCP value from the match condition. For information about DSCPs, see the J-series Services Router Basic LAN and WAN Access Configuration Guide.	To specify a DSCP, select it from the list or type the DSCP value as a keyword, decimal, or binary string—for example, af11 or 10. To include the DSCP in the match condition, click Add. To exclude the DSCP from the match condition, select Except then click Add. To remove a DSCP from the match condition, select it and click Delete.
Fragment Offset (IPv4 only)	Specifies the fragment offset value to be included in, or excluded from, the match condition. The fragment offset value specifies the location of the fragment in the packet. For example, fragment offset zero specifies the first fragment. Allows you to remove a fragment offset value from the match condition.	To specify a fragment offset value, type the fragment offset number or range. To include the offset in the match condition, click Add. To exclude the offset from the match condition, select Except then click Add. To remove a fragment offset value from the match condition, select it and click Delete.
Precedence (IPv4 only)	Specifies IP precedences to be included in, or excluded from, the match condition. Allows you to remove an IP precedence entry from the match condition.	To specify an IP precedence, select it from the list or type the precedence as a keyword, decimal integer between 0 and 7, or binary string. To include the precedence in the match condition, click Add. To exclude the precedence from the match condition, select Except then click Add. To remove an IP precedence from the match condition, select it and click Delete.
DSCP (IPv4 only)	Specifies Differentiated Services code points (DSCPs) to be included in, or excluded from, the match condition Allows you to remove a DSCP entry from the match condition.	To specify a DSCP, select it from the list or type the DSCP value as a keyword, decimal, or binary string—for example, af11 or 10. To include the DSCP in the match condition, click Add. To exclude the DSCP from the match condition, select Except then click Add. To remove a DSCP, select it and click Delete.
TTL (IPv4 only)	Specifies the IPv4 time-to-live (TTL) value to be included in, or excluded from, the match condition. Allows you to remove an IPv4 TTL value from the match condition.	To specify an IPv4 TTL value, type a number between 1 and 255. To include the TTL in the match condition, click Add. To exclude the TTL from the match condition, select Except then click Add. To remove an IPv4 TTL type from the match condition, select it and click Delete.
Packet Length	Specifies the length of received packets, in bytes, to be included in, or excluded from, the match condition. Allows you to remove a packet length value from the match condition.	To specify a packet length, type a value or range. To include the packet length in the match condition, click Add. To exclude the packet length from the match condition, select Except then click Add. To remove a packet length value from the match condition, select it and click Delete.
Forwarding Class	Specifies forwarding classes to be included in, or excluded from, the match condition. Allows you to a remove forwarding class entry from the match condition. For information about forwarding classes, see the J-series Services Router Basic LAN and WAN Access Configuration Guide.	To specify a forwarding class, select it from the list or type it. To include the forwarding class in the match condition, click Add. To exclude the forwarding class from the match condition, select Except then click Add. To remove a forwarding class from the match condition, select it and click Delete.
IP Options (IPv4 only)	Specifies IP options to be included in, or excluded from, the match condition. Allows you to remove an IP option from the match condition.	To specify an IP option, select it from the list or type a text or numeric string identifying the option. To include the IP option in the match condition, click Add. To exclude the IP option from the match condition, select Except then click Add. To remove an IP option from the match condition, select it and click Delete.
IPSec ESP SPI (IPv4 only)	Specifies IPSec Encapsulating Security Payload (ESP) security parameter index (SPI) values to be included in, or excluded from, the match condition. Allows you to remove an ESP SPI value from the match condition.	To specify an ESP SPI value, type a binary, hexadecimal, or decimal SPI value or range. To include the value in the match condition, click Add. To exclude the value from the match condition, select Except then click Add. To remove an ESP SPI value from the match condition, select it and click Delete.
Action
Nothing	No action is performed. By default, a packet is accepted if it meets the match conditions of the term, and packets that do not match any conditions in the firewall filter are dropped.	To specify no action (or the default action), select Nothing.
Accept	Accepts a packet that meets the match conditions of the term.	To accept the packet, select Accept.
Discard	Discards a packet that meets the match conditions of the term. Names a discard collector for packets (IPv4 only).	To discard a packet, select Discard. To name a discard collector, type a filename in the Accounting box (IPv4 only).
Reject	Rejects a packet that meets the match conditions of the term and returns a rejection message. Allows you to specify a message type that denotes the reason the packet was rejected. Note: To log and sample rejected packets, specify Log and Sample action modifiers in conjunction with this action.	To reject a packet, select Reject. To specify a message type, select the message from the Reason list.
Next Term	Evaluates a packet with the next term in the filter if the packet meets the match conditions in this term. This action makes sure that the next term is used for evaluation even when the packet matches the conditions of a term. When this action is not specified, the filter stops evaluating the packet after it matches the conditions of a term, and takes the associated action.	To continue to the next term, select Next Term.
Routing Instance	Accepts a packet that meets the match conditions, and forwards it to the specified routing instance.	To specify a routing instance, select Routing Instance and type the routing instance name in the box next to Routing Instance.
Load Balance	Specifies a load-balance group that you have already defined, to be used by packets that meet the match conditions. A load-balance group contains interfaces that use the same next-hop group to balance the traffic load. For information about configuring a load-balance group, see the JUNOS Policy Framework Configuration Guide	To specify a load-balance group, select Load Balance and type the group name in the box next to it.
Action Modifiers
Forwarding Class	Classifies the packet as a specific forwarding class. For information about forwarding classes, see the J-series Services Router Basic LAN and WAN Access Configuration Guide.	To specify a forwarding class, select it from the list.
Count	Counts the packets passing this term. Allows you to name a counter, which is specific to this filter. This means that every time a packet transits any interface that uses this filter, it increments the specified counter.	To count packets passing this term, select Count. To specify a counter name, type a 24–character string containing letters, numbers, or hyphens.
Virtual Channel (IPv4 only)	Specifies the virtual channel to be set on a particular logical interface.	To specify the virtual channel, type a string identifying the virtual channel.
Log	Logs the packet header information in the Routing Engine.	To log packet header information, select Log.
Syslog	Records packet information in the system log.	To record information in the system log, select Syslog.
Sample (IPv4 only)	Samples traffic on the interface. Note: You must enable traffic sampling for this action to work. For more information about traffic sampling and forwarding, see the JUNOS Policy Framework Configuration Guide.	To sample traffic on an interface, select Sample.
Loss Priority	Sets the loss priority of the packet. This is the priority of dropping a packet before it is sent, and it affects the scheduling priority of the packet. For more information, see the JUNOS Class of Service Configuration Guide.	To set the loss priority of the packet, select a loss priority from the list.

[ Contents] [ Prev] [ Next] [ Index] [ Report an Error]