Firewall filters allow you to filter packets based on their contents and to perform an action on packets that match the filter.
Depending on the hardware configuration of the router, you can use firewall filters for the following purposes:
You can use the filters to restrict the packets that pass from the router's physical interfaces to the Routing Engine. Such filters are useful in protecting the IP services that run on the Routing Engine, such as Telnet, SSH, and BGP, from denial-of-service attacks. You can define input filters, which affect only inbound traffic destined for the Routing Engine, and output filters, which affect only outbound traffic sent from the Routing Engine.
With the Internet Processor II ASIC, you can also use filters on traffic passing through the router to provide protocol-based firewalls, to thwart denial of service (DoS) attacks, to prevent spoofing of source addresses, to create access control lists, and to implement rate-limiting (policing). (To determine whether a router has an Internet Processor or an Internet Processor II ASIC, use the
You can apply firewall filters to input traffic or to traffic leaving the router on one, more than one, or all interfaces. You can apply the same filter to multiple interfaces.
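As an added example (not part of the original documentation), the following set-style configuration sketches a Routing Engine input filter of the kind described above. It is applied to the loopback interface lo0, which is where Junos attaches filters for traffic destined for the Routing Engine. The filter, term, policer and counter names and the addresses are constructed placeholders, and the example assumes a release that accepts the family inet filter hierarchy.

```junos
# Constructed example: names and prefixes are placeholders, not values from this page.
# 192.0.2.0/24 = management hosts, 198.51.100.1 = BGP peer (documentation addresses).

# Policer used to rate-limit ICMP sent to the Routing Engine
set firewall policer icmp-1m if-exceeding bandwidth-limit 1m
set firewall policer icmp-1m if-exceeding burst-size-limit 15k
set firewall policer icmp-1m then discard

# SSH only from the management prefix
set firewall family inet filter protect-re term ssh from source-address 192.0.2.0/24
set firewall family inet filter protect-re term ssh from protocol tcp
set firewall family inet filter protect-re term ssh from destination-port ssh
set firewall family inet filter protect-re term ssh then accept

# BGP only from the configured peer ("port" matches source or destination port,
# because either side may open the session)
set firewall family inet filter protect-re term bgp from source-address 198.51.100.1/32
set firewall family inet filter protect-re term bgp from protocol tcp
set firewall family inet filter protect-re term bgp from port bgp
set firewall family inet filter protect-re term bgp then accept

# ICMP accepted, but policed
set firewall family inet filter protect-re term icmp from protocol icmp
set firewall family inet filter protect-re term icmp then policer icmp-1m
set firewall family inet filter protect-re term icmp then accept

# Everything else (Telnet included) is counted and dropped
set firewall family inet filter protect-re term default-deny then count re-dropped
set firewall family inet filter protect-re term default-deny then discard

# Input filter on lo0 affects only inbound traffic destined for the Routing Engine
set interfaces lo0 unit 0 family inet filter input protect-re
```

Every service the Routing Engine needs (other routing protocols, NTP, SNMP and so on) must be matched by an accepting term before the final discard, or it stops working once the filter is applied. Committing with commit confirmed gives an automatic rollback if the filter cuts off management access.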