[Contents] [Prev] [Next] [Index] [Report an Error]

Specifying Numeric Range Filter Match Conditions

Numeric range filter conditions match packet fields that can be identified by a numeric value, such as port and protocol numbers. For numeric range filter match conditions, you specify a keyword that identifies the condition and a single value or a range of values that a field in a packet must match. Table 27 describes the numeric range filter match conditions for IPv4 addresses, and Table 28 describes them for IPv6 addresses.

You can specify the numeric range value in one of the following ways:

Single number. A match occurs if the value of the field matches the number. For example:

source-port 25;

Range of numbers. A match occurs if the value of the field falls within the specified range. The following example matches source ports 1024 through 65,535, inclusive:

source-port 1024-65535;

Text synonym for a single number. A match occurs if the value of the field matches the number that corresponds to the synonym. For example:

source-port smtp;

To specify multiple values in a single match condition, group the values within square brackets following the keyword. For example:

source-port [smtp ftp-data 25 1024-65535];

To exclude a numeric value, append the string -except to the match keyword. For example, the following condition would match only if the source port is not 25:

source-port-except 25;

The following condition would match only if the port number is not one of those in the list:

source-port-except [smtp ftp-data 666 1024-65535];




   
NOTE: To match only on a source address, destination address, source port or destination port, include the appropriate matching condition (source-address, destination-address, source-port, or destination-port, respectively) at the [edit firewall filter filter-name term term-name from] hierarchy level instead of using the port or address matching condition at the same hierarchy level.




 Table 27:  Numeric Range IPv4 Firewall Filter Match Conditions 

 Match Condition 
 Description

 keyword-except 

 Negate a match. For example, destination-port-except number. 


 ah-spi spi-value

 IPSec authentication header (AH) security parameter index (SPI) value. Match on this specific SPI value.


 ah-spi-except spi-value

 IPSec AH SPI value. Do not match on this specific SPI value.


 destination-port number 

 TCP or User Datagram Protocol (UDP) destination port field. You cannot specify both the port and destination-port match conditions in the same term. 
 Normally, you specify this match in conjunction with the protocol match statement to determine which protocol is being used on the port. For more information, see How Firewall Filters Test a Packet's Protocol.
 In place of the numeric value, you can specify one of the following text synonyms (the port numbers are also listed): afs (1483), bgp (179), biff (512), bootpc (68), bootps (67), cmd (514), cvspserver (2401), dhcp (67), domain (53), eklogin (2105), ekshell (2106), exec (512), finger (79), ftp (21), ftp-data (20), http (80), https (443), ident (113), imap (143), kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544), ldap (389), login (513), mobileip-agent (434), mobilip-mn (435), msdp (639), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123), pop3 (110), pptp (1723), printer (515), radacct (1813), radius (1812), rip (520), rkinit (2108), smtp (25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525), who (513), xdmcp (177), zephyr-clt (2103), or zephyr-hm (2104). 


 destination-mac-
address address 

 Destination media access control (MAC) address of a VPLS packet.


 dscp number

 Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most significant six bits of this byte form the DSCP. For more information, see the JUNOS Class of Service Configuration Guide.
 You can specify DSCP in either hexadecimal, binary, or decimal form.
 In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):

   RFC 2598, An Expedited Forwarding, PHB defines one code point: ef (46).
   RFC 2597, Assured Forwarding PHB, defines 4 classes, with 3 drop precedences in each class, for a total of 12 code points:

 af11 (10), af12 (12), af13 (14), 
af21 (18), af22 (20), af23 (22), 
af31 (26), af32 (28), af33 (30), 
af41 (34), af42 (36), af43 (38)


 ether-type value 

 Match on Ethernet type field of a VPLS packet.


 ether-type-except value 

 Do not match on Ethernet type field of a VPLS packet.


 esp-spi spi-value

 IPSec encapsulating security payload (ESP) SPI value. Match on this specific SPI value.You can specify the ESP SPI value in either hexadecimal, binary, or decimal form.


 esp-spi-except spi-value

 IPSec ESP SPI value. Do not match on this specific SPI value.


 forwarding-class class

 Match on forwarding class. Specify assured-forwarding, best-effort, expedited-forwarding, or network-control.


 forwarding-class-except class

 Do not match on forwarding class. Specify assured-forwarding, best-effort, expedited-forwarding, or network-control.


 fragment-offset number 

 Fragment offset field.


 icmp-code number

 ICMP code field. This value or keyword provides more specific information than icmp-type. Because the value's meaning depends upon the associated icmp-type, you must specify icmp-type along with icmp-code. For more information, see How Firewall Filters Test a Packet's Protocol. 
 In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed). The keywords are grouped by the ICMP type with which they are associated:

   parameter-problem: ip-header-bad (0), required-option-missing (1)
   redirect: redirect-for-host (1), redirect-for-network (0), redirect-for-tos-and-host (3), redirect-for-tos-and-net (2)
   time-exceeded: ttl-eq-zero-during-reassembly (1), ttl-eq-zero-during-transit (0)
   unreachable: communication-prohibited-by-filtering (13), destination-host-prohibited (10), destination-host-unknown (7), destination-network-prohibited (9), destination-network-unknown (6), fragmentation-needed (4), host-precedence-violation (14), host-unreachable (1), host-unreachable-for-TOS (12), network-unreachable (0), network-unreachable-for-TOS (11), port-unreachable (3), precedence-cutoff-in-effect (15), protocol-unreachable (2), source-host-isolated (8), source-route-failed (5)



 icmp-type number 

 ICMP packet type field. Normally, you specify this match in conjunction with the protocol match statement to determine which protocol is being used on the port. For more information, see How Firewall Filters Test a Packet's Protocol. 
 In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): echo-reply (0), echo-request (8), info-reply (16), info-request (15), mask-request (17), mask-reply (18), parameter-problem (12), redirect (5), router-advertisement (9), router-solicit (10), source-quench (4), time-exceeded (11), timestamp (13), timestamp-reply (14), or unreachable (3). 


 interface interface-name

 Interface on which the packet was received. You can configure a match condition that matches packets based on the interface on which they were received.


 interface-group group-number 

 Interface group on which the packet was received. An interface group is a set of one or more logical interfaces. For information about configuration interface groups, see Applying Firewall Filters to Interfaces.


 packet-length bytes 

 Length of the received packet, in bytes. The length refers only to the IP packet, including the packet header, and does not include any Layer 2 encapsulation overhead.


 port number 

 TCP or UDP source or destination port field. You cannot specify both the port match and either the destination-port or source-port match conditions in the same term.
 Normally, you specify this match in conjunction with the protocol match statement to determine which protocol is being used on the port. For more information, see How Firewall Filters Test a Packet's Protocol.
 In place of the numeric value, you can specify one of the text synonyms listed under destination-port. 


 precedence ip-precedence-field 

 IP precedence field. In place of the numeric field value, you can specify one of the following text synonyms (the field values are also listed): critical-ecp (0xa0), flash (0x60), flash-override (0x80), immediate (0x40), internet-control (0xc0), net-control (0xe0), priority (0x20), or routine (0x00). You can specify precedence in either hexadecimal, binary, or decimal form.


 protocol number 

 IP protocol field. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): ah, egp (8), esp (50), gre (47), icmp (1), igmp (2), ipip (4), ipv6 (41), ospf (89), pim (103), rsvp (46), tcp (6), or udp (17).


 source-mac-address address 

 Source MAC address of a VPLS packet.


 source-port number 

 TCP or UDP source port field. You cannot specify the port and source-port match conditions in the same term. 
 Normally, you specify this match in conjunction with the protocol match statement to determine which protocol is being used on the port. For more information, see How Firewall Filters Test a Packet's Protocol.
 In place of the numeric field, you can specify one of the text synonyms listed under destination-port. 
 

 



 vlan-ether-type value 

 Match on virtual local area network (VLAN) Ethernet type field of a VPLS packet.


 vlan-ether-type-except value 

 Do not match on VLAN Ethernet type field of a VPLS packet.



 



 Table 28:  Numeric Range IPv6 Firewall Filter Match Conditions 

 Match Condition
 Description 

 address address

 A 128-bit address that supports the standard syntax for IPv6 addresses. For more information, see the JUNOS Routing Protocols Configuration Guide.


 destination-address address

 A 128-bit address that is the final destination node address for the packet. The filter description syntax supports the text representations for IPv6 addresses as described in RFC 2373, IP Version 6 Addressing Architecture. For more information about IPv6 address syntax, see the JUNOS Routing Protocols Configuration Guide.


 destination-port number 

 TCP or UDP destination port field. You cannot specify both the port and destination-port match conditions in the same term. 
 Normally, you specify this match in conjunction with the protocol match statement to determine which protocol is being used on the port. For more information, see How Firewall Filters Test a Packet's Protocol.
 In place of the numeric value, you can specify one of the following text synonyms (the port numbers are also listed): afs (1483), bgp (179), biff (512), bootpc (68), bootps (67), cmd (514), cvspserver (2401), dhcp (67), domain (53), eklogin (2105), ekshell (2106), exec (512), finger (79), ftp (21), ftp-data (20), http (80), https (443), ident (113), imap (143), kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544), ldap (389), login (513), mobileip-agent (434), mobilip-mn (435), msdp (639), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123), pop3 (110), pptp (1723), printer (515), radacct (1813), radius (1812), rip (520), rkinit (2108), smtp (25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525), who (513), xdmcp (177), zephyr-clt (2103), or zephyr-hm (2104). 


 icmp-code number

 ICMP code field. This value or keyword provides more specific information than icmp-type. Because the value's meaning depends upon the associated icmp-type, you must specify icmp-type along with icmp-code. For more information, see How Firewall Filters Test a Packet's Protocol. 
 In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed). The keywords are grouped by the ICMP type with which they are associated:

   parameter-problem: ip-header-bad (0), required-option-missing (1)
   redirect: redirect-for-host (1), redirect-for-network (0), redirect-for-tos-and-host (3), redirect-for-tos-and-net (2)
   time-exceeded: ttl-eq-zero-during-reassembly (1), ttl-eq-zero-during-transit (0)
   unreachable: communication-prohibited-by-filtering (13), destination-host-prohibited (10), destination-host-unknown (7), destination-network-prohibited (9), destination-network-unknown (6), fragmentation-needed (4), host-precedence-violation (14), host-unreachable (1), host-unreachable-for-TOS (12), network-unreachable (0), network-unreachable-for-TOS (11), port-unreachable (3), precedence-cutoff-in-effect (15), protocol-unreachable (2), source-host-isolated (8), source-route-failed (5)



 icmp-type number 

 ICMP packet type field. Normally, you specify this match in conjunction with the protocol match statement to determine which protocol is being used on the port. For more information, see How Firewall Filters Test a Packet's Protocol. 
 In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): echo-reply (0), echo-request (8), info-reply (16), info-request (15), mask-request (17), mask-reply (18), parameter-problem (12), redirect (5), router-advertisement (9), router-solicit (10), source-quench (4), time-exceeded (11), timestamp (13), timestamp-reply (14), or unreachable (3). 


 interface-group group-number 

 Interface group on which the packet was received. An interface group is a set of one or more logical interfaces. For information about configuration interface groups, see Applying Firewall Filters to Interfaces.


 next-header bytes

 An 8-bit IP protocol field that identifies the type of header immediately following the IPv6 header. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): egp (8), esp (50), gre (47), icmp (1), icmpv6 (1), igmp (2), ipip (4), ipv6 (41), ospf (89), pim (103), rsvp (46), tcp (6), or udp (17).


 packet-length bytes 

 Length of the received packet, in bytes. The length refers only to the IP packet, including the packet header, and does not include any Layer 2 encapsulation overhead.


 port number 

 TCP or UDP source or destination port field. You cannot specify both the port match and either the destination-port or source-port match conditions in the same term.
 Typically, you specify this match in conjunction with the protocol match statement to determine which protocol is being used on the port. For more information, see How Firewall Filters Test a Packet's Protocol.
 In place of the numeric value, you can specify one of the text synonyms listed under destination-port. 


 source-address address

 Address of the source node sending the packet; 128 bits in length. The filter description syntax supports the text representations for IPv6 addresses as described in RFC 2373. For more information about IPv6 address syntax, see the JUNOS Routing Protocols Configuration Guide.


 source-port number 

 TCP or UDP source port field. You cannot specify the port and source-port match conditions in the same term. 
 Normally, you specify this match in conjunction with the protocol match statement to determine which protocol is being used on the port. For more information, see How Firewall Filters Test a Packet's Protocol.
 In place of the numeric field, you can specify one of the text synonyms listed under destination-port. 


 traffic-class number

 An eight-bit field that specifies the class-of-service (CoS) priority of the packet. The traffic-class field is used to specify a DiffServ code point (DSCP) value. The numerical value cannot be greater than 0x3f.
 This field was previously used as the ToS field in IPv4. However, the semantics of this field (for example, DSCP) are identical to IPv4.


 tcp-flags flags

 One or more of the following TCP flags:

   bit-name: fin, syn, rst, push, ack, urgent
   numerical value: 0x01 through 0x20
   text synonym: tcp-established, tcp-initial

 You can string multiple flags using logical operators. 
 Configuring the tcp-flags match condition requires you to configure the next-header tcp match condition.


 ttl type

 IPv4 TTL type to match. Specify a TTL value between 1 and 255. This match condition is supported only on M320 and T-series routing platforms.


 ttl-except type

 IPv4 TTL type to avoid matching. Specify a TTL value between 1 and 255. This match condition is supported only on M320 and T-series routing platforms.

Match Condition	Description
`keyword`-`except`	Negate a match. For example, `destination-port-except` `number`.
`ah-spi` `spi-value`	IPSec authentication header (AH) security parameter index (SPI) value. Match on this specific SPI value.
`ah-spi-except` `spi-value`	IPSec AH SPI value. Do not match on this specific SPI value.
`destination-port` `number`	TCP or User Datagram Protocol (UDP) destination port field. You cannot specify both the `port` and `destination-port` match conditions in the same term. Normally, you specify this match in conjunction with the `protocol` match statement to determine which protocol is being used on the port. For more information, see How Firewall Filters Test a Packet's Protocol. In place of the numeric value, you can specify one of the following text synonyms (the port numbers are also listed): `afs` (1483), `bgp` (179), `biff` (512), `bootpc` (68), `bootps` (67), `cmd` (514), `cvspserver` (2401), `dhcp` (67), `domain` (53), `eklogin` (2105), `ekshell` (2106), `exec` (512), `finger` (79), `ftp` (21), `ftp-data` (20), `http` (80), `https` (443), `ident` (113), `imap` (143), `kerberos-sec` (88), `klogin` (543), `kpasswd` (761), `krb-prop` (754), `krbupdate` (760), `kshell` (544), `ldap` (389), `login` (513), `mobileip-agent` (434), `mobilip-mn` (435), `msdp` (639), `netbios-dgm` (138), `netbios-ns` (137), `netbios-ssn` (139), `nfsd` (2049), `nntp` (119), `ntalk` (518), `ntp` (123), `pop3` (110), `pptp` (1723), `printer` (515), `radacct` (1813), `radius` (1812), `rip` (520), `rkinit` (2108), `smtp` (25), `snmp` (161), `snmptrap` (162), `snpp` (444), `socks` (1080), `ssh` (22), `sunrpc` (111), `syslog` (514), `tacacs-ds` (65), `talk` (517), `telnet` (23), `tftp` (69), `timed` (525), `who` (513), `xdmcp` (177), `zephyr-clt` (2103), or `zephyr-hm` (2104).
`destination-mac- address` `address`	Destination media access control (MAC) address of a VPLS packet.
`dscp` `number`	Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most significant six bits of this byte form the DSCP. For more information, see the JUNOS Class of Service Configuration Guide. You can specify DSCP in either hexadecimal, binary, or decimal form. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): RFC 2598, An Expedited Forwarding, PHB defines one code point: `ef` (46). RFC 2597, Assured Forwarding PHB, defines 4 classes, with 3 drop precedences in each class, for a total of 12 code points: `af11` (10), `af12` (12), `af13` (14), `af21` (18), `af22` (20), `af23` (22), `af31` (26), `af32` (28), `af33` (30), `af41` (34), `af42` (36), `af43` (38)
`ether-type` `value`	Match on Ethernet type field of a VPLS packet.
`ether-type-except` `value`	Do not match on Ethernet type field of a VPLS packet.
`esp-spi` `spi-value`	IPSec encapsulating security payload (ESP) SPI value. Match on this specific SPI value.You can specify the ESP SPI value in either hexadecimal, binary, or decimal form.
`esp-spi-except` `spi-value`	IPSec ESP SPI value. Do not match on this specific SPI value.
`forwarding-class` `class`	Match on forwarding class. Specify `assured-forwarding`, `best-effort`, `expedited-forwarding`, or `network-control`.
`forwarding-class-except` `class`	Do not match on forwarding class. Specify `assured-forwarding`, `best-effort`, `expedited-forwarding`, or `network-control`.
`fragment-offset` `number`	Fragment offset field.
`icmp-code` `number`	ICMP code field. This value or keyword provides more specific information than `icmp-type`. Because the value's meaning depends upon the associated `icmp-type`, you must specify `icmp-type` along with `icmp-code`. For more information, see How Firewall Filters Test a Packet's Protocol. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed). The keywords are grouped by the ICMP type with which they are associated: parameter-problem: `ip-header-bad` (0), `required-option-missing` (1) redirect: `redirect-for-host` (1), `redirect-for-network` (0), `redirect-for-tos-and-host` (3), `redirect-for-tos-and-net` (2) time-exceeded: `ttl-eq-zero-during-reassembly` (1), `ttl-eq-zero-during-transit` (0) unreachable: `communication-prohibited-by-filtering` (13), `destination-host-prohibited` (10), `destination-host-unknown` (7), `destination-network-prohibited` (9), `destination-network-unknown` (6), `fragmentation-needed` (4), `host-precedence-violation` (14), `host-unreachable` (1), `host-unreachable-for-TOS` (12), `network-unreachable` (0), `network-unreachable-for-TOS` (11), `port-unreachable` (3), `precedence-cutoff-in-effect` (15), `protocol-unreachable` (2), `source-host-isolated` (8), `source-route-failed` (5)
`icmp-type` `number`	ICMP packet type field. Normally, you specify this match in conjunction with the `protocol` match statement to determine which protocol is being used on the port. For more information, see How Firewall Filters Test a Packet's Protocol. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): `echo-reply` (0), `echo-request` (8), `info-reply` (16), `info-request` (15), `mask-request` (17), `mask-reply` (18), `parameter-problem` (12), `redirect` (5), `router-advertisement` (9), `router-solicit` (10), `source-quench` (4), `time-exceeded` (11), `timestamp` (13), `timestamp-reply` (14), or `unreachable` (3).
`interface` `interface-name`	Interface on which the packet was received. You can configure a match condition that matches packets based on the interface on which they were received.
`interface-group` `group-number`	Interface group on which the packet was received. An interface group is a set of one or more logical interfaces. For information about configuration interface groups, see Applying Firewall Filters to Interfaces.
`packet-length` `bytes`	Length of the received packet, in bytes. The length refers only to the IP packet, including the packet header, and does not include any Layer 2 encapsulation overhead.
`port` `number`	TCP or UDP source or destination port field. You cannot specify both the `port` match and either the `destination-port` or `source-port` match conditions in the same term. Normally, you specify this match in conjunction with the `protocol` match statement to determine which protocol is being used on the port. For more information, see How Firewall Filters Test a Packet's Protocol. In place of the numeric value, you can specify one of the text synonyms listed under `destination-port`.
`precedence` `ip-precedence-field`	IP precedence field. In place of the numeric field value, you can specify one of the following text synonyms (the field values are also listed): `critical-ecp` (0xa0), `flash` (0x60), `flash-override` (0x80), `immediate` (0x40), `internet-control` (0xc0), `net-control` (0xe0), `priority` (0x20), or `routine` (0x00). You can specify precedence in either hexadecimal, binary, or decimal form.
`protocol` `number`	IP protocol field. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): `ah, egp` (8), `esp` (50), `gre` (47), `icmp` (1), `igmp` (2), `ipip` (4), `ipv6` (41), `ospf` (89), `pim` (103), `rsvp` (46), `tcp` (6), or `udp` (17`)`.
`source-mac-address` `address`	Source MAC address of a VPLS packet.
`source-port` `number`	TCP or UDP source port field. You cannot specify the `port` and `source-port` match conditions in the same term. Normally, you specify this match in conjunction with the `protocol` match statement to determine which protocol is being used on the port. For more information, see How Firewall Filters Test a Packet's Protocol. In place of the numeric field, you can specify one of the text synonyms listed under `destination-port`.
`vlan-ether-type` `value`	Match on virtual local area network (VLAN) Ethernet type field of a VPLS packet.
`vlan-ether-type-except` `value`	Do not match on VLAN Ethernet type field of a VPLS packet.

Match Condition	Description
`address` `address`	A 128-bit address that supports the standard syntax for IPv6 addresses. For more information, see the JUNOS Routing Protocols Configuration Guide.
`destination-address` `address`	A 128-bit address that is the final destination node address for the packet. The filter description syntax supports the text representations for IPv6 addresses as described in RFC 2373, IP Version 6 Addressing Architecture. For more information about IPv6 address syntax, see the JUNOS Routing Protocols Configuration Guide.
`destination-port` `number`	TCP or UDP destination port field. You cannot specify both the `port` and `destination-port` match conditions in the same term. Normally, you specify this match in conjunction with the `protocol` match statement to determine which protocol is being used on the port. For more information, see How Firewall Filters Test a Packet's Protocol. In place of the numeric value, you can specify one of the following text synonyms (the port numbers are also listed): `afs` (1483), `bgp` (179), `biff` (512), `bootpc` (68), `bootps` (67), `cmd` (514), `cvspserver` (2401), `dhcp` (67), `domain` (53), `eklogin` (2105), `ekshell` (2106), `exec` (512), `finger` (79), `ftp` (21), `ftp-data` (20), `http` (80), `https` (443), `ident` (113), `imap` (143), `kerberos-sec` (88), `klogin` (543), `kpasswd` (761), `krb-prop` (754), `krbupdate` (760), `kshell` (544), `ldap` (389), `login` (513), `mobileip-agent` (434), `mobilip-mn` (435), `msdp` (639), `netbios-dgm` (138), `netbios-ns` (137), `netbios-ssn` (139), `nfsd` (2049), `nntp` (119), `ntalk` (518), `ntp` (123), `pop3` (110), `pptp` (1723), `printer` (515), `radacct` (1813), `radius` (1812), `rip` (520), `rkinit` (2108), `smtp` (25), `snmp` (161), `snmptrap` (162), `snpp` (444), `socks` (1080), `ssh` (22), `sunrpc` (111), `syslog` (514), `tacacs-ds` (65), `talk` (517), `telnet` (23), `tftp` (69), `timed` (525), `who` (513), `xdmcp` (177), `zephyr-clt` (2103), or `zephyr-hm` (2104).
`icmp-code` `number`	ICMP code field. This value or keyword provides more specific information than `icmp-type`. Because the value's meaning depends upon the associated `icmp-type`, you must specify `icmp-type` along with `icmp-code`. For more information, see How Firewall Filters Test a Packet's Protocol. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed). The keywords are grouped by the ICMP type with which they are associated: parameter-problem: `ip-header-bad` (0), `required-option-missing` (1) redirect: `redirect-for-host` (1), `redirect-for-network` (0), `redirect-for-tos-and-host` (3), `redirect-for-tos-and-net` (2) time-exceeded: `ttl-eq-zero-during-reassembly` (1), `ttl-eq-zero-during-transit` (0) unreachable: `communication-prohibited-by-filtering` (13), `destination-host-prohibited` (10), `destination-host-unknown` (7), `destination-network-prohibited` (9), `destination-network-unknown` (6), `fragmentation-needed` (4), `host-precedence-violation` (14), `host-unreachable` (1), `host-unreachable-for-TOS` (12), `network-unreachable` (0), `network-unreachable-for-TOS` (11), `port-unreachable` (3), `precedence-cutoff-in-effect` (15), `protocol-unreachable` (2), `source-host-isolated` (8), `source-route-failed` (5)
`icmp-type` `number`	ICMP packet type field. Normally, you specify this match in conjunction with the `protocol` match statement to determine which protocol is being used on the port. For more information, see How Firewall Filters Test a Packet's Protocol. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): `echo-reply` (0), `echo-request` (8), `info-reply` (16), `info-request` (15), `mask-request` (17), `mask-reply` (18), `parameter-problem` (12), `redirect` (5), `router-advertisement` (9), `router-solicit` (10), `source-quench` (4), `time-exceeded` (11), `timestamp` (13), `timestamp-reply` (14), or `unreachable` (3).
`interface-group` `group-number`	Interface group on which the packet was received. An interface group is a set of one or more logical interfaces. For information about configuration interface groups, see Applying Firewall Filters to Interfaces.
`next-header` `bytes`	An 8-bit IP protocol field that identifies the type of header immediately following the IPv6 header. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): `egp` (8), `esp` (50), `gre` (47), `icmp` (1), `icmpv6` (1), `igmp` (2), `ipip` (4), `ipv6` (41), `ospf` (89), `pim` (103), `rsvp` (46), `tcp` (6), or `udp` (17`)`.
`packet-length` `bytes`	Length of the received packet, in bytes. The length refers only to the IP packet, including the packet header, and does not include any Layer 2 encapsulation overhead.
`port` `number`	TCP or UDP source or destination port field. You cannot specify both the `port` match and either the `destination-port` or `source-port` match conditions in the same term. Typically, you specify this match in conjunction with the `protocol` match statement to determine which protocol is being used on the port. For more information, see How Firewall Filters Test a Packet's Protocol. In place of the numeric value, you can specify one of the text synonyms listed under `destination-port`.
`source-address` `address`	Address of the source node sending the packet; 128 bits in length. The filter description syntax supports the text representations for IPv6 addresses as described in RFC 2373. For more information about IPv6 address syntax, see the JUNOS Routing Protocols Configuration Guide.
`source-port` `number`	TCP or UDP source port field. You cannot specify the `port` and `source-port` match conditions in the same term. Normally, you specify this match in conjunction with the `protocol` match statement to determine which protocol is being used on the port. For more information, see How Firewall Filters Test a Packet's Protocol. In place of the numeric field, you can specify one of the text synonyms listed under `destination-port`.
`traffic-class` `number`	An eight-bit field that specifies the class-of-service (CoS) priority of the packet. The `traffic-class` field is used to specify a DiffServ code point (DSCP) value. The numerical value cannot be greater than `0x3f`. This field was previously used as the ToS field in IPv4. However, the semantics of this field (for example, DSCP) are identical to IPv4.
`tcp-flags` `flags`	One or more of the following TCP flags: bit-name: `fin`, `syn, rst, push, ack, urgent` numerical value: `0x01` through `0x20` text synonym: `tcp-established, tcp-initial` You can string multiple flags using logical operators. Configuring the `tcp-flags` match condition requires you to configure the `next-header tcp` match condition.
`ttl` `type`	IPv4 TTL type to match. Specify a TTL value between 1 and 255. This match condition is supported only on M320 and T-series routing platforms.
`ttl-except` `type`	IPv4 TTL type to avoid matching. Specify a TTL value between 1 and 255. This match condition is supported only on M320 and T-series routing platforms.

[Contents] [Prev] [Next] [Index] [Report an Error]