Firewall Filter Configuration > Applying Firewall Filters to Interfaces

For a firewall filter to work, you must apply it to at least one interface. To do this, include the filter statement when configuring the logical interface at the [edit interfaces interface-name unit logical-unit-number family family-name] hierarchy level:

[edit interfaces interface-name unit logical-unit-number family family-name]

filter { 

    input filter-name;

    input-list [ filter-names ];

    output filter-name;

    output-list [ filter-names ];

}

In the input statement, list the name of one firewall filter to be evaluated when packets are received on the interface. Input filters applied to the loopback interface, lo0, affect only inbound traffic destined for the Routing Engine.

In the input-list statement, list the names of firewall filters to be evaluated when packets are received on the interface. You can specify up to 16 firewall filters for the filter input list. In the output-list statement, list the names of firewall filters to be evaluated when packets are transmitted from the interface. You can specify up to 16 firewall filters for the filter output list.

In the output statement, list the name of one firewall filter to be evaluated when packets are transmitted on the interface. Output filters applied to the loopback interface, lo0, affect only outbound traffic sent from the Routing Engine.

You can apply only one input and one output firewall filter to each interface. You can use the same filter one or more times.

For more information about configuring filters on interfaces, see the JUNOS Network Interfaces Configuration Guide.

When you apply a filter to an interface, it is evaluated against all the data packets passing through that interface. The exception is the loopback interface, lo0, which is the interface to the Routing Engine and carries no data packets. If you apply a filter to the lo0 interface, the filter affects the local packets received or transmitted by the Routing Engine.

Filters apply to all packets entering an interface, not just the packets destined for the Routing Engine. To filter packets destined for the Routing Engine, configure the group statement at the [edit interfaces interface-name unit logical-unit-number family family-name filter] hierarchy level. For more information, see Defining Interface Groups.

For filters applied to data packets to function, the routing platform must contain an Internet Processor II ASIC.

You can configure the following additional properties when applying filters to interfaces:

• Configuring Interface-Specific Counters
• Defining Interface Groups