Defining Interface Groups
When applying a firewall filter, you can define an interface to be part of an interface group. Packets received on that interface are tagged as being part of the group. You can then match these packets using the interface-group match statement, as described in Table 27. The filter that matches on the group does not have to be applied to the tagged interface itself: the tag travels with the packet, so a filter applied elsewhere (for example, on lo0) can select traffic by the interface it arrived on.

To define an interface to be part of an interface group, include the group statement at the [edit interfaces interface-name unit logical-unit-number family family-name filter] hierarchy level:

    [edit interfaces interface-name unit logical-unit-number family family-name filter]
    group group-number;
    input filter-name;
    output filter-name;

In the group statement, specify the interface group number to assign to the interface. Packets received on the interface are tagged with this number, and only a term whose from clause includes interface-group group-number matches them.

In the input statement, list the name of one firewall filter to be evaluated when packets are received on the interface.

In the output statement, list the name of one firewall filter to be evaluated when packets are transmitted on the interface.

Example: Defining Interface Groups
Create a filter that contains an interface group:
    [edit firewall]
    family inet {
        filter if-group {
            term group1 {
                from {
                    interface-group 1;
                    address {
                        192.168.80.114/32;
                    }
                    protocol tcp;
                    port finger;
                }
                then {
                    count if-group-counter1;
                    log;
                    reject;
                }
            }
            term group-2 {
                then {
                    count if-group-counter2;
                    log;
                    accept;
                }
            }
        }
    }

Terms are evaluated in order and the first match wins. Term group1 matches only TCP finger packets with 192.168.80.114 as source or destination address that were received on an interface in group 1, and counts, logs, and rejects them. Term group-2 has no from clause, so it matches every remaining packet and accepts it; without that final term, unmatched packets would hit the implicit discard at the end of the filter.

Assign one or more interfaces to the interface group referenced in the filter:
    [edit interfaces]
    fxp0 {
        unit 0 {
            family inet {
                filter {
                    group 1;
                }
                address 192.168.5.38/24;
            }
        }
    }

Apply the filter that contains an interface group:
    [edit interfaces]
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input if-group;
                    group 1;
                }
                address 10.0.0.1/32;
                address 192.168.77.1/32;
            }
        }
    }

Because if-group is applied as an input filter on lo0, it is evaluated for traffic destined to the Routing Engine. The interface-group 1 match in term group1 restricts that term to packets that arrived on fxp0, the only interface assigned to group 1 above, so finger connections involving 192.168.80.114 over the management interface are rejected, logged, and counted, while all other traffic is accepted by term group-2. If no interface is assigned to the group a term references, that term can never match and the filter falls through to the later terms.
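The behaviour the three steps above configure, as an added example that is not part of the original page and is not Junos code: a small Python model of interface-group tagging and first-match term evaluation, run against constructed packets. It implements only what the page states (packets received on an interface configured with group N are tagged N; a term with from interface-group N matches only those packets, wherever the filter is applied). The Packet, Term and Filter classes, the dead_group_terms check, the untagged interface ge-0/0/0.0, the port numbers, and the packets themselves are the example's own assumptions.

```python
"""Model of Junos interface-group tagging and firewall-filter term evaluation.

Added example, not Junos code and not from the original page. Only the
interface-group semantics come from the page; packet fields, the finger port
(TCP 79) and the implicit discard at the end of a filter are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FINGER_PORT = 79  # 'port finger' on the page; assumed to name TCP/UDP port 79


@dataclass
class Packet:
    ingress: str      # logical interface the packet arrived on, e.g. "fxp0.0"
    src: str
    dst: str
    protocol: str     # "tcp", "udp", "icmp", ...
    sport: int = 0
    dport: int = 0


@dataclass
class Term:
    name: str
    interface_group: Optional[int] = None
    address: Optional[str] = None   # source OR destination, like Junos 'address'
    protocol: Optional[str] = None
    port: Optional[int] = None      # source OR destination, like Junos 'port'
    action: str = "accept"          # "accept", "reject" or "discard"

    def matches(self, pkt: Packet, group_of: Dict[str, int]) -> bool:
        """All configured 'from' conditions must hold; a term with no 'from' matches all."""
        if self.interface_group is not None and group_of.get(pkt.ingress) != self.interface_group:
            return False  # arrived on an interface not tagged with this group
        if self.address is not None and self.address not in (pkt.src, pkt.dst):
            return False
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.port is not None and self.port not in (pkt.sport, pkt.dport):
            return False
        return True


@dataclass
class Filter:
    name: str
    terms: List[Term]

    def evaluate(self, pkt: Packet, group_of: Dict[str, int]) -> Tuple[str, str]:
        """First matching term wins; no match falls to the implicit discard."""
        for term in self.terms:
            if term.matches(pkt, group_of):
                return term.name, term.action
        return "<implicit>", "discard"


def dead_group_terms(flt: Filter, group_of: Dict[str, int]) -> List[str]:
    """Terms whose interface-group is assigned to no interface: they can never match."""
    assigned = set(group_of.values())
    return [t.name for t in flt.terms
            if t.interface_group is not None and t.interface_group not in assigned]


# Step 2 on the page: 'group 1' under fxp0 unit 0 family inet filter.
INTERFACE_GROUPS = {"fxp0.0": 1}

# Step 1 on the page: filter if-group with its two terms.
IF_GROUP = Filter("if-group", [
    Term("group1", interface_group=1, address="192.168.80.114",
         protocol="tcp", port=FINGER_PORT, action="reject"),
    Term("group-2"),  # no 'from' clause: matches everything, accepts
])


def run_examples() -> Dict[str, Tuple[str, str]]:
    """Evaluate if-group (applied as input on lo0, step 3) against constructed packets."""
    pkts = {
        # finger to the lo0 address, arriving on the tagged management interface
        "finger_via_fxp0": Packet("fxp0.0", "192.168.80.114", "10.0.0.1", "tcp", 40123, FINGER_PORT),
        # same flow arriving on an untagged interface: interface-group 1 does not match
        "finger_via_ge": Packet("ge-0/0/0.0", "192.168.80.114", "192.168.77.1", "tcp", 40123, FINGER_PORT),
        # other traffic on fxp0 falls through to term group-2
        "ssh_via_fxp0": Packet("fxp0.0", "192.168.80.114", "10.0.0.1", "tcp", 40124, 22),
    }
    return {name: IF_GROUP.evaluate(p, INTERFACE_GROUPS) for name, p in pkts.items()}


if __name__ == "__main__":
    for name, (term, action) in run_examples().items():
        print(f"{name:16s} -> term {term}, {action}")
    # A filter that refers to a group no interface carries: its term is dead.
    typo = Filter("if-group-typo", [Term("group1", interface_group=2, action="reject"), Term("any")])
    print("dead terms:", dead_group_terms(typo, INTERFACE_GROUPS))
```

The dead_group_terms check is the one worth keeping around: a filter that references an interface group no interface is assigned to commits without error, and the protective term simply never fires while the catch-all accept term lets the traffic through.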