Firewall Filters Overview
Firewall filters provide rules that define whether to permit or deny packets that are transiting a port on a Juniper Networks EX Series Ethernet Switch from a source endpoint to a destination endpoint. You configure firewall filters to determine whether to permit or deny traffic before it enters or exits a port to which the firewall filter is applied. To apply a firewall filter, you must first configure the filter and then apply it to a port, either while manually configuring a port or through port profiles.
Each port or interface on the switch can have a maximum of only two filters:
Ingress firewall filter—A filter that is applied to packets that are entering a network.
Egress firewall filter—A filter that is applied to packets that are exiting a network.
You can configure firewall filters to subject packets to filtering, class-of-service (CoS) marking (grouping similar types of traffic together, and treating each type of traffic as a class with its own level of service priority), and traffic policing (controlling the maximum rate of traffic sent or received on an interface). You can create an ingress and an egress firewall filter and deploy the filter on a port.
If you apply ingress and egress filters to the same interface, the ingress filter is processed first.
Firewall Filter Components
In a firewall filter, you define one or more terms that specify the filtering criteria and the action to be taken if a match occurs. A firewall filter can have multiple terms.
Each term consists of the following components:
Match conditions—Specify the values or fields that the packet must contain to be considered a match. You can define various match conditions, including the IP source address field, IP destination address field, MAC source address field, MAC destination address field, Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source port field, and IP protocol field.
Action—Specifies what to do if a packet matches the match conditions. Possible actions are to accept or discard the packet. In addition, packets can be counted to collect statistical information.
Action modifier—Specifies one or more actions for the switch if a packet matches the match conditions. You can specify action modifiers such as count, and log.
Firewall Filter Processing
If there are multiple terms in a filter, the order of the terms is important. Packets are tested against each term in the order in which the terms are listed in the firewall filter configuration. If a packet matches the first term, the switch executes the action defined by that term, and no other terms are evaluated. If the switch does not find a match between the packet and the first term, it compares the packet to the next term. If no match occurs between the packet and the second term, the system continues to compare the packet to each successive term in the filter until a match is found. If the packet does not match any terms in the filter, the switch discards the packet by default.