Overview of Firewall Filters
Firewall filters, sometimes called access control lists (ACLs), provide rules that define whether to accept or discard packets that are transiting an interface. If a packet is accepted, you can configure more actions on the packet, such as class-of-service (CoS) marking (grouping similar types of traffic together and treating each type of traffic as a class with its own level of service priority) and traffic policing (controlling the maximum rate of traffic sent or received).
You can configure firewall filters to determine where to accept or discard a packet before it enters or exits a port, VLAN, Layer 2 CCC, Layer 3 (routed) interface, Routed VLAN interface (RVI), or MPLS interface.
An ingress (input) firewall filter is applied to packets that are entering an interface or VLAN, and an egress (output) firewall filter is applied to packets that are exiting an interface or VLAN.
Where You Can Apply Filters
After you configure the firewall filter, you can apply it to the following:
Port—Filters Layer 2 traffic transiting system ports.
VLAN—Filters and provides access control for Layer 2 packets that enter a VLAN, are bridged within a VLAN, or leave a VLAN.
Layer 3 (routed) interface—Filters traffic on IPv4 and IPv6 interfaces, routed VLAN interfaces (RVI), and the loopback interface. The loopback interface filters traffic sent to the switch itself or generated by the switch.
Layer 2 CCC interface—Filters Layer 2 circuit cross-connect (CCC) interfaces.
MPLS—Filters MPLS interfaces.
You can also apply a firewall filter to a management interface (for example, me0) on a QFX and EX4600 standalone switch. You can’t apply a filter to a management interface on a QFX3000-G or QFX3000-M system.
You can apply only one firewall filter to a port, VLAN, or Layer 2 CCC interface for a given direction. For example, for interface ge-0/0/6.0, you can apply one filter for the ingress direction and one for the egress direction.
(QFX Series) Starting with Junos OS Release 13.2X51-D15, you can apply a filter to a loopback interface in the egress direction.
(QFX10000) Starting with Junos OS Release 18.2R1, you can apply ingress and egress firewall filters with count and discard as policer actions on Layer 2 circuit interfaces.
(QFX10002-36Q, QFX10002-72Q, QFX10002-60C, QFX10008, QFX10016, PTX10008, PTX10016) Starting with Junos OS Release 19.2R1, you can apply the interface, forwarding-class, and loss-priority match conditions in the egress direction on IPv4 and IPv6 interfaces.
What Makes up a Firewall Filter
When you configure a firewall filter, you define the family address type (ethernet-switching, inet (for IPv4), inet6 (for IPv6), circuit cross-connect (CCC), or MPLS), the filtering criteria (terms, with match conditions,) and the action to take if a match occurs.
Each term consists of the following
Match condition—Values that a packet must contain to be considered a match. You can specify values for most fields in the IP, TCP, UDP, or ICMP headers. You can also match on interface names.
Action—Action taken if a packet matches a match condition. You can configure a firewall filter to accept, discard, or reject a matching packet and then perform more actions, such as counting, classifying, and policing. The default action is accept.
How Firewall Filters are Processed
If there are multiple terms in a filter, the order of the terms is important. If a packet matches the first term, the switch takes the action defined by that term, and no other terms are evaluated. If the switch doesn’t find a match between the packet and the first term, it compares the packet to the next term. If no match occurs between the packet and the second term, the system continues to compare the packet to each successive term in the filter until a match is found. If no terms are matched, the switch discards the packet by default.