Understanding Firewall Filter Planning
Before you create a firewall filter and apply it, determine what you want the filter to accomplish and how to use its match conditions and actions to achieve your goals. It is important that you understand how packets are matched, the default and configured actions of the firewall filter, and where to apply the firewall filter.
You can apply no more than one firewall filter per port, VLAN, or router interface per direction (input and output). For example, for a given port you can apply at most one filter in the input direction and one filter in the output direction. You should try to be conservative in the number of terms (rules) that you include in each firewall filter, because a large number of terms requires longer processing time during a commit operation and can make testing and troubleshooting more difficult.
Before you configure and apply firewall filters, answer the following questions for each of them:
- What is the purpose of the filter?
For example, the system can drop packets based on header information, rate-limit traffic, classify packets into forwarding classes, log and count packets, or prevent denial-of-service attacks.
- What are the appropriate match conditions? Determine the packet header fields that the packet must contain for a match. Possible match conditions include the following header fields:
  - Layer 2 header fields—Source and destination MAC addresses, 802.1Q tag, Ethernet type, or VLAN.
  - Layer 3 header fields—Source and destination IP addresses, protocols, and IP options (IP precedence, IP fragmentation flags, or TTL type).
  - TCP header fields—Source and destination ports and flags.
  - ICMP header fields—Packet type and code.
- What are the appropriate actions to take if a match occurs?
The system can accept, discard, or reject packets.
- What additional action modifiers might be required?
For example, you can configure the system to mirror (copy) packets to a specified port, count matching packets, apply traffic management, or police packets.
- On what port, router interface, or VLAN should the firewall filter be applied?
Start with the following basic guidelines:
  - If packets entering or leaving a Layer 2 interface (port) need to be filtered, apply the filter at the [edit family ethernet-switching filter] hierarchy level. This is a port filter.
  - If packets entering or leaving any port in a specific VLAN need to be filtered, use a VLAN filter.
  - If packets entering or leaving a Layer 3 (routed) interface or routed VLAN interface (RVI) need to be filtered, use a router firewall filter. Apply the filter to the interface at the [edit family inet] hierarchy level. You can also apply a router firewall filter on a loopback interface.
Before you choose the interface or VLAN on which to apply a firewall filter, understand how that placement can affect traffic flow to other interfaces. In general, apply a filter close to the source device if the filter matches on source or destination IP addresses, IP protocols, or protocol information—such as ICMP message types and TCP or UDP port numbers. However, apply a filter close to the destination device if the filter matches only on a source IP address. When you apply a filter too close to the source device, the filter could prevent that source device from accessing other services that are available on the network.
Egress firewall filters do not affect the flow of locally generated control packets from the Routing Engine.
- In which direction should the firewall filter be applied?
You typically configure different actions for traffic entering an interface than you configure for traffic exiting an interface.
- How many filters should I create?
See Planning the Number of Firewall Filters to Create for information about how many firewall filters you can apply.
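The following configuration is an added example that works through the planning questions above in Junos syntax; it is not taken from Juniper's documentation. It assumes the classic EX Series (non-ELS) hierarchy names that the text refers to, and the interface name ge-0/0/0, VLAN name servers, VLAN ID 10, filter and counter names, and the source MAC address are all constructed for illustration. The purpose of the port filter is to drop frames from one unwanted MAC address (a Layer 2 match condition with a discard action and a count modifier); the purpose of the router filter is to discard IP fragments, rate-limit Telnet with a policer, and count what it touches (Layer 3 and TCP match conditions with action modifiers). Each filter ends with an explicit accept term, because a firewall filter's implicit final action discards everything that no term matched. The placement follows the guidelines above: the ethernet-switching filter is applied as a port filter on the Layer 2 interface, and the inet filter is applied as a router filter on the RVI, with a different, minimal filter in the output direction to show that each direction takes its own single filter.

```junos
firewall {
    /* Policer referenced as an action modifier: rate-limit rather than drop */
    policer telnet-limit {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family ethernet-switching {
        /* Port filter: Layer 2 match conditions for a Layer 2 interface */
        filter port-ingress-guard {
            /* Constructed MAC address for the example */
            term block-rogue-mac {
                from {
                    source-mac-address 00:11:22:33:44:55;
                }
                then {
                    discard;
                    count rogue-mac-hits;
                }
            }
            /* Implicit final action is discard, so accept the rest explicitly */
            term allow-rest {
                then accept;
            }
        }
    }
    family inet {
        /* Router filter: Layer 3 and TCP match conditions for the RVI */
        filter routed-guard {
            term drop-fragments {
                from {
                    is-fragment;
                }
                then {
                    discard;
                    count fragment-hits;
                }
            }
            term limit-telnet {
                from {
                    protocol tcp;
                    destination-port 23;
                }
                then {
                    policer telnet-limit;
                    count telnet-hits;
                    accept;
                }
            }
            term allow-rest {
                then accept;
            }
        }
        /* Output direction gets its own, deliberately different, filter */
        filter routed-egress-count {
            term count-all {
                then {
                    count egress-packets;
                    accept;
                }
            }
        }
    }
}
interfaces {
    /* Port filter applied at [edit interfaces ... family ethernet-switching filter] */
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                filter {
                    input port-ingress-guard;
                }
            }
        }
    }
    /* Router filter applied at [edit interfaces ... family inet filter]: one per direction */
    vlan {
        unit 10 {
            family inet {
                filter {
                    input routed-guard;
                    output routed-egress-count;
                }
            }
        }
    }
}
vlans {
    servers {
        vlan-id 10;
        l3-interface vlan.10;
    }
}
```

The same inet filter could also be applied under lo0 unit 0 family inet to filter traffic destined for the switch itself, and a VLAN filter would instead be attached under the VLAN definition (filter input or filter output beneath vlans servers). After a commit, the counters named in the count modifiers can be read with show firewall, which is the quickest way to confirm that the match conditions are hitting the traffic you planned for before tightening the actions.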