Guidelines for Configuring Firewall Filters

 

This topic covers the following information:

Statement Hierarchy for Configuring Firewall Filters

To configure a standard firewall filter, you can include the following statements. For an IPv4 standard firewall filter, the family inet statement is optional. For an IPv6 standard firewall filter, the family inet6 statement is mandatory.

You can include the firewall configuration at one of the following hierarchy levels:

  • [edit]

  • [edit logical-systems logical-system-name]

Note

For stateless firewall filtering, you must allow the output tunnel traffic through the firewall filter applied to input traffic on the interface that is the next-hop interface toward the tunnel destination. The firewall filter affects only the packets exiting the router (or switch) by way of the tunnel.

Firewall Filter Protocol Families

A firewall filter configuration is specific to a particular protocol family. Under the firewall statement, include one of the following statements to specify the protocol family for which you want to filter traffic:

  • family any—To filter protocol-independent traffic.

  • family inet—To filter Internet Protocol version 4 (IPv4) traffic.

  • family inet6—To filter Internet Protocol version 6 (IPv6) traffic.

  • family mpls—To filter MPLS traffic.

  • family vpls—To filter virtual private LAN service (VPLS) traffic.

  • family ccc—To filter Layer 2 circuit cross-connection (CCC) traffic.

  • family bridge—To filter Layer 2 bridging traffic for MX Series 3D Universal Edge Routers only.

  • family ethernet-switching—To filter Layer 2 (Ethernet) traffic.

The family family-name statement is required only to specify a protocol family other than IPv4. To configure an IPv4 firewall filter, you can configure the filter at the [edit firewall] hierarchy level without including the family inet statement, because the [edit firewall] and [edit firewall family inet] hierarchy levels are equivalent.

Note

For bridge family filter, the ip-protocol match criteria is supported only for IPv4 and not for IPv6. This is applicable for line cards that support the Junos Trio chipset such as the MX 3D MPC line cards.

Firewall Filter Names and Options

Under the family family-name statement, you can include filter filter-name statements to create and name firewall filters. The filter name can contain letters, numbers, and hyphens (-) and be up to 64 characters long. To include spaces in the name, enclose the entire name in quotation marks (“ ”).

At the [edit firewall family family-name filter filter-name] hierarchy level, the following statements are optional:

  • accounting-profile

  • instance-shared (MX Series routers with Modular Port Concentrators (MPCS) only)

  • interface-specific

  • physical-interface-filter

Firewall Filter Terms

Under the filter filter-name statement, you can include term term-name statements to create and name filter terms.

  • You must configure at least one term in a firewall filter.

  • You must specify a unique name for each term within a firewall filter. The term name can contain letters, numbers, and hyphens (-) and can be up to 64 characters long. To include spaces in the name, enclose the entire name in quotation marks (“ ”).

  • The order in which you specify terms within a firewall filter configuration is important. Firewall filter terms are evaluated in the order in which they are configured. By default, new terms are always added to the end of the existing filter. You can use the insert configuration mode command to reorder the terms of a firewall filter.

At the [edit firewall family family-name filter filter-name term term-name] hierarchy level, the filter filter-name statement is not valid in the same term as from or then statements. When included at this hierarchy level, the filter filter-name statement is used to nest firewall filters.

Firewall Filter Match Conditions

Firewall filter match conditions are specific to the type of traffic being filtered.

With the exception of MPLS-tagged IPv4 or IPv6 traffic, you specify the term’s match conditions under the from statement. For MPLS-tagged IPv4 traffic, you specify the term’s IPv4 address-specific match conditions under the ip-version ipv4 statement and the term’s IPv4 port-specific match conditions under the protocol (tcp | udp) statement.

For MPLS-tagged IPv6 traffic, you specify the term’s IPv6 address-specific match conditions under the ip-version ipv6 statement and the term’s IPv6 port-specific match conditions under the protocol (tcp | udp) statement.

Table 1 describes the types of traffic for which you can configure firewall filters.

Table 1: Firewall Filter Match Conditions by Protocol Family

Traffic Type

Hierarchy Level at Which Match Conditions Are Specified

Protocol-independent

[edit firewall family any filter filter-name term term-name]

For the complete list of match conditions, see Firewall Filter Match Conditions for Protocol-Independent Traffic.

IPv4

[edit firewall family inet filter filter-name term term-name]

For the complete list of match conditions, see Firewall Filter Match Conditions for IPv4 Traffic.

IPv6

[edit firewall family inet6 filter filter-name term term-name]

For the complete list of match conditions, see Firewall Filter Match Conditions for IPv6 Traffic.

MPLS

[edit firewall family mpls filter filter-name term term-name]

For the complete list of match conditions, see Firewall Filter Match Conditions for MPLS Traffic.

IPv4 addresses in MPLS flows

[edit firewall family mpls filter filter-name term term-name ip-version ipv4 ]

For the complete list of match conditions, see Firewall Filter Match Conditions for MPLS-Tagged IPv4 or IPv6 Traffic.

IPv4 ports in MPLS flows

[edit firewall family mpls filter filter-name term term-name ip-version ipv4 protocol (tcp | udp)]

For the complete list of match conditions, see Firewall Filter Match Conditions for MPLS-Tagged IPv4 or IPv6 Traffic.

IPv6 addresses in MPLS flows

[edit firewall family mpls filter filter-name term term-name ip-version ipv6 ]

For the complete list of match conditions, see Firewall Filter Match Conditions for MPLS-Tagged IPv4 or IPv6 Traffic.

IPv6 ports in MPLS flows

[edit firewall family mpls filter filter-name term term-name ip-version ipv6 protocol (tcp | udp)]

For the complete list of match conditions, see Firewall Filter Match Conditions for MPLS-Tagged IPv4 or IPv6 Traffic.

VPLS

[edit firewall family vpls filter filter-name term term-name]

For the complete list of match conditions, see Firewall Filter Match Conditions for VPLS Traffic.

Layer 2 CCC

[edit firewall family ccc filter filter-name term term-name]

For the complete list of match conditions, see Firewall Filter Match Conditions for Layer 2 CCC Traffic.

Layer 2 Bridging

(MX Series routers and EX Series switches only)

[edit firewall family bridge filter filter-name term term-name]

[edit firewall family ethernet-switching filter filter-name term term-name] (for EX Series switches only)

For the complete list of match conditions, see Firewall Filter Match Conditions for Layer 2 Bridging Traffic.

If you specify an IPv6 address in a match condition (the address, destination-address, or source-address match conditions), use the syntax for text representations described in RFC 4291, IP Version 6 Addressing Architecture. For more information about IPv6 addresses, see IPv6 Overview and Supported IPv6 Standards.

Firewall Filter Actions

Under the then statement for a firewall filter term, you can specify the actions to be taken on a packet that matches the term.

Table 2 summarizes the types of actions you can specify in a firewall filter term.

Table 2: Firewall Filter Action Categories

Type of Action

Description

Comment

Terminating

Halts all evaluation of a firewall filter for a specific packet. The router (or switch) performs the specified action, and no additional terms are used to examine the packet.

You can specify only one terminating action in a firewall filter term. You can, however, specify one terminating action with one or more nonterminating actions in a single term. For example, within a term, you can specify accept with count and syslog. Regardless of the number of terms that contain terminating actions, once the system processes a terminating action within a term, processing of the entire firewall filter halts.

See Firewall Filter Terminating Actions.

Nonterminating

Performs other functions on a packet (such as incrementing a counter, logging information about the packet header, sampling the packet data, or sending information to a remote host using the system log functionality), but any additional terms are used to examine the packet.

All nonterminating actions include an implicit accept action. This accept action is carried out if no other terminating action is configured in the same term.

See Firewall Filter Nonterminating Actions.

Flow control

For standard firewall filters only, the next term action directs the router (or switch) to perform configured actions on the packet and then, rather than terminate the filter, use the next term in the filter to evaluate the packet. If the next term action is included, the matching packet is evaluated against the next term in the firewall filter. Otherwise, the matching packet is not evaluated against subsequent terms in the firewall filter.

For example, when you configure a term with the nonterminating action count, the term’s action changes from an implicit discard to an implicit accept. The next term action forces the continued evaluation of the firewall filter.

You cannot configure the next term action with a terminating action in the same filter term. However, you can configure the next term action with another nonterminating action in the same filter term.

A maximum of 1024 next term actions are supported per standard firewall filter configuration. If you configure a standard firewall filter that exceeds this limit, your candidate configuration results in a commit error.

Note: On Junos OS Evolved, next term cannot appear as the last term of the action. A filter term where next term is specified as an action but without any match conditions configured is not supported.