Classic Filters Overview
The dynamic firewall feature supports classic filters, which are static filters that are applied to an interface dynamically. They are compiled at commit time and then, when a service is activated, an interface-specific clone of the filter is created and attached to a logical interface. This dynamic application is performed by associating input or output filters with a dynamic profile.
This overview covers:
Classic Filter Types
The following classic filter types are supported:
Port (Layer 2) firewall filter—Port firewall filters apply to Layer 2 switch ports. You can apply port firewall filters only in the ingress direction on a physical port.
VLAN firewall filter—VLAN firewall filters provide access control for packets that enter a VLAN, are bridged within a VLAN, and leave a VLAN. You can apply VLAN firewall filters in both ingress and egress directions on a VLAN. VLAN firewall filters are applied to all packets that are forwarded to or forwarded from the VLAN.
Router (Layer 3) firewall filter—You can apply a router firewall filter in both ingress and egress directions on Layer 3 (routed) interfaces.
Classic Filter Components
When creating a classic filter, you first define the family address type (inet or inet6) and then you define one or more terms that specify the filtering criteria and the action to take when a match occurs.
Each term, or rule, consists of the following components:
Match conditions—Specifies values or fields that the packet must contain. You can define various match conditions, including:
IP source address field
IP destination address field
Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source port field
IP protocol field
Internet Control Message Protocol (ICMP) packet type
Actions—Specifies what to do when a match condition occurs. Possible actions are to accept or discard a packet. In addition, packets can be counted to collect statistical information. If no action is specified for a term, the default action is to accept the packet.
Classic Filter Processing
The order of the terms within a classic filter is important. Packets are tested against each term in the order in which the terms are listed in the firewall filter configuration. When a firewall filter contains multiple terms, the router takes a top-down approach and compares a packet against the first term in the firewall filter. If the packet matches the first term, the router executes the action defined by that term to either accept or reject the packet, and no other terms are evaluated. If the router does not find a match between the packet and first term, it then compares the packet to the next term in the firewall filter by using the same match process. If no match occurs between the packet and the second term, the router continues to compare the packet to each successive term defined in the firewall filter until a match is found. If a packet does not match any terms in a firewall filter, the default action is to discard the packet.
You can also specify a precedence (from 0 through 255) for input and output filters within a dynamic profile to force filter processing in a particular order. Setting a lower precedence value for a filter gives it a higher precedence within the dynamic profile. Filters with lower precedence values are applied to interfaces before filters with higher precedence values. A precedence of zero (the default) gives the filter the highest precedence. If no precedence is specified, the filter receives a precedence of zero (highest precedence). Filters with matching precedence (zero or otherwise) are applied in random order.
Dynamic filters do not process outbound packets that are sourced from the routing engine. To filter outbound packets that are sourced from the routing engine, you can create static outbound filters for each interface.
Guidelines for Creating and Applying Classic Filters for Subscriber Interfaces
Dynamic configuration of firewall filters is supported. However, you can also continue to create static firewall filters for interfaces as you do normally, and then dynamically apply those filters to statically created interfaces using dynamic profiles. You can also use dynamic profiles to attach input and output filters through RADIUS.
When creating and applying filters, keep the following in mind:
Dynamic application of only input and output filters is supported.
The filters must be interface-specific.
You can create family-specific inet and inet6 filters.
You can create interface-specific filters at the unit level that apply to any family type (inet or inet6) configured on the interface.
You can add or remove both IPv4 and IPv6 filters with the same service activation or deactivation.
You can remove one filter type without impacting the other type of filter. For example, you can remove IPv6 filters and leave the current IPv4 filters active.
You can chain up to five input filters and four output filters together.
If you do not configure and apply a filter, the interface uses the default group filter configuration.
You cannot modify or delete a firewall filter while subscribers on the same logical interface are bound.