Example: Configuring a Filter to Limit TCP Access to a Port Based On a Prefix List
This example shows how to configure a standard stateless firewall filter that limits certain TCP and Internet Control Message Protocol (ICMP) traffic destined for the Routing Engine by specifying a list of prefix sources that contain allowed BGP peers.
No special configuration beyond device initialization is required before configuring this example.
In this example, you create a stateless firewall filter that blocks all TCP connection attempts to port 179 from all requesters except BGP peers that have a specified prefix.
A source prefix list, plist_bgp179, is created that specifies the list of source prefixes that contain allowed BGP peers.
The stateless firewall filter filter_bgp179 matches all packets from the source prefix list plist_bgp179 to the destination port number 179.
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the  hierarchy level.
Configure the Filter
The following example requires that you navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure the filter:
Define the filter term that rejects TCP connection attempts to port 179 from all requesters except the specified BGP peers.[edit firewall family inet filter filter_bgp179]user@host# set term term1 from source-address 0.0.0.0/0user@host# set term term1 from source-prefix-list bgp179 exceptuser@host# set term term1 from destination-port bgpuser@host# set term term1 then reject
Define the other filter term to accept all packets.[edit firewall family inet filter filter_bgp179]user@host# set term term2 then accept
Apply the firewall filter to the loopback interface.[edit interfaces lo0 unit 0 family inet]user@host# set filter input filter_bgp179user@host# set address 127.0.0.1/32
From configuration mode, confirm your configuration by entering the show firewall, show interfaces, and show policy-options commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
If you are done configuring the device, enter commit from configuration mode.
Confirm that the configuration is working properly.
Displaying the Firewall Filter Applied to the Loopback Interface
Verify that the firewall filter filter_bgp179 is applied to the IPv4 input traffic at logical interface lo0.0.
Use the show interfaces statistics operational mode command for logical interface lo0.0, and include the detail option. Under the Protocol inet section of the command output section, the Input Filters field displays the name of the stateless firewall filter applied to the logical interface in the input direction.
user@host> show interfaces statistics lo0.0 detail
Logical interface lo0.0 (Index 321) (SNMP ifIndex 16) (Generation 130) Flags: SNMP-Traps Encapsulation: Unspecified Traffic statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Local statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Transit statistics: Input bytes : 0 0 bps Output bytes : 0 0 bps Input packets: 0 0 pps Output packets: 0 0 pps Protocol inet, MTU: Unlimited, Generation: 145, Route table: 0 Flags: Sendbcast-pkt-to-re Input Filters: filter_bgp179 Addresses, Flags: Primary Destination: Unspecified, Local: 127.0.0.1, Broadcast: Unspecified, Generation: 138