Firewall Filter Match Conditions for IPv4 Traffic

 

You can configure a firewall filter with match conditions for Internet Protocol version 4 (IPv4) traffic (family inet).

Note

For MX Series routers with MPCs, you need to initialize certain new firewall filters by walking the corresponding SNMP MIB, for example, show snmp mib walk name ascii. This forces Junos to learn the filter counters and ensure that the filter statistics are displayed. This guidance applies to all enhanced mode firewall filters, filters with flexible conditions, and filters with the certain terminating actions. See those topics, listed under Related Documentation, for details.

Table 1 describes the match-conditions you can configure at the [edit firewall family inet filter filter-name term term-name from] hierarchy level.

Table 1: Firewall Filter Match Conditions for IPv4 Traffic

Match Condition

Description

address address [ except ]

Match the IPv4 source or destination address field unless the except option is included. If the option is included, do not match the IPv4 source or destination address field.

Note: This match condition is not supported on PTX1000 routers.

ah-spi spi-value

(M Series routers, except M120 and M320) Match the IPsec authentication header (AH) security parameter index (SPI) value.

Note: This match condition is not supported on PTX series routers.

ah-spi-except spi-value

(M Series routers, except M120 and M320) Do not match the IPsec AH SPI value.

Note: This match condition is not supported on PTX series routers.

apply-groups

Specify which groups to inherit configuration data from. You can specify more than one group name. You must list them in order of inheritance priority. The configuration data in the first group takes priority over the data in subsequent groups.

apply-groups-except

Specify which groups not to inherit configuration data from. You can specify more than one group name.

destination-address address [ except ]

Match the IPv4 destination address field unless the except option is included. If the option is included, do not match the IPv4 destination address field.

You cannot specify both the address and destination-address match conditions in the same term.

Note: The except option is not supported on PTX1000 routers.

destination-class class-names

Match one or more specified destination class names (sets of destination prefixes grouped together and given a class name). For more information, see Firewall Filter Match Conditions Based on Address Classes.

destination-class-except class-names

Do not match one or more specified destination class names. For details, see the destination-class match condition.

destination-port number

Match the UDP or TCP destination port field.

You cannot specify both the port and destination-port match conditions in the same term.

If you configure this match condition, we recommend that you also configure the protocol udp or protocol tcp match statement in the same term to specify which protocol is being used on the port.

Note: For Junos OS Evolved, you must configure the protocol match statement in the same term.

In place of the numeric value, you can specify one of the following text synonyms (the port numbers are also listed): afs (1483), bgp (179), biff (512), bootpc (68), bootps (67), cmd (514), cvspserver (2401), dhcp (67), domain (53), eklogin (2105), ekshell (2106), exec (512), finger (79), ftp (21), ftp-data (20), http (80), https (443), ident (113), imap (143), kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544), ldap (389), ldp (646), login (513), mobileip-agent (434), mobilip-mn (435), msdp (639), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123), pop3 (110), pptp (1723), printer (515), radacct (1813), radius (1812), rip (520), rkinit (2108), smtp (25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514), tacacs (49), tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525), who (513), or xdmcp (177).

destination-port-except number

Do not match the UDP or TCP destination port field. For details, see the destination-port match condition.

destination-prefix-list name [ except ]

Match destination prefixes in the specified list unless the except option is included. If the option is included, do not match the destination prefixes in the specified list.

Specify the name of a prefix list defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level.

dscp number

Match the Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most significant 6 bits of this byte form the DSCP. For more information, see Understanding How Behavior Aggregate Classifiers Prioritize Trusted Traffic.

Support was added for filtering on Differentiated Services Code Point (DSCP) and forwarding class for Routing Engine sourced packets, including IS-IS packets encapsulated in generic routing encapsulation (GRE). Subsequently, when upgrading from a previous version of Junos OS where you have both a class of service (CoS) and firewall filter, and both include DSCP or forwarding class filter actions, the criteria in the firewall filter automatically takes precedence over the CoS settings. The same is true when creating new configurations; that is, where the same settings exist, the firewall filter takes precedence over the CoS, regardless of which was created first.

You can specify a numeric value from 0 through 63. To specify the value in hexadecimal form, include 0x as a prefix. To specify the value in binary form, include b as a prefix.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):

  • RFC 3246, An Expedited Forwarding PHB (Per-Hop Behavior), defines one code point: ef (46).

  • RFC 2597, Assured Forwarding PHB Group, defines 4 classes, with 3 drop precedences in each class, for a total of 12 code points:

    • af11 (10), af12 (12), af13 (14)

    • af21 (18), af22 (20), af23 (22)

    • af31 (26), af32 (28), af33 (30)

    • af41 (34), af42 (36), af43 (38)

dscp-except number

Do not match on the DSCP number. For more information, see the dscp match condition.

esp-spi spi-value

Match the IPsec encapsulating security payload (ESP) SPI value. Match on this specific SPI value. You can specify the ESP SPI value in hexadecimal, binary, or decimal form.

Note: This match condition is not supported on PTX series routers.

esp-spi-except spi-value

Match the IPsec ESP SPI value. Do not match on this specific SPI value.

Note: This match condition is not supported on PTX series routers.

first-fragment

Match if the packet is the first fragment of a fragmented packet. Do not match if the packet is a trailing fragment of a fragmented packet. The first fragment of a fragmented packet has a fragment offset value of 0.

This match condition is an alias for the bit-field match condition fragment-offset 0 match condition.

To match both first and trailing fragments, you can use two terms that specify different match conditions: first-fragment and is-fragment.

flexible-match-mask value

bit-length

Length of the data to be matched in bits, not needed for string input (0..128)

bit-offset

Bit offset after the (match-start + byte) offset (0..7)

byte-offset

Byte offset after the match start point

flexible-mask-name

Select a flexible match from predefined template field

mask-in-hex

Mask out bits in the packet data to be matched

match-start

Start point to match in packet

prefix

Value data/string to be matched

flexible-match-range value

bit-length

Length of the data to be matched in bits (0..32)

bit-offset

Bit offset after the (match-start + byte) offset (0..7)

byte-offset

Byte offset after the match start point

flexible-range-name

Select a flexible match from predefined template field

match-start

Start point to match in packet

range

Range of values to be matched

range-except

Do not match this range of values

forwarding-class class

Match the forwarding class of the packet.

Specify assured-forwarding, best-effort, expedited-forwarding, or network-control.

Note: This match condition is not supported on PTX1000 routers.

For information about forwarding classes and router-internal output queues, see Understanding How Forwarding Classes Assign Classes to Output Queues.

forwarding-class-except class

Do not match the forwarding class of the packet. For details, see the forwarding-class match condition.

Note: This match condition is not supported on PTX1000 routers.

fragment-flags number

(Ingress only) Match the three-bit IP fragmentation flags field in the IP header.

In place of the numeric field value, you can specify one of the following keywords (the field values are also listed): dont-fragment (0x4), more-fragments (0x2), or reserved (0x8).

fragment-offset value

Match the 13-bit fragment offset field in the IP header. The value is the offset, in 8-byte units, in the overall datagram message to the data fragment. Specify a numeric value, a range of values, or a set of values. An offset value of 0 indicates the first fragment of a fragmented packet.

The first-fragment match condition is an alias for the fragment-offset 0 match condition.

To match both first and trailing fragments, you can use two terms that specify different match conditions (first-fragment and is-fragment).

Note: This match condition is not supported on PTX1000 routers.

fragment-offset-except number

Do not match the 13-bit fragment offset field.

Note: This match condition is not supported on PTX1000 routers.

gre-key range

Match the gre-key field. The GRE key field is a 4 octet number inserted by the GRE encapsulator. It is an optional field for use in GRE encapsulation. The range can be a single GRE key number or a range of key numbers.

For MX Series routers with MPCs, initialize new firewall filters that include this condition by walking the corresponding SNMP MIB.

icmp-code number

Match the ICMP message code field.

Note: When using this match condition, you should also use the protocol icmp match condition in the same term (as shown below) to ensure that icmp packets are being evaluated.

term Allow _ICMP {
                from protocol icmp {
                    icmp-code ip-header-bad;
                    icmp-type echo-reply;
                }
                then {
                    policer ICMP_Policier;
                    count Allow_ICMP;

You must also configure the icmp-type message-type match condition in the same term. An ICMP message code provides more specific information than an ICMP message type, but the meaning of an ICMP message code is dependent on the associated ICMP message type.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed). The keywords are grouped by the ICMP type with which they are associated:

  • parameter-problem: ip-header-bad (0), required-option-missing (1)

  • redirect: redirect-for-host (1), redirect-for-network (0), redirect-for-tos-and-host (3), redirect-for-tos-and-net (2)

  • time-exceeded: ttl-eq-zero-during-reassembly (1), ttl-eq-zero-during-transit (0)

  • unreachable: communication-prohibited-by-filtering (13), destination-host-prohibited (10), destination-host-unknown (7), destination-network-prohibited (9), destination-network-unknown (6), fragmentation-needed (4), host-precedence-violation (14), host-unreachable (1), host-unreachable-for-TOS (12), network-unreachable (0), network-unreachable-for-TOS (11), port-unreachable (3), precedence-cutoff-in-effect (15), protocol-unreachable (2), source-host-isolated (8), source-route-failed (5)

icmp-code-except message-code

Do not match the ICMP message code field. For details, see the icmp-code match condition.

icmp-type number

Match the ICMP message type field.

Note: When using this match condition, you should also use the protocol icmp match condition in the same term (as shown below) to ensure that icmp packets are being evaluated.

term Allow _ICMP {
                from protocol icmp {
                    icmp-code ip-header-bad;
                    icmp-type echo-reply;
                }
                then {
                    policer ICMP_Policier;
                    count Allow_ICMP;

You must also configure the icmp-type message-type match condition in the same term. An ICMP message code provides more specific information than an ICMP message type, but the meaning of an ICMP message code is dependent on the associated ICMP message type.

Note: For Junos OS Evolved, you must configure the protocol match statement in the same term.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): echo-reply (0), echo-request (8), info-reply (16), info-request (15), mask-request (17), mask-reply (18), parameter-problem (12), redirect (5), router-advertisement (9), router-solicit (10), source-quench (4), time-exceeded (11), timestamp (13), timestamp-reply (14), or unreachable (3).

icmp-type-except message-type

Do not match the ICMP message type field. For details, see the icmp-type match condition.

interface interface-name

Match the interface on which the packet was received.

Note: If you configure this match condition with an interface that does not exist, the term does not match any packet.

interface-group group-number

Match the logical interface on which the packet was received to the specified interface group or set of interface groups. For group-number, specify a single value or a range of values from 0 through 255.

To assign a logical interface to an interface group group-number, specify the group-number at the [interfaces interface-name unit number family family filter group] hierarchy level.

Note: This match condition is not supported on PTX series routers.

For more information, see Filtering Packets Received on a Set of Interface Groups Overview.

interface-group-except group-number

Do not match the logical interface on which the packet was received to the specified interface group or set of interface groups. For details, see the interface-group match condition.

Note: This match condition is not supported on PTX series routers.

interface-set interface-set-name

Match the interface on which the packet was received to the specified interface set.

To define an interface set, include the interface-set statement at the [edit firewall] hierarchy level.

Note: This match condition is not supported on PTX series routers.

For more information, see Filtering Packets Received on an Interface Set Overview.

ip-options values

Match the 8-bit IP option field, if present, to the specified value or list of values.

In place of a numeric value, you can specify one of the following text synonyms (the option values are also listed): loose-source-route (131), record-route (7), router-alert (148), security (130), stream-id (136),strict-source-route (137), or timestamp (68).

To match any value for the IP option, use the text synonym any. To match on multiple values, specify the list of values within square brackets ('[’ and ']’). To match a range of values, use the value specification value1-value2 ].

For example, the match condition ip-options [ 0-147 ] matches on an IP options field that contains the loose-source-route, record-route, or security values, or any other value from 0 through 147. However, this match condition does not match on an IP options field that contains only the router-alert value (148).

For most interfaces, a filter term that specifies an ip-option match on one or more specific IP option values (a value other than any) causes packets to be sent to the Routing Engine so that the kernel can parse the IP option field in the packet header.

  • For a firewall filter term that specifies an ip-option match on one or more specific IP option values, you cannot specify the count, log, or syslog nonterminating actions unless you also specify the discard terminating action in the same term. This behavior prevents double-counting of packets for a filter applied to a transit interface on the router.

  • Packets processed on the kernel might be dropped in case of a system bottleneck. To ensure that matched packets are instead sent to the Packet Forwarding Engine (where packet processing is implemented in hardware), use the ip-options any match condition.

The 10-Gigabit Ethernet Modular Port Concentrator (MPC), 100-Gigabit Ethernet MPC, 60-Gigabit Ethernet MPC, 60-Gigabit Queuing Ethernet MPC, and 60-Gigabit Ethernet Enhanced Queuing MPC on MX Series routers are capable of parsing the IP option field of the IPv4 packet header. For interfaces configured on those MPCs, all packets that are matched using the ip-options match condition are sent to the Packet Forwarding Engine for processing.

Note: On M and T series routers, firewall filters cannot count ip-options packets on a per option type and per interface basis. A limited work around is to use the show pfe statistics ip options command to see ip-options statistics on a per PFE basis. See show pfe statistics ip for sample output.

ip-options-except values

Do not match the IP option field to the specified value or list of values. For details about specifying the values, see the ip-options match condition.

is-fragment

Match if the packet is a trailing fragment of a fragmented packet. Do  not match the first fragment of a fragmented packet.

Note: To match both first and trailing fragments, you can use two terms that specify different match conditions (first-fragment and is-fragment).

loss-priority level

Match the packet loss priority (PLP) level.

Specify a single level or multiple levels: low, medium-low, medium-high, or high.

Supported on M120 and M320 routers; M7i and M10i routers with the Enhanced CFEB (CFEB-E); and MX Series routers.

For IP traffic on M320, MX Series, and T Series routers with Enhanced II Flexible PIC Concentrators (FPCs), you must include the tri-color statement at the [edit class-of-service] hierarchy level to commit a PLP configuration with any of the four levels specified. If the tri-color statement is not enabled, you can only configure the high and low levels. This applies to all protocol families.

Note: This match condition is not supported on PTX series routers.

For information about the tri-color statement, see Configuring and Applying Tricolor Marking Policers. For information about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets, see Understanding How Behavior Aggregate Classifiers Prioritize Trusted Traffic.

loss-priority-except level

Do not match the PLP level. For details, see the loss-priority match condition.

Note: This match condition is not supported on PTX series routers.

packet-length bytes

Match the length of the received packet, in bytes. The length refers only to the IP packet, including the packet header, and does not include any Layer 2 encapsulation overhead.

packet-length-except bytes

Do not match the length of the received packet, in bytes. For details, see the packet-length match type.

Note: This match condition is not supported on PTX1000 routers.

port number

Match the UDP or TCP source or destination port field.

If you configure this match condition, you cannot configure the destination-port match condition or the source-port match condition in the same term.

If you configure this match condition, we recommend that you also configure the protocol udp or protocol tcp match statement in the same term to specify which protocol is being used on the port.

Note: For Junos OS Evolved, you must configure the protocol match statement in the same term.

In place of the numeric value, you can specify one of the text synonyms listed under destination-port.

port-except number

Do not match either the source or destination UDP or TCP port field. For details, see the port match condition.

precedence ip-precedence-value

Match the IP precedence field.

In place of the numeric field value, you can specify one of the following text synonyms (the field values are also listed): critical-ecp (0xa0), flash (0x60), flash-override (0x80), immediate (0x40), internet-control (0xc0), net-control (0xe0), priority (0x20), or routine (0x00). You can specify precedence in hexadecimal, binary, or decimal form.

precedence-except ip-precedence-value

Do not match the IP precedence field.

In place of the numeric field value, you can specify one of the following text synonyms (the field values are also listed): critical-ecp (0xa0), flash (0x60), flash-override (0x80), immediate (0x40), internet-control (0xc0), net-control (0xe0), priority (0x20), or routine (0x00). You can specify precedence in hexadecimal, binary, or decimal form.

prefix-list name [ except ]

Match the prefixes of the source or destination address fields to the prefixes in the specified list unless the except option is included. If the option is included, do not match the prefixes of the source or destination address fields to the prefixes in the specified list.

The prefix list is defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level.

Note: This match condition is not supported on PTX1000 routers.

protocol number

Match the IP protocol type field. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): ah (51), dstopts (60), egp (8), esp (50), fragment (44), gre (47), hop-by-hop (0), icmp (1), icmp6 (58), icmpv6 (58), igmp (2), ipip (4), ipv6 (41), ospf (89), pim (103), rsvp (46), sctp (132), tcp (6), udp (17), or vrrp (112).

protocol-except number

Do not match the IP protocol type field. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): ah (51), dstopts (60), egp (8), esp (50), fragment (44), gre (47), hop-by-hop (0), icmp (1), icmp6 (58), icmpv6 (58), igmp (2), ipip (4), ipv6 (41), ospf (89), pim (103), rsvp (46), sctp (132), tcp (6), udp  (17), or vrrp (112).

rat-type tech-type-value

Match the radio-access technology (RAT) type specified in the 8-bit Tech-Type field of Proxy Mobile IPv4 (PMIPv4) access technology type extension. The technology type specifies the access technology through which the mobile device is connected to the access network.

Specify a single value, a range of values, or a set of values. You can specify a technology type as a numeric value from 0 through 255 or as a system keyword.

  • The following numeric values are examples of well-known technology types:

    • Numeric value 1 matches IEEE 802.3.

    • Numeric value 2 matches IEEE 802.11a/b/g.

    • Numeric value 3 matches IEEE 802.16e

    • Numeric value 4 matches IEEE 802.16m.

  • Text string eutran matches 4G.

  • Text string geran matches 2G.

  • Text string utran matches 3G.

rat-type-except tech-type-value

Do not match the RAT Type.

service-filter-hit

Match a packet received from a filter where a service-filter-hit action was applied.

Note: This match condition is not supported on PTX series routers.

source-address address [ except ]

Match the IPv4 address of the source node sending the packet unless the except option is included. If the option is included, do not match the IPv4 address of the source node sending the packet.

You cannot specify both the address and source-address match conditions in the same term.

Note: The except option is not supported on PTX1000 routers.

source-class class-names

Match one or more specified source class names (sets of source prefixes grouped together and given a class name). For more information, see Firewall Filter Match Conditions Based on Address Classes.

source-class-except class-names

Do not match one or more specified source class names. For details, see the source-class match condition.

source-port number

Match the UDP or TCP source port field.

You cannot specify the port and source-port match conditions in the same term.

If you configure this match condition for IPv4 traffic, we recommend that you also configure the protocol udp or protocol tcp match statement in the same term to specify which protocol is being used on the port.

Note: For Junos OS Evolved, you must configure the protocol match statement in the same term.

In place of the numeric value, you can specify one of the text synonyms listed with the destination-port number match condition.

source-port-except number

Do not match the UDP or TCP source port field. For details, see the source-port match condition.

source-prefix-list name [ except ]

Match source prefixes in the specified list unless the except option is included. If the option is included, do not match the source prefixes in the specified list.

Specify the name of a prefix list defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level.

tcp-established

Match TCP packets of an established TCP session (packets other than the first packet of a connection). This is an alias for tcp-flags "(ack | rst)".

This match condition does not implicitly check that the protocol is TCP. To check this, specify the protocol tcp match condition.

tcp-flags value

Match one or more of the low-order 6 bits in the 8-bit TCP flags field in the TCP header.

To specify individual bit fields, you can specify the following text synonyms or hexadecimal values:

  • fin (0x01)

  • syn (0x02)

  • rst (0x04)

  • push (0x08)

  • ack (0x10)

  • urgent (0x20)

In a TCP session, the SYN flag is set only in the initial packet sent, while the ACK flag is set in all packets sent after the initial packet.

You can string together multiple flags using the bit-field logical operators.

For combined bit-field match conditions, see the tcp-established and tcp-initial match conditions.

If you configure this match condition, we recommend that you also configure the protocol tcp match statement in the same term to specify that the TCP protocol is being used on the port.

For IPv4 traffic only, this match condition does not implicitly check whether the datagram contains the first fragment of a fragmented packet. To check for this condition for IPv4 traffic only, use the first-fragment match condition.

tcp-initial

Match the initial packet of a TCP connection. This is an alias for tcp-flags "(!ack & syn)".

This condition does not implicitly check that the protocol is TCP. If you configure this match condition, we recommend that you also configure the protocol tcp match condition in the same term.

ttl number

Match the IPv4 time-to-live number. Specify a TTL value or a range of TTL values. For number, you can specify one or more values from 0 through 255. This match condition is supported only on M120, M320, MX Series, and T Series routers.

ttl-except number

Do not match on the IPv4 TTL number. For details, see the ttl match condition.

Release History Table
Release
Description
Support was added for filtering on Differentiated Services Code Point (DSCP) and forwarding class for Routing Engine sourced packets, including IS-IS packets encapsulated in generic routing encapsulation (GRE).