Firewall Filter Match Conditions for IPv4 Traffic
You can configure a firewall filter with match conditions for Internet Protocol version 4 (IPv4) traffic (family inet).
For MX Series routers with MPCs, you need to initialize the filter counter for Trio-only match filters in the MIB by walking the corresponding SNMP MIB, for example, show snmp mib walk name ascii. This forces Junos to learn the filter counters, and ensures that the filter statistics are displayed (this is because the first poll to filter statistics may not show all counters). This guidance applies to all enhanced mode firewall filters, filters with flexible conditions, and filters with certain terminating actions. See those topics, listed under Related Documentation, for details.
Table 1 describes the match-conditions you can configure at the [edit firewall family inet filter filter-name term term-name from] hierarchy level.
Table 1: Firewall Filter Match Conditions for IPv4 Traffic
Match Condition | Description | |
|---|---|---|
address address [ except ] | Match the IPv4 source or destination address field unless the except option is included. If the option is included, do not match the IPv4 source or destination address field. The except modifier is not supported on EX2300 and EX3400 platforms. | |
ah-spi spi-value | (M Series routers, except M120 and M320) Match the IPsec authentication header (AH) security parameter index (SPI) value. Note: This match condition is not supported on PTX series routers. | |
ah-spi-except spi-value | (M Series routers, except M120 and M320) Do not match the IPsec AH SPI value. Note: This match condition is not supported on PTX series routers. | |
apply-groups | Specify which groups to inherit configuration data from. You can specify more than one group name. You must list them in order of inheritance priority. The configuration data in the first group takes priority over the data in subsequent groups. | |
apply-groups-except | Specify which groups not to inherit configuration data from. You can specify more than one group name. | |
destination-address address [ except ] | Match the IPv4 destination address field unless the except option is included. If the option is included, do not match the IPv4 destination address field. You cannot specify both the address and destination-address match conditions in the same term. | |
destination-class class-names | Match one or more specified destination class names (sets of destination prefixes grouped together and given a class name). For more information, see Firewall Filter Match Conditions Based on Address Classes. | |
destination-class-except class-names | Do not match one or more specified destination class names. For details, see the destination-class match condition. | |
destination-port number | Match the UDP or TCP destination port field. You cannot specify both the port and destination-port match conditions in the same term. If you configure this match condition, we recommend that you also configure the protocol udp or protocol tcp match statement in the same term to specify which protocol is being used on the port. Note: For Junos OS Evolved, you must configure the protocol match statement in the same term. In place of the numeric value, you can specify one of the following text synonyms (the port numbers are also listed): afs (1483), bgp (179), biff (512), bootpc (68), bootps (67), cmd (514), cvspserver (2401), dhcp (67), domain (53), eklogin (2105), ekshell (2106), exec (512), finger (79), ftp (21), ftp-data (20), http (80), https (443), ident (113), imap (143), kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544), ldap (389), ldp (646), login (513), mobileip-agent (434), mobilip-mn (435), msdp (639), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123), pop3 (110), pptp (1723), printer (515), radacct (1813), radius (1812), rip (520), rkinit (2108), smtp (25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514), tacacs (49), tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525), who (513), or xdmcp (177). | |
destination-port-except number | Do not match the UDP or TCP destination port field. For details, see the destination-port match condition. | |
destination-prefix-list name [ except ] | Match destination prefixes in the specified list unless the except option is included. If the option is included, do not match the destination prefixes in the specified list. Specify the name of a prefix list defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level. | |
dscp number | Match the Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most significant 6 bits of this byte form the DSCP. For more information, see Understanding How Behavior Aggregate Classifiers Prioritize Trusted Traffic. Support was added for filtering on Differentiated Services Code Point (DSCP) and forwarding class for Routing Engine sourced packets, including IS-IS packets encapsulated in generic routing encapsulation (GRE). Subsequently, when upgrading from a previous version of Junos OS where you have both a class of service (CoS) and firewall filter, and both include DSCP or forwarding class filter actions, the criteria in the firewall filter automatically takes precedence over the CoS settings. The same is true when creating new configurations; that is, where the same settings exist, the firewall filter takes precedence over the CoS, regardless of which was created first. You can specify a numeric value from 0 through 63. To specify the value in hexadecimal form, include 0x as a prefix. To specify the value in binary form, include b as a prefix. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):
| |
dscp-except number | Do not match on the DSCP number. For more information, see the dscp match condition. | |
esp-spi spi-value | Match the IPsec encapsulating security payload (ESP) SPI value. Match on this specific SPI value. You can specify the ESP SPI value in hexadecimal, binary, or decimal form. Note: This match condition is not supported on PTX series routers. | |
esp-spi-except spi-value | Match the IPsec ESP SPI value. Do not match on this specific SPI value. Note: This match condition is not supported on PTX series routers. | |
first-fragment | Match if the packet is the first fragment of a fragmented packet. Do not match if the packet is a trailing fragment of a fragmented packet. The first fragment of a fragmented packet has a fragment offset value of 0. This match condition is an alias for the bit-field match condition fragment-offset 0 match condition. To match both first and trailing fragments, you can use two terms that specify different match conditions: first-fragment and is-fragment. | |
flexible-match-mask value | bit-length | Length of the data to be matched in bits, not needed for string input (0..128) |
bit-offset | Bit offset after the (match-start + byte) offset (0..7) | |
byte-offset | Byte offset after the match start point | |
flexible-mask-name | Select a flexible match from predefined template field | |
mask-in-hex | Mask out bits in the packet data to be matched | |
match-start | Start point to match in packet | |
prefix | Value data/string to be matched | |
flexible-match-range value | bit-length | Length of the data to be matched in bits (0..32) |
bit-offset | Bit offset after the (match-start + byte) offset (0..7) | |
byte-offset | Byte offset after the match start point | |
flexible-range-name | Select a flexible match from predefined template field | |
match-start | Start point to match in packet | |
range | Range of values to be matched | |
range-except | Do not match this range of values | |
forwarding-class class | Match the forwarding class of the packet. Specify assured-forwarding, best-effort, expedited-forwarding, or network-control. For information about forwarding classes and router-internal output queues, see Understanding How Forwarding Classes Assign Classes to Output Queues. | |
forwarding-class-except class | Do not match the forwarding class of the packet. For details, see the forwarding-class match condition. | |
fragment-flags number | (Ingress only) Match the three-bit IP fragmentation flags field in the IP header. In place of the numeric field value, you can specify one of the following keywords (the field values are also listed): dont-fragment (0x4), more-fragments (0x2), or reserved (0x8). | |
fragment-offset value | Match the 13-bit fragment offset field in the IP header. The value is the offset, in 8-byte units, in the overall datagram message to the data fragment. Specify a numeric value, a range of values, or a set of values. An offset value of 0 indicates the first fragment of a fragmented packet. The first-fragment match condition is an alias for the fragment-offset 0 match condition. To match both first and trailing fragments, you can use two terms that specify different match conditions (first-fragment and is-fragment). | |
fragment-offset-except number | Do not match the 13-bit fragment offset field. | |
gre-key range | Match the gre-key field. The GRE key field is a 4 octet number inserted by the GRE encapsulator. It is an optional field for use in GRE encapsulation. The range can be a single GRE key number or a range of key numbers. For MX Series routers with MPCs, initialize new firewall filters that include this condition by walking the corresponding SNMP MIB. | |
icmp-code number | Match the ICMP message code field. Note: When using this match condition, you should also use the protocol icmp match condition in the same term (as shown below) to ensure that icmp packets are being evaluated. term Allow _ICMP {
from protocol icmp {
icmp-code ip-header-bad;
icmp-type echo-reply;
}
then {
policer ICMP_Policier;
count Allow_ICMP;You must also configure the icmp-type message-type match condition in the same term. An ICMP message code provides more specific information than an ICMP message type, but the meaning of an ICMP message code is dependent on the associated ICMP message type. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed). The keywords are grouped by the ICMP type with which they are associated:
| |
icmp-code-except message-code | Do not match the ICMP message code field. For details, see the icmp-code match condition. | |
icmp-type number | Match the ICMP message type field. Note: When using this match condition, you should also use the protocol icmp match condition in the same term (as shown below) to ensure that icmp packets are being evaluated. term Allow _ICMP {
from protocol icmp {
icmp-code ip-header-bad;
icmp-type echo-reply;
}
then {
policer ICMP_Policier;
count Allow_ICMP;You must also configure the icmp-type message-type match condition in the same term. An ICMP message code provides more specific information than an ICMP message type, but the meaning of an ICMP message code is dependent on the associated ICMP message type. Note: For Junos OS Evolved, you must configure the protocol match statement in the same term. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): echo-reply (0), echo-request (8), info-reply (16), info-request (15), mask-request (17), mask-reply (18), parameter-problem (12), redirect (5), router-advertisement (9), router-solicit (10), source-quench (4), time-exceeded (11), timestamp (13), timestamp-reply (14), or unreachable (3). | |
icmp-type-except message-type | Do not match the ICMP message type field. For details, see the icmp-type match condition. | |
interface interface-name | Match the interface on which the packet was received. Note: If you configure this match condition with an interface that does not exist, the term does not match any packet. | |
interface-group group-number | Match the logical interface on which the packet was received to the specified interface group or set of interface groups. For group-number, specify a single value or a range of values from 0 through 255. To assign a logical interface to an interface group group-number, specify the group-number at the [interfaces interface-name unit number family family filter group] hierarchy level. Note: This match condition is not supported on PTX series routers. For more information, see Filtering Packets Received on a Set of Interface Groups Overview. | |
interface-group-except group-number | Do not match the logical interface on which the packet was received to the specified interface group or set of interface groups. For details, see the interface-group match condition. Note: This match condition is not supported on PTX series routers. | |
interface-set interface-set-name | Match the interface on which the packet was received to the specified interface set. To define an interface set, include the interface-set statement at the [edit firewall] hierarchy level. Note: This match condition is not supported on PTX series routers. For more information, see Filtering Packets Received on an Interface Set Overview. | |
ip-options values | Match the 8-bit IP option field, if present, to the specified value or list of values. In place of a numeric value, you can specify one of the following text synonyms (the option values are also listed): loose-source-route (131), record-route (7), router-alert (148), security (130), stream-id (136),strict-source-route (137), or timestamp (68). To match any value for the IP option, use the text synonym any. To match on multiple values, specify the list of values within square brackets ('[’ and ']’). To match a range of values, use the value specification [ value1-value2 ]. For example, the match condition ip-options [ 0-147 ] matches on an IP options field that contains the loose-source-route, record-route, or security values, or any other value from 0 through 147. However, this match condition does not match on an IP options field that contains only the router-alert value (148). For most interfaces, a filter term that specifies an ip-option match on one or more specific IP option values (a value other than any) causes packets to be sent to the Routing Engine so that the kernel can parse the IP option field in the packet header.
The 10-Gigabit Ethernet Modular Port Concentrator (MPC), 100-Gigabit Ethernet MPC, 60-Gigabit Ethernet MPC, 60-Gigabit Queuing Ethernet MPC, and 60-Gigabit Ethernet Enhanced Queuing MPC on MX Series routers are capable of parsing the IP option field of the IPv4 packet header. For interfaces configured on those MPCs, all packets that are matched using the ip-options match condition are sent to the Packet Forwarding Engine for processing. Note: On M and T series routers, firewall filters cannot count ip-options packets on a per option type and per interface basis. A limited work around is to use the show pfe statistics ip options command to see ip-options statistics on a per PFE basis. See show pfe statistics ip for sample output. The ip-options any match condition is supported on PTX10003 and PTX10008 Series routers starting with Junos Evolved OS Release 20.2R1. | |
ip-options-except values | Do not match the IP option field to the specified value or list of values. For details about specifying the values, see the ip-options match condition. | |
is-fragment | Using this condition causes a match if the More Fragments flag is enabled in the IP header or if the fragment offset is not zero. Note: To match both first and trailing fragments, you can use two terms that specify different match conditions (first-fragment and is-fragment). | |
loss-priority level | Match the packet loss priority (PLP) level. Specify a single level or multiple levels: low, medium-low, medium-high, or high. Supported on M120 and M320 routers; M7i and M10i routers with the Enhanced CFEB (CFEB-E); and MX Series routers. For IP traffic on M320, MX Series, and T Series routers with Enhanced II Flexible PIC Concentrators (FPCs), you must include the tri-color statement at the [edit class-of-service] hierarchy level to commit a PLP configuration with any of the four levels specified. If the tri-color statement is not enabled, you can only configure the high and low levels. This applies to all protocol families. For information about the tri-color statement, see Configuring and Applying Tricolor Marking Policers. For information about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets, see Understanding How Behavior Aggregate Classifiers Prioritize Trusted Traffic. | |
loss-priority-except level | Do not match the PLP level. For details, see the loss-priority match condition. | |
packet-length bytes | Match the length of the received packet, in bytes. The length refers only to the IP packet, including the packet header, and does not include any Layer 2 encapsulation overhead. You can also specify a range of values to be matched. | |
packet-length-except bytes | Do not match the length of the received packet, in bytes. For details, see the packet-length match type. | |
port number | Match the UDP or TCP source or destination port field. If you configure this match condition, you cannot configure the destination-port match condition or the source-port match condition in the same term. If you configure this match condition, we recommend that you also configure the protocol udp or protocol tcp match statement in the same term to specify which protocol is being used on the port. Note: For Junos OS Evolved, you must configure the protocol match statement in the same term. In place of the numeric value, you can specify one of the text synonyms listed under destination-port. | |
port-except number | Do not match either the source or destination UDP or TCP port field. For details, see the port match condition. | |
precedence ip-precedence-value | Match the IP precedence field. In place of the numeric field value, you can specify one of the following text synonyms (the field values are also listed): critical-ecp (0xa0), flash (0x60), flash-override (0x80), immediate (0x40), internet-control (0xc0), net-control (0xe0), priority (0x20), or routine (0x00). You can specify precedence in hexadecimal, binary, or decimal form. | |
precedence-except ip-precedence-value | Do not match the IP precedence field. In place of the numeric field value, you can specify one of the following text synonyms (the field values are also listed): critical-ecp (0xa0), flash (0x60), flash-override (0x80), immediate (0x40), internet-control (0xc0), net-control (0xe0), priority (0x20), or routine (0x00). You can specify precedence in hexadecimal, binary, or decimal form. | |
prefix-list name [ except ] | Match the prefixes of the source or destination address fields to the prefixes in the specified list unless the except option is included. If the option is included, do not match the prefixes of the source or destination address fields to the prefixes in the specified list. The prefix list is defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level. Note: This match condition is not supported on PTX1000 routers. | |
protocol number | Match the IP protocol type field. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): ah (51), dstopts (60), egp (8), esp (50), fragment (44), gre (47), hop-by-hop (0), icmp (1), icmp6 (58), icmpv6 (58), igmp (2), ipip (4), ipv6 (41), ospf (89), pim (103), rsvp (46), sctp (132), tcp (6), udp (17), or vrrp (112). | |
protocol-except number | Do not match the IP protocol type field. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): ah (51), dstopts (60), egp (8), esp (50), fragment (44), gre (47), hop-by-hop (0), icmp (1), icmp6 (58), icmpv6 (58), igmp (2), ipip (4), ipv6 (41), ospf (89), pim (103), rsvp (46), sctp (132), tcp (6), udp (17), or vrrp (112). | |
rat-type tech-type-value | Match the radio-access technology (RAT) type specified in the 8-bit Tech-Type field of Proxy Mobile IPv4 (PMIPv4) access technology type extension. The technology type specifies the access technology through which the mobile device is connected to the access network. Specify a single value, a range of values, or a set of values. You can specify a technology type as a numeric value from 0 through 255 or as a system keyword.
| |
rat-type-except tech-type-value | Do not match the RAT Type. | |
service-filter-hit | Match a packet received from a filter where a service-filter-hit action was applied. Note: This match condition is not supported on PTX series routers. | |
source-address address [ except ] | Match the IPv4 address of the source node sending the packet unless the except option is included. If the option is included, do not match the IPv4 address of the source node sending the packet. You cannot specify both the address and source-address match conditions in the same term. | |
source-class class-names | Match one or more specified source class names (sets of source prefixes grouped together and given a class name). For more information, see Firewall Filter Match Conditions Based on Address Classes. | |
source-class-except class-names | Do not match one or more specified source class names. For details, see the source-class match condition. | |
source-port number | Match the UDP or TCP source port field. You cannot specify the port and source-port match conditions in the same term. If you configure this match condition for IPv4 traffic, we recommend that you also configure the protocol udp or protocol tcp match statement in the same term to specify which protocol is being used on the port. Note: For Junos OS Evolved, you must configure the protocol match statement in the same term. In place of the numeric value, you can specify one of the text synonyms listed with the destination-port number match condition. | |
source-port-except number | Do not match the UDP or TCP source port field. For details, see the source-port match condition. | |
source-prefix-list name [ except ] | Match source prefixes in the specified list unless the except option is included. If the option is included, do not match the source prefixes in the specified list. Specify the name of a prefix list defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level. | |
tcp-established | Match TCP packets of an established TCP session (packets other than the first packet of a connection). This is an alias for tcp-flags "(ack | rst)". This match condition does not implicitly check that the protocol is TCP. To check this, specify the protocol tcp match condition. | |
tcp-flags value | Match one or more of the low-order 6 bits in the 8-bit TCP flags field in the TCP header. To specify individual bit fields, you can specify the following text synonyms or hexadecimal values:
In a TCP session, the SYN flag is set only in the initial packet sent, while the ACK flag is set in all packets sent after the initial packet. You can string together multiple flags using the bit-field logical operators. For combined bit-field match conditions, see the tcp-established and tcp-initial match conditions. If you configure this match condition, we recommend that you also configure the protocol tcp match statement in the same term to specify that the TCP protocol is being used on the port. For IPv4 traffic only, this match condition does not implicitly check whether the datagram contains the first fragment of a fragmented packet. To check for this condition for IPv4 traffic only, use the first-fragment match condition. | |
tcp-initial | Match the initial packet of a TCP connection. This is an alias for tcp-flags "(!ack & syn)". This condition does not implicitly check that the protocol is TCP. If you configure this match condition, we recommend that you also configure the protocol tcp match condition in the same term. | |
ttl number | Match the IPv4 time-to-live number. Specify a TTL value or a range of TTL values. For number, you can specify one or more values from 0 through 255. This match condition is supported only on M120, M320, MX Series, and T Series routers. | |
ttl-except number | Do not match on the IPv4 TTL number. For details, see the ttl match condition. | |