Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Firewall Filter Match Conditions and Actions (QFX10000 Switches)

 

Each term in a firewall filter consists of match conditions and an action. Match conditions are the fields and values that a packet must contain to be considered a match. You can define single or multiple match conditions in match statements. You can also include no match statement, in which case the term matches all packets.

When a packet matches a filter, the switch takes the action specified in the term. In addition, you can specify action modifiers to count, mirror, rate-limit, and classify packets. If no match conditions are specified for the term, the switch accepts the packet by default.

This topic describes the various match conditions, actions, and action modifiers that you can define in firewall filters on QFX10000 switches. For similar information about other QFX switches, see Firewall Filter Match Conditions and Actions (QFX and EX Series Switches).

  • Table 1 describes the match conditions you can specify when configuring a firewall filter. Some of the numeric range and bit-field match conditions allow you to specify a text synonym. To see a list of all the synonyms for a match condition, type ? at the appropriate place in a statement.

  • Table 2 shows the actions that you can specify in a term.

  • Table 3 shows the action modifiers you can use to count, mirror, rate-limit, and classify packets.

Table 1: Supported Match Conditions (QFX10000 Switches)

Match Condition

Description

Direction and Interface

destination-address

ip-address

IP destination address field, which is the address of the final destination node.

Ingress IPv4 (inet) interfaces and IPv6 (inet6) interfaces.

Egress IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

Ingress IRB interface for EVPN/VXLAN fabric, where applicable

destination-mac-address mac-address

Destination media access control (MAC) address of the packet.

Ingress ports and VLANs.

Egress ports and VLANs.

destination-port value

TCP or UDP destination port field. Typically, you specify this match in conjunction with the protocol match statement. For the following well-known ports you can specify text synonyms (the port numbers are also listed):

afs (1483), bgp (179), biff (512), bootpc (68), bootps (67),

cmd (514), cvspserver (2401),

dhcp (67), domain (53),

eklogin (2105), ekshell (2106), exec (512),

finger (79), ftp (21), ftp-data (20),

http (80), https (443),

ident (113), imap (143),

kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544),

ldap (389), login (513),

mobileip-agent (434), mobilip-mn (435), msdp (639),

netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123),

pop3 (110), pptp (1723), printer (515),

radacct (1813),radius (1812), rip (520), rkinit (2108),

smtp (25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514),

tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525),

who (513),

xdmcp (177),

zephyr-clt (2103), zephyr-hm (2104)

Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

Egress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

ingress IRB interface for EVPN/VXLAN fabric, where applicable

destination-prefix-list prefix-list

IP destination prefix list field. You can define a list of IP address prefixes under a prefix-list alias for frequent use. Define this list at the [edit policy-options] hierarchy level.

Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

Egress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

dscp value

Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most-significant 6 bits of this byte form the DSCP.

You can specify DSCP in hexadecimal, binary, or decimal form.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):

  • be—best effort (default)

  • ef (46)—as defined in RFC 3246, An Expedited Forwarding PHB.

  • af11 (10), af12 (12), af13 (14);

    af21 (18), af22 (20), af23 (22);

    af31 (26), af32 (28), af33 (30);

    af41 (34), af42 (36), af43 (38)

    These four classes, with three drop precedences in each class, for a total of 12 code points, are defined in RFC 2597, Assured Forwarding PHB.

  • cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, cs5

Ingress ports, VLANs, and IPv4 (inet) interfaces.

Egress ports, VLANs, and IPv4 (inet) interfaces.

ether-type value

Ethernet type field of a packet. The EtherType value specifies what protocol is being transported in the Ethernet frame. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):

  • aarp (0x80F3)—EtherType value AARP

  • appletalk (0x809B)—EtherType value AppleTalk

  • arp (0x0806)—EtherType value ARP

  • fcoe (0x8906)—EtherType value FCoE

  • fip (0x8914)—EtherType value FIP

  • ipv4 (0x0800)—EtherType value IPv4

  • ipv6 (0x08DD)—EtherType value IPv6

  • mpls-multicast (0x8848)—EtherType value MPLS multicast

  • mpls-unicast (0x8847)—EtherType value MPLS unicast

  • oam (0x88A8)—EtherType value OAM

  • ppp (0x880B)—EtherType value PPP

  • pppoe-discovery (0x8863)—EtherType value PPPoE Discovery Stage

  • pppoe-session (0x8864)—EtherType value PPPoE Session Stage

  • sna (0x80D5)—EtherType value SNA

Ingress ports and VLANs.

Egress ports and VLANs.

forwarding-class class

Classify the packet in one of the following default forwarding classes, or in a user-defined forwarding class:

  • best-effort

  • fcoe

  • network-control

  • no-loss

Egress IPv4 (inet) and IPv6 (inet6) interfaces.

fragment-flags value

IP fragmentation flags. In place of the numeric value, you can specify one of the following text synonyms (the hexadecimal values are also listed):

  • is-fragment

  • dont-fragment (0x4000)

  • more-fragments (0x2000)

  • reserved (0x8000)

Ingress ports, VLANs, and IPv4 (inet) interfaces.

hop-limit value

Match the specified hop limit or set of hop limits. Specify a single value or a range of values from 0 through 255.

Ingress and egress IPv6 (inet6) interfaces.

icmp-code value

ICMP code field. Because the meaning of the value depends upon the associated icmp-type, you must specify a value for icmp-type along with a value for icmp-code. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed). The keywords are grouped by the ICMP type with which they are associated:

  • IPv4: parameter-problem—ip-header-bad (0), required-option-missing (1)

  • IPv6: parameter-problem—ip6-header-bad (0), unrecognized-next-header (1), unrecognized-option (2)

  • redirectredirect-for-network (0), redirect-for-host (1), redirect-for-tos-and-net (2), redirect-for-tos-and-host (3)

  • time-exceededttl-eq-zero-

    during-reassembly (1)
    , ttl-eq-zero-during-transit (0)

  • IPv4: unreachable—network-unreachable (0), host-unreachable (1), protocol-unreachable (2), port-unreachable (3), fragmentation-needed (4), source-route-failed (5), destination-network-unknown (6), destination-host-unknown (7), source-host-isolated (8), destination-network-prohibited (9), destination-host-prohibited (10), network-unreachable-for-TOS (11), host-unreachable-for-TOS (12), communication-prohibited-by-filtering (13), host-precedence-violation (14), precedence-cutoff-in-effect (15)

  • IPv6: unreachable—address-unreachable (3), administratively-prohibited (1), no-route-to-destination (0), port-unreachable (4)

Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

Egress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces

icmp-type value

ICMP message type field. Typically, you specify this match in conjunction with the protocol match statement to determine which protocol is being used on the port. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):

IPv4: echo-reply (0), destination unreachable (3), source-quench (4), redirect (5), echo-request (8), IPv4 (inet)-advertisement (9), IPv4 (inet)-solicit (10), time-exceeded (11), parameter-problem (12), timestamp (13), timestamp-reply (14), info-request (15), info-reply (16), mask-request (17), mask-reply (18)

IPv6: destination-unreachable (1), packet-too-big (2), time-exceeded (3), parameter-problem (4), echo-request (128), echo-reply (129), membership-query (130), membership-report (131), membership-termination (132), router-solicit (133), router-advertisement (134), neighbor-solicit (135), neighbor-advertisement (136), redirect (137), router-renumbering (138), node-information-request (139), node-information-reply (140)

See also icmp-code variable.

Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

Egress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

interface interface-name

Interface on which the packet is received, including the logical unit. You can include the wildcard character (*) as part of an interface name or logical unit.

Note: An interface from which a packet is sent cannot be used as a match condition.

Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

Egress IPv4 (inet) interfaces and IPv6 (inet6) interfaces.

ip-destination-address address

IPv4 address that is the final destination node address for the packet.

Ingress ports, egress ports, and VLANs.

Ingress IRB interface for EVPN/VXLAN fabric, where applicable

ip-options

Specify any to create a match if anything is specified in the options field in the IP header.

Ingress ports, VLANs, and IPv4 (inet) interfaces.

ip-precedence ip-precedence-field

IP precedence field. In place of the numeric field value, you can specify one of the following text synonyms (the field values are also listed): critical-ecp (0xa0), flash (0x60), flash-override (0x80), immediate (0x40), internet-control (0xc0), net-control (0xe0), priority (0x20), or routine (0x00).

Ingress ports and VLANs.

Egress ports and VLANs.

ip-protocol number

IP protocol field.

Ingress ports and VLANs.

Egress ports and VLANs.

Ingress IRB interface for EVPN/VXLAN fabric, where applicable

ip-source-address address

IPv4 address of the source node sending the packet.

Ingress ports and VLANs.

Egress ports and VLANs.

Ingress IRB interface for EVPN/VXLAN fabric, where applicable

ip-version address

IP version of the packet. Use this condition to match IPv4 or IPv6 header fields in traffic that arrives on a Layer 2 port or VLAN interface.

Ingress ports and VLANs.

Egress ports and VLANs.

is-fragment

Using this condition causes a match if the More Fragments flag is enabled in the IP header or if the fragment offset is not zero.

Ingress ports, VLANs, and IPv4 (inet) interfaces.

Egress IPv4 (inet) interfaces.

learn-1p-priority number

Matches the specified IEEE 802.1p VLAN priority bits in the range 0-7.

Ingress ports and VLANs.

Egress ports and VLANs.

learn-vlan-id number

Matches the ID of a normal VLAN or the ID of the outer (service) VLAN (for Q-in-Q VLANs). To use filter memory most efficiently and maximize the number of possible filters, use this condition in addition to user-id when you want to match on the inner (customer) VLAN ID. The acceptable values are 1-4095.

Ingress ports and VLANs.

Egress ports and VLANs.

Ingress IRB interface for EVPN/VXLAN fabric, where applicable

loss-priority (low | medium-low | medium-high | high)

Set the packet loss priority (PLP).

Note: The loss-priority action modifier is not supported in combination with the policer action.

Egress IPv4 (inet) and IPv6 (inet6) interfaces.

next-header value

IPv4 or IPv6 protocol value. In place of the numeric value, you can specify one of the following text synonyms (the numeric values are also listed):

hop-by-hop (0),icmp (1), icmp6 (58), igmp (2), ipip (4), tcp (6), egp (8), udp (17), ipv6 (41), routing (43), fragment (44),rsvp (46), gre (47), esp (50), ah (51), icmp6 (58), no-next-header (59), dstopts (60), ospf (89), pim (103), vrrp (112), sctp (132)

Ingress IPv6 (inet6) interfaces.

Egress IPv6 (inet6) interfaces.

packet-length number

Packet length in bytes. You must enter a number between 0 and 65535.

Ingress ports, VLANs, IPv4 (inet), and IPv6 (inet6) interfaces.

Egress IPv4 (inet) interfaces.

precedence value

IP precedence bits in the type-of-service (ToS) byte in the IP header. (This byte can also used for the DiffServ DSCP.) In place of the numeric value, you can specify one of the following text synonyms (the numeric values are also listed):

  • routine (0)

  • priority (1)

  • immediate (2)

  • flash (3)

  • flash-override (4)

  • critical-ecp (5)

  • internet-control (6)

  • net-control (7)

Ingress IPv4 (inet) interfaces.

Egress IPv4 (inet) interfaces.

protocol type

IPv4 or IPv6 protocol value. In place of the numeric value, you can specify one of the following text synonyms (the numeric values are also listed):

hop-by-hop (0),icmp (1), icmp6, igmp (2), ipip (4), tcp (6), egp (8), udp (17), ipv6 (41), routing (43), fragment (44),rsvp (46), gre (47), esp (50), ah (51), icmp6 (58), no-next-header (59), dstopts (60), ospf (89), pim (103), vrrp (112), sctp (132)

Ingress IPv4 (inet) interfaces.

Egress IPv4 (inet) interfaces.

source-address

ip-address

IP source address field, which is the address of the node that sent the packet.

Ingress IPv4 (inet) interfaces and IPv6 (inet6) interfaces.

Egress IPv4 (inet) interfaces and IPv6 (inet6) interfaces.

Ingress IRB interface for EVPN/VXLAN fabric, where applicable

source-mac-address mac-address

Source media access control (MAC) address of the packet.

Ingress ports and VLANs.

Egress ports and VLANs.

source-port value

TCP or UDP source port. Typically, you specify this match in conjunction with the protocol match statement. In place of the numeric field, you can specify one of the text synonyms listed under destination-port.

Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

Egress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

Ingress IRB interface for EVPN/VXLAN fabric, where applicable

source-prefix-list prefix-list

IP source prefix list. You can define a list of IP address prefixes under a prefix-list alias for frequent use. Define this list at the [edit policy-options] hierarchy level.

Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

Egress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

tcp-established

Match packets of an established TCP connection. This condition matches packets other than those used to set up a TCP connection—that is, three-way handshake packets are not matched.

When you specify tcp-established, a switch does not implicitly verify that the protocol is TCP. You must also specify the protocol tcp match condition.

Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

Egress IPv4 (inet) interfaces.

tcp-flags value

One or more TCP flags:

  • ack (0x10)

  • fin (0x01)

  • push (0x08)

  • rst (0x04)

  • syn (0x02)

  • urgent (0x20)

Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

Egress IPv4 (inet) interfaces.

tcp-initial

Match the first TCP packet of a connection. A match occurs when the TCP flag SYN is set and the TCP flag ACK is not set.

When you specify tcp-initial, a switch does not implicitly verify that the protocol is TCP. You must also specify the protocol tcp match condition.

Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces.

Egress IPv4 (inet) interfaces.

traffic-class value

8-bit field that specifies the class-of-service (CoS) priority of the packet. The traffic-class field is used to specify a DiffServ code point (DSCP) value. This field was previously used as the type-of-service (ToS) field in IPv4, and, the semantics of this field (for example, DSCP) are identical to those of IPv4.

You can specify one of the following text synonyms (the field values are also listed):

af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs0 (0), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), ef (46)

Ingress IPv6 (inet6) interfaces.

Egress IPv6 (inet6) interfaces.

ttl value

IP Time-to-live (TTL) field in decimal. The value can be 1-255.

Ingress IPv4 (inet) interfaces.

Egress IPv4 (inet) interfaces.

Ingress IRB interface for EVPN/VXLAN fabric, where applicable

user-vlan-id number

Matches the ID of the inner (customer) VLAN in a Q-in-Q VLAN. To use filter memory most efficiently and maximize the number of possible filters, use in combination with learn-vlan-id to match the outer (service) VLAN ID. The acceptable values are 1-4095.

Ingress ports and VLANs.

Egress ports and VLANs.

Use then statements to define actions that should occur if a packet matches all conditions in a from statement. Table 2 shows the actions that you can specify in a term. (If you do not include a then statement, the system accepts packets that match the filter.)

Table 2: Actions

Action

Description

accept

Accept a packet. This is the default action for packets that match a term.

discard

Discard a packet silently without sending an Internet Control Message Protocol (ICMP) message.

reject message-type

Discard a packet and send a “destination unreachable” ICMPv4 message (type 3). To log rejected packets, configure the syslog action modifier.

You can specify one of the following message types: administratively-prohibited (default), bad-host-tos, bad-network-tos, host-prohibited, host-unknown, host-unreachable, network-prohibited, network-unknown, network-unreachable, port-unreachable, precedence-cutoff, precedence-violation, protocol-unreachable, source-host-isolated, source-route-failed, or tcp-reset.

If you specify tcp-reset, the system sends a TCP reset if the packet is a TCP packet; otherwise nothing is sent.

If you do not specify a message type, the ICMP notification “destination unreachable” is sent with the default message “communication administratively filtered.”

Note: The reject action is supported on ingress interfaces only.

routing-instance instance-name

Forward matched packets to a virtual routing instance. (The only supported instance type is virtual-router.) Packets can be forwarded to the default instance.

vlan VLAN-name

Forward matched packets to a specific VLAN.

Note: The vlan action is supported on ingress interfaces only.

Note: This action is not supported on OCX series switches.

You can also specify the action modifiers listed in Table 3 to count, mirror, rate-limit, and classify packets.

Table 3: Action Modifiers

Action Modifier

Description

count counter-name

Count the number of packets that match the term.

forwarding-class class

Classify the packet in one of the following default forwarding classes, or in a user-defined forwarding class:

  • best-effort

  • fcoe

  • mcast

  • network-control

  • no-loss

Note: To configure a forwarding class, you must also configure loss priority.

log

Log the packet's header information in the Routing Engine. To view this information, enter the show firewall log operational mode command.

Note: The log action modifier is supported on ingress interfaces only.

loss-priority (low | medium-low | medium-high | high)

Set the packet loss priority (PLP).

Note: The loss-priority action modifier is supported on ingress interfaces only.

Note: The loss-priority action modifier is not supported in combination with the policer action.

policer policer-name

Send packets to a policer (for the purpose of applying rate limiting).

You can specify a policer for ingress and egress port, VLAN, IPv4 (inet), and IPv6 (inet6) firewall filters.

Note: The policer action modifier is not supported in combination with the loss-priority action.

port-mirror

(ELS platforms) Mirror traffic (copy packets) to an output interface configured in a port-mirroring instance at the [edit forwarding-options port-mirroring] hierarchy level.

You can specify port mirroring for ingress and egress port, VLAN, IPv4 (inet), and IPv6 (inet6) firewall filters.

port-mirror-instance port-mirror-instance-name

(ELS platforms) Mirror traffic to a port-mirroring instance configured at the [edit forwarding-options port-mirroring] hierarchy level.

You can specify port mirroring for ingress and egress port, VLAN, IPv4 (inet), and IPv6 (inet6) firewall filters.

Note:

syslog

Log an alert for this packet.

Note: The syslog action modifier is supported on ingress interfaces only.

three-color-policer three-color-policer-name

Send packets to a three-color policer (for the purpose of applying rate limiting).

You can specify a three-color policer for ingress and egress port, VLAN, IPv4 (inet), and IPv6 (inet6) filters.

Note: The policer action modifier is not supported in combination with the loss-priority action.