Configuring Firewall Filters
You can configure firewall filters in a switch to control traffic that enters or exits Layer 3 (routed) interfaces. To use a firewall filter, you must configure the filter and then apply it to a Layer 3 interface.
Configuring a Firewall Filter
To configure a firewall filter:
- Configure the family address type, filter name, term name, and at least one match
condition—for example, match on packets that contain a specific source address:
Specify the family address type inet for IPv4 or inet6 for IPv6.
The filter and term names can contain letters, numbers, and hyphens (-) and can be up to 64 characters long. Each filter name must be unique. A filter can contain one or more terms, and each term name must be unique within a filter.
- Configure additional match conditions. For example, match on packets that contain
a specific source port:
[edit firewall family inet filter ingress-port-filter term t1 from]
user@switch# set source-port 80You can specify one or more match conditions in a single from statement. For a match to occur, the packet must match all the conditions in the term. The from statement is optional, but if included in a term, it cannot be empty. If you omit the from statement, all packets are considered to match.
- If you want to apply a firewall filter to multiple interfaces and be able to see
counters specific to each interface, configure the interface-specific option:
[edit firewall family inet filter ingress-port-filter]
user@switch# set interface-specific - In each firewall filter term, specify the actions to take if the packet matches
all the conditions in that term. You can specify an action and action modifiers:
To specify a filter action, for example, to discard packets that match the conditions of the filter term:
[edit firewall family inet filter ingress-port-filter term t1 then]
user@switch# set discardYou can specify no more than one action (accept, discard, reject, routing-instance, or vlan) per term.
To specify action modifiers, for example, to count and classify packets to a forwarding class. For example:
[edit firewall family inet filter ingress-port-filter term t1 then]
user@switch# set count counter-one
user@switch# set loss-priority high
If you omit the then statement or do not specify an action, packets that match all the conditions in the from statement are accepted. However, you should always explicitly configure an action in the then statement. You can include no more than one action statement, but you can use any combination of action modifiers. For an action or action modifier to take effect, all conditions in the from statement must match.
Note Implicit discard is also applicable to a firewall filter applied to the loopback interface, lo0.
For the complete list of match conditions, actions, and action modifiers, see Firewall Filter Match Conditions and Actions (QFX5100, QFX5110, QFX5120, QFX5200, EX4600, EX4650). Note that on the OCX1100 switch you can use only those match conditions that are valid for IPv4 and IPv6 interfaces.
Applying a Firewall Filter to a Layer 3 (Routed) Interface
To apply a firewall filter to a Layer 3 interface:
- Provide a meaningful description of the firewall filter in the configuration of
the interface to which the filter will be applied:
[edit]
user@switch# set interfaces xe-0/0/1 description "filter to count and monitor traffic on layer 3 interface" - You can apply firewall filters to filter packets that enter or exit a Layer 3
interface:
To apply a firewall filter to filter packets that enter a Layer 3 interface:
[edit]
user@switch# set interfaces xe-0/0/1 unit 0 family inet filter input ingress-router-filterTo apply a firewall filter to filter packets that exit a Layer 3 interface:
[edit]
user@switch# set interfaces xe-0/0/2 unit 0 family inet filter output egress-router-filter
Note You can apply only one filter to an interface for a given direction (ingress or egress).