Firewall Filter Match Conditions and Actions
Each term in a firewall filter consists of match conditions and an action. Match conditions are the fields and values that a packet must contain to be considered a match. You can define single or multiple match conditions in match statements. You can also include no match statement, in which case the term matches all packets.
Terms are evaluated in the order they appear, and the first term whose match conditions are all satisfied decides the packet's fate: the switch takes the action specified in that term's then statement and stops evaluating further terms. In addition, you can specify action modifiers to count, mirror, rate-limit, and classify packets. If a term has no then statement, the switch accepts packets that match it. A packet that matches no term at all is discarded by the implicit discard at the end of every filter, so a filter that is meant to permit traffic needs a final term that accepts it.
This topic describes the various match conditions, actions, and action modifiers that you can define in a firewall filter.
- Table 1 describes the match conditions you can specify when configuring a firewall filter. Some of the numeric range and bit-field match conditions allow you to specify a text synonym. To see a list of all the synonyms for a match condition, type ? at the appropriate place in a statement.
- Table 2 shows the actions that you can specify in a term.
- Table 3 shows the action modifiers you can use to count, mirror, rate-limit, and classify packets.
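The structure described above (a term with match conditions and an action, a term with no from statement that catches all remaining packets, and the then-statement modifiers) is easiest to see in a complete filter. The following is an added example written for this page, not configuration from the original documentation; the prefix-list name mgmt-hosts, the filter name protect-mgmt, the counter names, the addresses (documentation ranges), and the interface ge-0/0/0 are all assumed. The filter permits SSH to the switch only from a management prefix list, counts and logs SSH attempts from anywhere else, and ends with an explicit catch-all term so that the implicit discard never silently drops traffic you did not intend to block.

```junos
/* Added example: prefix list referenced by the filter below (assumed name) */
policy-options {
    prefix-list mgmt-hosts {
        192.0.2.0/24;
        198.51.100.10/32;
    }
}
firewall {
    family inet {
        filter protect-mgmt {
            /* Term 1: SSH from the management hosts only. protocol tcp is
               stated explicitly; the port match alone does not check the
               transport protocol. */
            term allow-mgmt-ssh {
                from {
                    source-prefix-list {
                        mgmt-hosts;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    count mgmt-ssh-accepted;
                    accept;
                }
            }
            /* Term 2: any other SSH attempt is counted, logged to the
               Routing Engine (show firewall log) and silently discarded. */
            term deny-other-ssh {
                from {
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    count ssh-denied;
                    log;
                    discard;
                }
            }
            /* Term 3: no from statement, so it matches every packet the
               earlier terms did not claim. Without it the implicit discard
               at the end of the filter would drop all remaining traffic. */
            term allow-everything-else {
                then {
                    count other-accepted;
                    accept;
                }
            }
        }
    }
}
/* Apply the filter in the ingress direction on a Layer 3 interface */
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input protect-mgmt;
                }
            }
        }
    }
}
```

After committing, `show firewall filter protect-mgmt` reports the three counters, and `show firewall log` shows the header information of the denied SSH packets; if the ssh-denied counter climbs while mgmt-ssh-accepted stays at zero during a legitimate login, the prefix list rather than the term order is the first thing to check.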
Table 1: Supported Match Conditions for Firewall Filters
Match Condition | Description | Direction and Interface |
|---|---|---|
destination-address | IP destination address field, which is the address of the final destination node. | Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces. Egress IPv4 (inet) interfaces, and IPv6 (inet6) interfaces. |
destination-mac-address mac-address | Destination media access control (MAC) address of the packet. | Ingress ports, VLANs and IPv4 (inet) interfaces. Egress ports and VLANs. |
destination-port value | TCP or UDP destination port field. Typically, you specify this match together with the protocol match condition, because the port match by itself does not identify whether the packet is TCP or UDP. For the following well-known ports you can specify text synonyms (the port numbers are also listed): afs (1483), bgp (179), biff (512), bootpc (68), bootps (67), cmd (514), cvspserver (2401), dhcp (67), domain (53), eklogin (2105), ekshell (2106), exec (512), finger (79), ftp (21), ftp-data (20), http (80), https (443), ident (113), imap (143), kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544), ldap (389), login (513), mobileip-agent (434), mobilip-mn (435), msdp (639), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123), pop3 (110), pptp (1723), printer (515), radacct (1813), radius (1812), rip (520), rkinit (2108), smtp (25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525), who (513), xdmcp (177), zephyr-clt (2103), zephyr-hm (2104) | Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces. Egress IPv4 (inet) interfaces. |
destination-prefix-list prefix-list | IP destination prefix list field. You can define a list of IP address prefixes under a prefix-list alias for frequent use. Define this list at the [edit policy-options] hierarchy level. | Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces. Egress IPv4 (inet) interfaces and IPv6 (inet6) interfaces. |
dot1q-tag number | 802.1Q VLAN ID field in the Ethernet frame. The tag values can be 1–4094. | Ingress ports and VLANs. Egress ports and VLANs (Number must be the VLAN ID of the VLAN you want to match). |
dot1q-user-priority number | 802.1Q priority field in the Ethernet frame (used for class-of-service priorities). Values can be 0–7. In place of the numeric value, you can specify a text synonym; type ? after the keyword in the CLI to list the synonyms and their field values. | Ingress ports and VLANs. Egress ports and VLANs. |
dscp value | Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most-significant 6 bits of this byte form the DSCP. You can specify DSCP in hexadecimal, binary, or decimal form. In place of the numeric value, you can specify the same text synonyms that are listed under traffic-class (af11 through af43, cs0 through cs7, and ef); type ? after the keyword in the CLI to list them with their field values. | Ingress ports, VLANs, and IPv4 (inet) interfaces. Egress IPv4 (inet) interfaces. |
ether-type value | Ethernet type field of a packet. The EtherType value specifies what protocol is being transported in the Ethernet frame. In place of the numeric value, you can specify a text synonym; type ? after the keyword in the CLI to list the synonyms and their field values. | Ingress ports and VLANs. Egress ports and VLANs. |
fragment-flags value | IP fragmentation flags. In place of the numeric value, you can specify a text synonym; type ? after the keyword in the CLI to list the synonyms and their hexadecimal values. | Ingress ports and VLANs. |
icmp-code value | ICMP code field. Because the meaning of the value depends upon the associated icmp-type, you must specify a value for icmp-type along with a value for icmp-code. In place of the numeric value, you can specify a text synonym; the keywords are grouped by the ICMP type with which they are associated, and typing ? after the keyword in the CLI lists them with their field values. | Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces. Egress IPv4 (inet) interfaces. |
icmp-type value | ICMP message type field. Typically, you specify this match in conjunction with the protocol icmp (IPv4) or next-header icmp6 (IPv6) match condition, because the icmp-type match by itself does not verify that the packet is ICMP. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): IPv4: echo-reply (0), unreachable (3), source-quench (4), redirect (5), echo-request (8), router-advertisement (9), router-solicit (10), time-exceeded (11), parameter-problem (12), timestamp (13), timestamp-reply (14), info-request (15), info-reply (16), mask-request (17), mask-reply (18). IPv6: destination-unreachable (1), packet-too-big (2), time-exceeded (3), parameter-problem (4), echo-request (128), echo-reply (129), membership-query (130), membership-report (131), membership-termination (132), router-solicit (133), router-advertisement (134), neighbor-solicit (135), neighbor-advertisement (136), redirect (137), router-renumbering (138), node-information-request (139), node-information-reply (140). See also the icmp-code match condition. | Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces. Egress IPv4 (inet) interfaces. |
interface interface-name | Interface on which the packet is received, including the logical unit. You can include the wildcard character (*) as part of an interface name or logical unit. Note: An interface from which a packet is sent cannot be used as a match condition. | Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces. Egress IPv4 (inet) interfaces and IPv6 (inet6) interfaces. |
ip-options | Specify any to create a match if anything is specified in the options field in the IP header. | Ingress ports, VLANs, and IPv4 (inet) interfaces. Egress IPv4 (inet) interfaces. |
is-fragment | Using this condition causes a match if the More Fragments flag is enabled in the IP header or if the fragment offset is not zero, that is, for every fragment of a fragmented datagram, including the first. Because non-initial fragments carry no TCP or UDP header, port-based terms cannot be relied on to classify them; place a term that handles fragments before any term that matches on ports. | Ingress ports, VLANs, and IPv4 (inet) interfaces. Egress IPv4 (inet) interfaces. |
l2-encap-type llc-non-snap | Match on logical link control (LLC) layer packets for non-Subnet Access Protocol (SNAP) Ethernet Encapsulation type. | Ingress ports and VLANs. Egress ports and VLANs. |
next-header | Next Header field of the IPv6 header, which identifies the header or protocol that immediately follows the base IPv6 header. If an extension header (for example hop-by-hop, routing, fragment, or dstopts) is present, this field names that extension header rather than the upper-layer protocol; use payload-protocol to match the upper-layer protocol in that case. In place of the numeric value, you can specify one of the following text synonyms (the numeric values are also listed): hop-by-hop (0), icmp (1), igmp (2), ipip (4), tcp (6), egp (8), udp (17), ipv6 (41), routing (43), fragment (44), rsvp (46), gre (47), esp (50), ah (51), icmp6 (58), no-next-header (59), dstopts (60), ospf (89), pim (103), vrrp (112), sctp (132) | Ingress ports, VLANs, and IPv6 (inet6) interfaces. Egress IPv6 (inet6) interfaces. |
packet-length | Packet length in bytes. You must enter a value between 0 and 65535. | Ingress ports, VLANs, IPv4 (inet), and IPv6 (inet6) interfaces. Egress IPv4 (inet) interfaces. |
payload-protocol | Upper-layer protocol carried in the IPv6 payload, that is, the protocol value that follows any IPv6 extension headers. In place of the numeric value, you can specify one of the following text synonyms (the numeric values are also listed): hop-by-hop (0), icmp (1), igmp (2), ipip (4), tcp (6), egp (8), udp (17), ipv6 (41), routing (43), fragment (44), rsvp (46), gre (47), esp (50), ah (51), icmp6 (58), no-next-header (59), dstopts (60), ospf (89), pim (103), vrrp (112), sctp (132) | Ingress ports, VLANs, and IPv6 (inet6) interfaces. Egress IPv6 (inet6) interfaces. |
precedence value | IP precedence bits in the type-of-service (ToS) byte in the IP header. (This byte can also be used for the DiffServ DSCP.) In place of the numeric value, you can specify a text synonym; type ? after the keyword in the CLI to list the synonyms and their numeric values. | Ingress ports, VLANs, and IPv4 (inet) interfaces. Egress IPv4 (inet) interfaces. |
protocol type | Protocol field of the IPv4 header. In place of the numeric value, you can specify one of the following text synonyms (the numeric values are also listed): hop-by-hop (0), icmp (1), igmp (2), ipip (4), tcp (6), egp (8), udp (17), ipv6 (41), routing (43), fragment (44), rsvp (46), gre (47), esp (50), ah (51), icmp6 (58), no-next-header (59), dstopts (60), ospf (89), pim (103), vrrp (112), sctp (132) | Ingress ports, VLANs, and IPv4 (inet) interfaces. Egress IPv4 (inet) interfaces. |
source-address | IP source address field, which is the address of the node that sent the packet. | Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces. Egress IPv4 (inet) interfaces. |
source-mac-address mac-address | Source media access control (MAC) address of the packet. | Ingress ports and VLANs. Egress ports and VLANs. |
source-port value | TCP or UDP source port. Typically, you specify this match in conjunction with the protocol match statement. In place of the numeric field, you can specify one of the text synonyms listed under destination-port. | Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces. Egress IPv4 (inet) interfaces. |
source-prefix-list prefix-list | IP source prefix list. You can define a list of IP address prefixes under a prefix-list alias for frequent use. Define this list at the [edit policy-options] hierarchy level. | Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces. Egress IPv4 (inet) interfaces. |
tcp-established | Match packets of an established TCP connection. This condition matches packets other than those used to set up a TCP connection; three-way handshake packets are not matched. It is a stateless check equivalent to tcp-flags "(ack | rst)": the switch keeps no session table, so any packet with the ACK or RST bit set matches, whether or not a handshake ever took place. When you specify tcp-established, a switch does not implicitly verify that the protocol is TCP. You must also specify the protocol tcp match condition. | Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces. Egress IPv4 (inet) interfaces. |
tcp-flags value | One or more TCP flags, specified by keyword and optionally combined with logical operators; type ? after the keyword in the CLI to list the flag keywords. As with tcp-established and tcp-initial, the switch does not implicitly verify that the protocol is TCP, so also specify the protocol tcp match condition. | Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces. Egress IPv4 (inet) interfaces. |
tcp-initial | Match the first TCP packet of a connection. A match occurs when the TCP flag SYN is set and the TCP flag ACK is not set. When you specify tcp-initial, a switch does not implicitly verify that the protocol is TCP. You must also specify the protocol tcp match condition. | Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces. Egress IPv4 (inet) interfaces. |
traffic-class | 8-bit field that specifies the class-of-service (CoS) priority of the packet. The traffic-class field is used to specify a DiffServ code point (DSCP) value. This field was previously used as the type-of-service (ToS) field in IPv4, and, the semantics of this field (for example, DSCP) are identical to those of IPv4. You can specify one of the following text synonyms (the field values are also listed): af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs0 (0), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), ef (46) | Ingress ports, VLANs, and IPv6 (inet6) interfaces. Egress IPv6 (inet6) interfaces. |
ttl value | IP time-to-live (TTL) field in decimal. The value can be 1–255. | Ingress IPv4 (inet) interfaces. Egress IPv4 (inet) interfaces. |
vlan (vlan-name | vlan-id ) | VLAN names or ID. | Ingress ports and VLANs. Egress ports and VLANs. |
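Several of the conditions in Table 1 only behave safely in combination or in a particular order: tcp-established and tcp-initial need protocol tcp, icmp-type needs protocol icmp, and is-fragment should be evaluated before any port-based term because non-initial fragments carry no Layer 4 header. The following ingress filter for an Internet-facing Layer 3 interface is an added example written for this page, not configuration from the original documentation; the filter name inet-edge-in, the policer name icmp-limit, the server address 203.0.113.10, the counter names, and the rate-limit figures are assumed. It admits return traffic for sessions opened from inside (a stateless approximation, since only the ACK/RST bits are checked), admits new connections only to the web ports of one server, rate-limits ICMP echo, and counts and logs everything else before discarding it.

```junos
firewall {
    family inet {
        filter inet-edge-in {
            /* Fragments are handled first: a non-initial fragment has no
               TCP/UDP header, so it must never reach the port-based terms. */
            term drop-fragments {
                from {
                    is-fragment;
                }
                then {
                    count fragments-dropped;
                    discard;
                }
            }
            /* Return traffic for connections initiated from inside. This is
               stateless: any TCP packet with ACK or RST set matches, so it is
               not a substitute for a stateful firewall. protocol tcp is
               required; tcp-established does not imply it. */
            term established-return {
                from {
                    protocol tcp;
                    tcp-established;
                }
                then {
                    count established-accepted;
                    accept;
                }
            }
            /* New connections (SYN without ACK) are allowed only to the web
               ports of the published server (assumed address). */
            term allow-web-initial {
                from {
                    destination-address {
                        203.0.113.10/32;
                    }
                    protocol tcp;
                    destination-port [ http https ];
                    tcp-initial;
                }
                then {
                    count web-syn-accepted;
                    accept;
                }
            }
            /* ICMP echo is permitted but rate-limited through a policer;
               icmp-type is paired with protocol icmp as Table 1 requires. */
            term icmp-echo {
                from {
                    protocol icmp;
                    icmp-type echo-request;
                }
                then {
                    policer icmp-limit;
                    accept;
                }
            }
            /* No from statement: everything else is counted, logged to the
               Routing Engine and discarded. */
            term default-deny {
                then {
                    count default-denied;
                    log;
                    discard;
                }
            }
        }
    }
    /* Policer referenced above; figures are assumed for the example */
    policer icmp-limit {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
}
```

Note that an attacker who sets the ACK bit on a packet to an internal host will pass the established-return term; that is the inherent limit of a stateless match, and the reason the web server's ports, not the whole prefix, are the only destinations that accept tcp-initial packets.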
Use then statements to define actions that should occur if a packet matches all conditions in a from statement. Table 2 shows the actions that you can specify in a term. (If you do not include a then statement, the system accepts packets that match the filter.)
Table 2: Actions for Firewall Filters
Action | Description |
|---|---|
accept | Accept a packet. This is the default action for packets that match a term. |
discard | Discard a packet silently without sending an Internet Control Message Protocol (ICMP) message. |
reject message-type | Discard a packet and send a “destination unreachable” ICMPv4 message (type 3). To log rejected packets, configure the syslog action modifier. You can specify one of the following message types: administratively-prohibited (default), bad-host-tos, bad-network-tos, host-prohibited, host-unknown, host-unreachable, network-prohibited, network-unknown, network-unreachable, port-unreachable, precedence-cutoff, precedence-violation, protocol-unreachable, source-host-isolated, source-route-failed, or tcp-reset. If you specify tcp-reset, the system sends a TCP reset if the packet is a TCP packet; otherwise nothing is sent. If you do not specify a message type, the ICMP notification “destination unreachable” is sent with the default message “communication administratively filtered.” Note: The reject action is supported on ingress interfaces only. |
routing-instance instance-name | Forward matched packets to a virtual routing instance. |
vlan VLAN-name | Forward matched packets to a specific VLAN. Note: The vlan action is supported on ingress interfaces only. |
You can also specify the action modifiers listed in Table 3 to count, mirror, rate-limit, and classify packets.
Table 3: Action Modifiers for Firewall Filters
Action Modifier | Description |
|---|---|
analyzer analyzer-name | Mirror traffic (copy packets) to an analyzer configured at the [edit ethernet-switching-options analyzer] hierarchy level. You can specify port mirroring for ingress port, VLAN, and IPv4 (inet) firewall filters only. |
count counter-name | Count the number of packets that match the term. |
forwarding-class class | Classify the packet into one of the configured forwarding classes (by default best-effort, assured-forwarding, expedited-forwarding, and network-control); type ? after the keyword in the CLI to list the classes configured on the switch. Note: The forwarding-class action modifier is supported on ingress interfaces only. |
log | Log the packet's header information in the Routing Engine. To view this information, enter the show firewall log operational mode command. Note: The log action modifier is supported on ingress interfaces only. |
loss-priority (low | medium-low | medium-high | high) | Set the packet loss priority (PLP). Note: The loss-priority action modifier is supported on ingress interfaces only. Note: The loss-priority action modifier is not supported in combination with the policer action. |
policer policer-name | Send packets to a policer (for the purpose of applying rate limiting). You can specify a policer for ingress port, VLAN, and IPv4 (inet) firewall filters only. Note: The policer action modifier is not supported in combination with the loss-priority action. |
syslog | Log an alert for this packet. Note: The syslog action modifier is supported on ingress interfaces only. |
three-color-policer three-color-policer-name | Send packets to a three-color policer (for the purpose of applying rate limiting). You can specify a three-color policer for ingress and egress port, VLAN, and IPv4 (inet) firewall filters. Note: The three-color-policer action modifier is not supported in combination with the loss-priority action. |
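The action modifiers in Table 3 are most useful on port (family ethernet-switching) filters, where the switch can act on access-port traffic before it is bridged. The following is an added example written for this page, not configuration from the original documentation; the filter name access-port-protect, the analyzer name capture-telnet, the counter names, and the interfaces ge-0/0/10 and ge-0/0/47 are assumed. It drops and syslogs DHCP server replies arriving from an access port (a rogue DHCP server), mirrors cleartext Telnet to an analyzer port for inspection using the analyzer action modifier, and accepts everything else with a counter so the filter's effect stays visible.

```junos
/* Analyzer output port referenced by the filter; configured at the
   [edit ethernet-switching-options analyzer] hierarchy the page names.
   Only the output is defined here because the input comes from the
   firewall filter's analyzer action modifier. */
ethernet-switching-options {
    analyzer capture-telnet {
        output {
            interface {
                ge-0/0/47.0;
            }
        }
    }
}
firewall {
    family ethernet-switching {
        filter access-port-protect {
            /* A DHCP server reply is UDP with source port bootps (67).
               Seen arriving from an access port, it is a rogue server:
               count it, raise a syslog alert and drop it. */
            term block-rogue-dhcp-server {
                from {
                    protocol udp;
                    source-port bootps;
                }
                then {
                    count rogue-dhcp-server;
                    syslog;
                    discard;
                }
            }
            /* Telnet carries credentials in cleartext; copy it to the
               analyzer for the SOC while still forwarding it. */
            term mirror-telnet {
                from {
                    protocol tcp;
                    destination-port telnet;
                }
                then {
                    count telnet-mirrored;
                    analyzer capture-telnet;
                    accept;
                }
            }
            /* Catch-all term with no from statement, so the implicit
               discard at the end of the filter never applies here. */
            term allow-rest {
                then {
                    count other-accepted;
                    accept;
                }
            }
        }
    }
}
/* Apply in the ingress direction on the access port */
interfaces {
    ge-0/0/10 {
        unit 0 {
            family ethernet-switching {
                filter {
                    input access-port-protect;
                }
            }
        }
    }
}
```

Apply this kind of filter only to access ports: on the uplink toward the legitimate DHCP server the first term would discard every valid DHCP offer and acknowledgement.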