
    Configuring Stateful Firewall Rules for JSF

    To configure a stateful firewall rule, include the rule rule-name statement at the [edit services stateful-firewall] hierarchy level:

    [edit services stateful-firewall]
    rule rule-name {
        match-direction (input | output | input-output);
        term term-name {
            from {
                application-sets set-name;
                applications [ application-names ];
                destination-address address <except>;
                destination-address-range low minimum-value high maximum-value <except>;
                destination-prefix-list list-name <except>;
                source-address address <except>;
                source-address-range low minimum-value high maximum-value <except>;
                source-prefix-list list-name <except>;
            }
            then {
                (accept | discard | reject);
                allow-ip-options [ values ];
                syslog;
            }
        }
    }

    Each stateful firewall rule consists of a set of terms, similar to a filter configured at the [edit firewall] hierarchy level. A term consists of the following:

    • from statement—Specifies the match conditions and applications that are included and excluded. The from statement is optional in stateful firewall rules.
    • then statement—Specifies the actions and action modifiers to be performed by the router software. The then statement is mandatory in stateful firewall rules.

    The following sections explain how to configure the components of stateful firewall rules:

    Configuring Match Direction for Stateful Firewall Rules

    Each rule must include a match-direction statement that specifies the direction in which the rule match is applied. To configure where the match is applied, include the match-direction statement at the [edit services stateful-firewall rule rule-name] hierarchy level:

    [edit services stateful-firewall rule rule-name]
    match-direction (input | output | input-output);

    If you configure match-direction input-output, sessions initiated from both directions might match this rule.

    The match direction is used with respect to the traffic flow through the AS or Multiservices PIC. When a packet is sent to the PIC, direction information is carried along with it.

    With an interface service set, packet direction is determined by whether a packet is entering or leaving the interface on which the service set is applied.

    With a next-hop service set, packet direction is determined by the interface used to route the packet to the AS or Multiservices PIC. If the inside interface is used to route the packet, the packet direction is input. If the outside interface is used to direct the packet to the PIC, the packet direction is output.

    On the PIC, a flow lookup is performed. If no flow is found, rule processing is performed. Rules in this service set are considered in sequence until a match is found. During rule processing, the packet direction is compared against rule directions. Only rules with direction information that matches the packet direction are considered. Most packets result in the creation of bidirectional flows.

    Configuring Match Conditions in Stateful Firewall Rules

    To configure stateful firewall match conditions, include the from statement at the [edit services stateful-firewall rule rule-name term term-name] hierarchy level:

    [edit services stateful-firewall rule rule-name term term-name]
    from {
        application-sets set-name;
        applications [ application-names ];
        destination-address address <except>;
        destination-address-range low minimum-value high maximum-value <except>;
        destination-prefix-list list-name <except>;
        source-address address <except>;
        source-address-range low minimum-value high maximum-value <except>;
        source-prefix-list list-name <except>;
    }

    The source address and destination address can be either IPv4 or IPv6. You can use either the source address or the destination address as a match condition, in the same way that you would configure a firewall filter; for more information, see the Junos OS Policy Framework Configuration Guide. You can use the wildcard value any-unicast, which matches all unicast addresses.

    Alternatively, you can specify a list of source or destination prefixes by configuring the prefix-list statement at the [edit policy-options] hierarchy level and then including either the destination-prefix-list or the source-prefix-list statement in the stateful firewall rule. For an example, see Examples: Configuring Stateful Firewall Rules for JSF.

    If you omit the from statement, the stateful firewall accepts all traffic and the default protocol handlers take effect:

    • User Datagram Protocol (UDP), Transmission Control Protocol (TCP), and Internet Control Message Protocol (ICMP) create a bidirectional flow with a predicted reverse flow.

    You can also include application protocol definitions you have configured at the [edit applications] hierarchy level.

    • To apply one or more specific application protocol definitions, include the applications statement at the [edit services stateful-firewall rule rule-name term term-name from] hierarchy level.
    • To apply one or more sets of application protocol definitions you have defined, include the application-sets statement at the [edit services stateful-firewall rule rule-name term term-name from] hierarchy level.

      Note: If you include one of the statements that specifies application protocols, the router derives port and protocol information from the corresponding configuration at the [edit applications] hierarchy level; you cannot specify these properties as match conditions.

    Configuring Actions in Stateful Firewall Rules

    To configure stateful firewall actions, include the then statement at the [edit services stateful-firewall rule rule-name term term-name] hierarchy level:

    [edit services stateful-firewall rule rule-name term term-name]
    then {
        (accept | discard | reject);
        syslog;
    }

    You must include one of the following three possible actions:

    • accept—The packet is accepted and sent on to its destination.
    • discard—The packet is not accepted and is not processed further.
    • reject—The packet is not accepted and a rejection message is returned: for UDP an ICMP unreachable message is sent, and for TCP a RST segment is sent. Rejected packets can be logged or sampled.

    You can optionally configure the firewall to record information in the system logging facility by including the syslog statement at the [edit services stateful-firewall rule rule-name term term-name then] hierarchy level. This statement overrides any syslog setting included in the service set or interface default configuration.
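    The following configuration puts the three components described above (match direction, match conditions, and actions) together in one rule and attaches it to an interface service set. It is an added, constructed example and is not taken from this guide or from a Juniper-supplied configuration; the names trusted-servers, ssh-mgmt, mgmt-apps, sfw-inside-out and ss-inside, the address 192.0.2.0/24 and the interface sp-1/0/0 are placeholders. The prefix list and application definitions live at the [edit policy-options] and [edit applications] hierarchy levels, as the text requires, so the stateful firewall term refers to them by name rather than carrying its own port and protocol match conditions.

```junos
/* Constructed example; all names and addresses are placeholders. */
policy-options {
    /* Referenced from the rule with source-prefix-list. */
    prefix-list trusted-servers {
        192.0.2.0/24;
    }
}
applications {
    /* Port and protocol are derived from here, not stated in the rule. */
    application ssh-mgmt {
        protocol tcp;
        destination-port 22;
    }
    application-set mgmt-apps {
        application ssh-mgmt;
    }
}
services {
    stateful-firewall {
        rule sfw-inside-out {
            /* Only packets arriving in the input direction are evaluated. */
            match-direction input;
            /* First term: SSH from the trusted prefixes is accepted. */
            term allow-mgmt {
                from {
                    source-prefix-list trusted-servers;
                    application-sets mgmt-apps;
                }
                then {
                    accept;
                }
            }
            /* Second term has no from statement, so it matches all remaining
               input-direction traffic, rejects it and logs the rejection. */
            term reject-rest {
                then {
                    reject;
                    syslog;
                }
            }
        }
    }
    /* Interface service set applying the rule (service-set names assumed). */
    service-set ss-inside {
        stateful-firewall-rules sfw-inside-out;
        interface-service {
            service-interface sp-1/0/0;
        }
    }
}
```

    Terms are evaluated in sequence and the first match wins, so the catch-all reject term must come last. Because an accepted TCP session creates a bidirectional flow with a predicted reverse flow, the return packets of sessions admitted by allow-mgmt are matched by the flow lookup and never reach rule processing; no separate output-direction rule is needed for them. The syslog action in reject-rest is the per-term override of whatever syslog setting the service set or interface default carries.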

    Published: 2012-07-02