When applying a firewall filter, you can define an interface to be part of an interface group. Packets received on that interface are tagged as being part of the group. You can then match these packets using the interface-group match statement, as described in Table 29.
To define an interface to be part of an interface group, include the group statement at the [edit interfaces interface-name unit logical-unit-number family family-name filter] hierarchy level:
```
[edit interfaces interface-name unit logical-unit-number family filter]
group group-number;
input filter-name;
output filter-name;
```
In the group statement, specify the interface group number to be associated with the filter.
In the input statement, list the name of one firewall filter to be evaluated when packets are received on the interface.
In the output statement, list the name of one firewall filter to be evaluated when packets are transmitted on the interface.
Create a filter that contains an interface group:
```
[edit firewall]
family inet {
    filter if-group {
        term group1 {
            from {
                interface-group 1;
                address {
                    192.168.80.114/32;
                }
                protocol tcp;
                port finger;
            }
            then {
                count if-group-counter1;
                log;
                reject;
            }
        }
        term group-2 {
            then {
                count if-group-counter2;
                log;
                accept;
            }
        }
    }
}
```
Assign one or more interfaces to the interface group referenced in the filter:
```
[edit interfaces]
fxp0 {
    unit 0 {
        family inet {
            filter {
                group 1;
            }
            address 192.168.5.38/24;
        }
    }
}
```
Apply the filter that contains an interface group:
```
[edit interfaces]
lo0 {
    unit 0 {
        family inet {
            filter {
                input if-group;
                group 1;
            }
            address 10.0.0.1/32;
            address 192.168.77.1/32;
        }
    }
}
```
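The following Python model of the if-group filter above is an added illustration, not Junos code or output: it tags packets with the group of their ingress interface and evaluates the two terms in order, so you can see which packets term group1 rejects and which fall through to term group-2. It assumes the interface-to-group map from the examples above (fxp0 and lo0 in group 1), a constructed interface name ge-0/0/0 for an ungrouped interface, and that the finger port alias resolves to TCP/79.

```python
import ipaddress
from dataclasses import dataclass

FINGER = 79  # port alias "finger" in the filter resolves to 79

# Interface -> group number, taken from the [edit interfaces] examples above.
# ge-0/0/0 is a constructed name for an interface that is in no group.
INTERFACE_GROUPS = {"fxp0": 1, "lo0": 1}

@dataclass
class Packet:
    ingress: str   # interface the packet was received on (drives the group tag)
    src: str
    dst: str
    protocol: str  # "tcp", "udp", ...
    sport: int
    dport: int

def term_group1_matches(pkt, group_of):
    """Mirror of term group1: every from-condition must hold.
    In Junos, 'address' and 'port' match either the source or destination side."""
    net = ipaddress.ip_network("192.168.80.114/32")
    return (group_of.get(pkt.ingress) == 1
            and any(ipaddress.ip_address(a) in net for a in (pkt.src, pkt.dst))
            and pkt.protocol == "tcp"
            and FINGER in (pkt.sport, pkt.dport))

def evaluate_if_group(pkt, group_of=INTERFACE_GROUPS):
    """Evaluate filter if-group term by term; the first matching term decides.
    Returns (action, term, counter) so the decision can be checked and logged."""
    if term_group1_matches(pkt, group_of):
        return ("reject", "group1", "if-group-counter1")
    # term group-2 has no 'from' clause, so it matches everything that fell through
    # and keeps the filter's implicit final discard from dropping other traffic.
    return ("accept", "group-2", "if-group-counter2")

if __name__ == "__main__":
    probe = Packet("fxp0", "192.168.5.20", "192.168.80.114", "tcp", 40000, FINGER)
    print(evaluate_if_group(probe))  # finger probe arriving on a group-1 interface
```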