Firewall filters allow you to filter packets based on their components and to perform an action on packets that match the filter.
Note: The JUNOS software provides a policy framework, which is a collection of JUNOS policies that include routing policies and firewall filter policies. These policies share some fundamental similarities. (For information about the similarities and differences among these policies, see Policy Framework Overview.) However, when a firewall filter policy is referred to in the firewall filters part of the manual, the term firewall filter is used.
Depending on the hardware configuration of the routing platform, you can use firewall filters for the following purposes:
With the Internet Processor II ASIC, you can use filters on data packets passing through the routing platform to provide protocol-based firewalls, thwart denial-of-service (DoS) attacks, prevent the falsification (spoofing) of source addresses, create access control lists, and implement rate limiting (policing). (Use the show chassis hardware command to determine whether a routing platform has an Internet Processor or an Internet Processor II ASIC.)
You can use the filters to restrict the local packets that pass from the routing platform's physical interfaces to the Routing Engine. Such filters are useful in protecting the IP services that run on the Routing Engine, such as telnet, Secure Shell (ssh), and the Border Gateway Protocol (BGP), from denial-of-service attacks. You can define input filters, which affect only inbound traffic destined for the Routing Engine, and output filters, which affect only outbound traffic sent from the Routing Engine. You can also use policing, or rate limiting, to provide a finer level of control over local packets destined for the Routing Engine.
Note: In the remainder of the firewall filters part of this manual, the term packets refers to both data and local packets unless explicitly stated otherwise.
You can apply firewall filters to packets entering or leaving the routing platform on one, more than one, or all interfaces. For each interface, you can apply a firewall filter to incoming or outgoing traffic, or both, and the same filter can be used for both.
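The following configuration is an added example, not taken from this manual, that ties together the two uses described above: a filter that protects the IP services running on the Routing Engine (BGP, ssh) and rate limits ICMP with a policer, applied as an input filter. Applying the filter to the lo0 loopback interface is the conventional way to reach local packets destined for the Routing Engine; that placement, the prefix-list names, the addresses, and the policer limits are assumptions chosen for illustration, and the counter and log actions in the final term are there so that dropped traffic can be inspected rather than silently discarded.

```junos
/* Added example (not the manual's own configuration). The prefix lists,
   addresses and policer limits are constructed for illustration. */
policy-options {
    prefix-list bgp-peers {
        192.0.2.1/32;
        192.0.2.2/32;
    }
    prefix-list mgmt-hosts {
        198.51.100.0/24;
    }
}
firewall {
    /* Policer: rate limit ICMP so a flood cannot exhaust the Routing Engine */
    policer icmp-limit {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        filter protect-re {
            /* BGP is accepted only from configured peers */
            term allow-bgp {
                from {
                    source-prefix-list {
                        bgp-peers;
                    }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            /* ssh is accepted only from the management network */
            term allow-ssh {
                from {
                    source-prefix-list {
                        mgmt-hosts;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            /* ICMP is accepted but subject to the policer above */
            term limit-icmp {
                from {
                    protocol icmp;
                }
                then {
                    policer icmp-limit;
                    accept;
                }
            }
            /* Everything else is counted, logged and discarded */
            term deny-rest {
                then {
                    count protect-re-drops;
                    log;
                    discard;
                }
            }
        }
    }
}
interfaces {
    /* Assumption: lo0 input filter reaches packets destined for the Routing Engine */
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

Because an overly strict Routing Engine filter can cut off your own management session, a filter like this is best committed with `commit confirmed` so that it rolls back automatically if you lose access. After it is active, `show firewall filter protect-re` displays the `protect-re-drops` counter, and the `log` action lets you see which protocols the catch-all term is discarding; any legitimate service it catches (routing protocols other than BGP, NTP, DNS, and so on) needs its own explicit accept term placed before `deny-rest`.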
You can define firewall filters that apply to IP version 4 (IPv4), IP version 6 (IPv6), or Multiprotocol Label Switching (MPLS) traffic.
There is no limit to the number of filters and counters you can set, but there are some practical considerations. More counters require more terms, and a large number of terms can take a long time to process during a commit. However, filters with more than 1000 terms and counters have been implemented successfully.
This chapter describes the following topics: