How Firewall Filters Test a Packet’s Protocol

If you specify a port match condition or a match of the ICMP type or TCP flags field, there is no implied protocol match. If you use one of the following match conditions in a term, you should explicitly specify the protocol in the same term:

• destination-port—For IPv4, specify the match protocol tcp or protocol udp in the same term. For IPv6, specify the match next-header tcp or next-header udp in the same term.
• icmp-code—Specify the match protocol icmp in the same term.
• icmp-type—Specify the match protocol icmp in the same term.
• port—Specify the match protocol tcp or protocol udp in the same term.
• source-port—Specify the match protocol tcp or protocol udp in the same term.
• tcp-flags—Specify the match protocol tcp in the same term.

When examining match conditions, the policy framework software tests only the specified field itself. The software does not also test the IP header to determine that the packet is indeed an IP packet.

If you do not explicitly specify the protocol, when using the fields listed previously, design your filters carefully to ensure that they are performing the expected matches. If you specify a match of destination-port ssh, the policy framework software deterministically matches any packets that have a value of 22 in the 2-byte field that is 2 bytes beyond the end of the IP header, without ever checking the IP protocol field.

Copyright © 2009, Juniper Networks, Inc. All rights reserved. Trademark Notice.