
Specifying Numeric Range Filter Match Conditions

Numeric range filter conditions match packet fields that can be identified by a numeric value, such as port and protocol numbers. For numeric range filter match conditions, you specify a keyword that identifies the condition and a single value or a range of values that a field in a packet must match. Table 29 describes the numeric range filter match conditions for IPv4 addresses, and Table 30 describes them for IPv6 addresses.

Table 31 describes the numeric range filter match conditions for Layer 2 bridging traffic on MX-series routers. For more information about how to configure Layer 2 services on the MX-series routers, see the JUNOS Network Interfaces Configuration Guide, the JUNOS Layer 2 Configuration Guide, and the JUNOS Feature Guide.

You can specify the numeric range value in one of the following ways:

To specify multiple values in a single match condition, group the values within square brackets following the keyword. For example:

source-port [ smtp ftp-data 25 1024-65535 ];

To exclude a numeric value, append the string -except to the match keyword. For example, the following condition would match only if the source port is not 25:

source-port-except 25;

The following condition would match only if the port number is not one of those in the list:

source-port-except [ smtp ftp-data 666 1024-65535 ];

Note: To match only on a source address, destination address, source port or destination port, include the appropriate matching condition (source-address, destination-address, source-port, or destination-port, respectively) at the [edit firewall filter filter-name term term-name from] hierarchy level instead of using the port or address matching condition at the same hierarchy level.
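The following Python script is an added example; it is not part of the JUNOS documentation or the JUNOS software. It models how the value syntax above is interpreted so that a term's intent can be checked before it is committed: a bracketed list is the union of its members (single numbers, text synonyms and inclusive lo-hi ranges), and the -except form negates the whole list, so source-port-except [ smtp ftp-data 666 1024-65535 ] matches only when the port is outside every listed value. The PORT_SYNONYMS table is a subset of the destination-port synonyms in Table 29; validate_term is this example's own name for the rule that port cannot share a term with source-port or destination-port, and its treatment of the -except variants as the same condition is an assumption of the example.

```python
"""Interpret JUNOS numeric range match values and their -except forms.

Added example; not part of the JUNOS documentation or software.  It
reproduces the value syntax described above: a bare value, or several
values in [ ], each a number, an inclusive range lo-hi, or a text synonym.
"""
import re

# Port synonyms: a subset of the destination-port table on this page.
PORT_SYNONYMS = {
    "bgp": 179, "domain": 53, "ftp": 21, "ftp-data": 20, "http": 80,
    "https": 443, "ldap": 389, "ntp": 123, "smtp": 25, "snmp": 161,
    "snmptrap": 162, "ssh": 22, "syslog": 514, "telnet": 23, "tftp": 69,
}
PORT_KEYS = {"port", "source-port", "destination-port"}

_RANGE = re.compile(r"^(\d+)-(\d+)$")


def parse_values(spec: str, synonyms: dict = PORT_SYNONYMS) -> list:
    """Turn 'smtp', '25', '1024-65535' or '[ a b c ]' into inclusive ranges.

    A single token needs no brackets; several tokens must be bracketed,
    exactly as the CLI syntax above requires.  A trailing ';' is tolerated.
    """
    spec = spec.strip().rstrip(";").strip()
    if spec.startswith("["):
        if not spec.endswith("]"):
            raise ValueError(f"unterminated bracket list: {spec!r}")
        tokens = spec[1:-1].split()
    else:
        tokens = spec.split()
        if len(tokens) != 1:
            raise ValueError("multiple values must be enclosed in [ ]")
    ranges = []
    for tok in tokens:
        m = _RANGE.match(tok)
        if m:
            lo, hi = int(m.group(1)), int(m.group(2))
        elif tok.isdigit():
            lo = hi = int(tok)
        elif tok in synonyms:
            lo = hi = synonyms[tok]
        else:
            raise ValueError(f"unknown value {tok!r}")
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"value out of range: {tok!r}")
        ranges.append(range(lo, hi + 1))
    return ranges


def matches(keyword: str, spec: str, observed: int) -> bool:
    """Apply one numeric range condition to an observed field value.

    The plain form matches if the value lies in ANY listed range; the
    -except form matches only if it lies in NONE of them, i.e. the whole
    list is negated, not each member separately.
    """
    in_list = any(observed in r for r in parse_values(spec))
    return not in_list if keyword.endswith("-except") else in_list


def validate_term(conditions: dict) -> None:
    """Pre-commit checks for the port conditions of one term.

    Rejects port combined with source-port or destination-port (the page
    says these cannot share a term; treating the -except variants as the
    same condition is an assumption of this example) and parses every
    port value so a malformed token is reported by name.
    """
    base = {k.removesuffix("-except") for k in conditions}
    if "port" in base and base & {"source-port", "destination-port"}:
        raise ValueError("port cannot share a term with source-port or destination-port")
    for key, value in conditions.items():
        if key.removesuffix("-except") in PORT_KEYS:
            parse_values(value)
```

Running matches("source-port", "[ smtp ftp-data 25 1024-65535 ]", 80) returns False while the same list with source-port-except returns True for port 80 and False for 666, which is the behaviour the two -except examples above describe.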

Table 29: Numeric Range IPv4 Firewall Filter Match Conditions

Match Condition

Description

keyword-except

Negate a match. For example, destination-port-except number.

ah-spi spi-value

IPsec authentication header (AH) security parameter index (SPI) value. Match on this specific SPI value.

ah-spi-except spi-value

IPsec AH SPI value. Do not match on this specific SPI value.

destination-address address

Destination prefix.

destination-mac-address address

Destination media access control (MAC) address of a VPLS packet.

destination-port number

TCP or User Datagram Protocol (UDP) destination port field. You cannot specify both the port and destination-port match conditions in the same term.

Normally, you specify this match in conjunction with the protocol match statement to determine which protocol is being used on the port. For more information, see How Firewall Filters Test a Packet’s Protocol.

In place of the numeric value, you can specify one of the following text synonyms (the port numbers are also listed): afs (1483), bgp (179), biff (512), bootpc (68), bootps (67), cmd (514), cvspserver (2401), dhcp (67), domain (53), eklogin (2105), ekshell (2106), exec (512), finger (79), ftp (21), ftp-data (20), http (80), https (443), ident (113), imap (143), kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544), ldap (389), login (513), mobileip-agent (434), mobilip-mn (435), msdp (639), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123), pop3 (110), pptp (1723), printer (515), radacct (1813), radius (1812), rip (520), rkinit (2108), smtp (25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525), who (513), xdmcp (177).

destination-prefix-list name

Match on the destination prefixes in the specified list name. Specify the name of a prefix list defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level.

dscp number

Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most significant 6 bits of this byte form the DSCP. For more information, see the JUNOS Class of Service Configuration Guide.

You can specify DSCP in either hexadecimal, binary, or decimal form.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):

  • RFC 2598, An Expedited Forwarding PHB, defines one code point: ef (46).
  • RFC 2597, Assured Forwarding PHB, defines 4 classes, with 3 drop precedences in each class, for a total of 12 code points:

af11 (10), af12 (12), af13 (14),

af21 (18), af22 (20), af23 (22),

af31 (26), af32 (28), af33 (30),

af41 (34), af42 (36), af43 (38)

ether-type value

Match on the Ethernet type field of a VPLS packet.

ether-type-except value

Do not match on the Ethernet type field of a VPLS packet.

esp-spi spi-value

IPsec encapsulating security payload (ESP) SPI value. Match on this specific SPI value. You can specify the ESP SPI value in hexadecimal, binary, or decimal form.

esp-spi-except spi-value

IPsec ESP SPI value. Do not match on this specific SPI value.

forwarding-class class

Match on the forwarding class. Specify assured-forwarding, best-effort, expedited-forwarding, or network-control.

forwarding-class-except class

Do not match on the forwarding class. Specify assured-forwarding, best-effort, expedited-forwarding, or network-control.

fragment-offset number

Fragment offset field.

icmp-code number

ICMP code field. This value or keyword provides more specific information than icmp-type. Because the value’s meaning depends upon the associated icmp-type, you must specify icmp-type along with icmp-code. For more information, see How Firewall Filters Test a Packet’s Protocol.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed). The keywords are grouped by the ICMP type with which they are associated:

  • parameter-problem: ip-header-bad (0), required-option-missing (1)
  • redirect: redirect-for-host (1), redirect-for-network (0), redirect-for-tos-and-host (3), redirect-for-tos-and-net (2)
  • time-exceeded: ttl-eq-zero-during-reassembly (1), ttl-eq-zero-during-transit (0)
  • unreachable: communication-prohibited-by-filtering (13), destination-host-prohibited (10), destination-host-unknown (7), destination-network-prohibited (9), destination-network-unknown (6), fragmentation-needed (4), host-precedence-violation (14), host-unreachable (1), host-unreachable-for-TOS (12), network-unreachable (0), network-unreachable-for-TOS (11), port-unreachable (3), precedence-cutoff-in-effect (15), protocol-unreachable (2), source-host-isolated (8), source-route-failed (5)

icmp-type number

ICMP packet type field. Normally, you specify this match in conjunction with the protocol icmp match statement so that the field is tested only on ICMP packets. For more information, see How Firewall Filters Test a Packet’s Protocol.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): echo-reply (0), echo-request (8), info-reply (16), info-request (15), mask-request (17), mask-reply (18), parameter-problem (12), redirect (5), router-advertisement (9), router-solicit (10), source-quench (4), time-exceeded (11), timestamp (13), timestamp-reply (14), or unreachable (3).

interface interface-name

Interface on which the packet was received. You can configure a match condition that matches packets based on the interface on which they were received.

interface-group group-number

Interface group on which the packet was received. An interface group is a set of one or more logical interfaces. For group-number, specify a value from 0 through 255. For information about configuration interface groups, see Applying Firewall Filters to Interfaces.

loss-priority level

Match on the packet loss priority (PLP) level. Specify a single level or multiple levels: low, medium-low, medium-high, or high.

For information about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets, see the JUNOS Class of Service Configuration Guide.

loss-priority-except level

Do not match on the packet loss priority level. Specify a single level or multiple levels: low, medium-low, medium-high, or high.

For information about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets, see the JUNOS Class of Service Configuration Guide.

packet-length bytes

Length of the received packet, in bytes. The length refers only to the IP packet, including the packet header, and does not include any Layer 2 encapsulation overhead.

port number

TCP or UDP source or destination port field. You cannot specify both the port match and either the destination-port or source-port match conditions in the same term.

Normally, you specify this match in conjunction with the protocol match statement to determine which protocol is being used on the port. For more information, see How Firewall Filters Test a Packet’s Protocol.

In place of the numeric value, you can specify one of the text synonyms listed under destination-port.

precedence ip-precedence-field

IP precedence field. In place of the numeric field value, you can specify one of the following text synonyms (the field values are also listed): critical-ecp (0xa0), flash (0x60), flash-override (0x80), immediate (0x40), internet-control (0xc0), net-control (0xe0), priority (0x20), or routine (0x00). You can specify precedence in hexadecimal, binary, or decimal form.

prefix-list name

Match on the destination or source prefixes in the specified list name. Specify the name of a prefix list defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level.

protocol number

IP protocol field. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): ah (51), egp (8), esp (50), gre (47), icmp (1), igmp (2), ipip (4), ipv6 (41), ospf (89), pim (103), rsvp (46), tcp (6), or udp (17).

source-mac-address address

Source MAC address of a VPLS packet.

source-port number

TCP or UDP source port field. You cannot specify the port and source-port match conditions in the same term.

Normally, you specify this match in conjunction with the protocol match statement to determine which protocol is being used on the port. For more information, see How Firewall Filters Test a Packet’s Protocol.

In place of the numeric field, you can specify one of the text synonyms listed under destination-port.

source-prefix-list name

Match on the source prefixes in the specified list name. Specify the name of a prefix list defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level.

ttl number

IPv4 TTL number to match. Specify a TTL value from 1 through 127. This match condition is supported only on M320, M120, MX-series, and T-series routing platforms.

ttl-except number

IPv4 TTL number to avoid matching. Specify a TTL value from 1 through 127. This match condition is supported only on M320, M120, MX-series, and T-series routing platforms.

vlan-ether-type value

Match on the virtual local area network (VLAN) Ethernet type field of a VPLS packet.

vlan-ether-type-except value

Do not match on the VLAN Ethernet type field of a VPLS packet.
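The following Python is an added example, not part of the JUNOS documentation; it serves both the dscp and the precedence entries of Table 29 by showing how the two conditions slice the same IPv4 ToS octet. dscp compares the top six bits (ef is 46, or 0x2e), whereas the precedence synonyms are whole-octet values (critical-ecp is 0xa0), so an EF-marked packet (ToS 0xb8) satisfies both dscp ef and precedence critical-ecp, and the two low ECN bits affect neither condition. The synonym tables are copied from Table 29; af_class_and_drop and tos_for_dscp are this example's own helpers for decomposing RFC 2597 code points and building a test marking.

```python
"""Decode the IPv4 ToS octet into the fields that dscp and precedence test.

Added example; not part of the JUNOS documentation or software.
"""

# Synonyms and values exactly as listed in Table 29.
DSCP_SYNONYMS = {
    "ef": 46,
    "af11": 10, "af12": 12, "af13": 14,
    "af21": 18, "af22": 20, "af23": 22,
    "af31": 26, "af32": 28, "af33": 30,
    "af41": 34, "af42": 36, "af43": 38,
}
PRECEDENCE_SYNONYMS = {
    "routine": 0x00, "priority": 0x20, "immediate": 0x40, "flash": 0x60,
    "flash-override": 0x80, "critical-ecp": 0xa0, "internet-control": 0xc0,
    "net-control": 0xe0,
}


def dscp_of(tos: int) -> int:
    """Top six bits of the ToS octet (the RFC 2474 DS field)."""
    return (tos & 0xff) >> 2


def precedence_of(tos: int) -> int:
    """Top three bits of the ToS octet, kept in place as the whole-octet
    value the precedence synonyms use (0x00, 0x20, ..., 0xe0)."""
    return tos & 0xe0


def tos_for_dscp(dscp: int, ecn: int = 0) -> int:
    """Build the ToS octet that carries a given DSCP (and optional ECN bits)."""
    if not 0 <= dscp <= 0x3f:
        raise ValueError("DSCP is a 6-bit value")
    return (dscp << 2) | (ecn & 0x3)


def parse_value(text: str, synonyms: dict) -> int:
    """Accept a synonym or a number in decimal, hexadecimal (0x..) or binary (0b..),
    the three forms the page says the conditions accept."""
    text = text.strip()
    if text in synonyms:
        return synonyms[text]
    return int(text, 0)  # base 0 honours the 0x and 0b prefixes


def dscp_matches(condition: str, tos: int) -> bool:
    """Would 'dscp <condition>' match a packet with this ToS octet?"""
    return dscp_of(tos) == parse_value(condition, DSCP_SYNONYMS)


def precedence_matches(condition: str, tos: int) -> bool:
    """Would 'precedence <condition>' match a packet with this ToS octet?"""
    return precedence_of(tos) == parse_value(condition, PRECEDENCE_SYNONYMS)


def af_class_and_drop(dscp: int):
    """Split an RFC 2597 AF code point into (class, drop precedence).

    AF code points have the bit layout ccc dd 0 with class 1-4 and drop
    precedence 1-3; anything else (ef, best-effort, class selectors) is None.
    """
    cls, drop, low_bit = dscp >> 3, (dscp >> 1) & 0x3, dscp & 0x1
    if low_bit == 0 and 1 <= cls <= 4 and 1 <= drop <= 3:
        return cls, drop
    return None
```

A consequence worth keeping in mind when a filter classifies by precedence rather than dscp: precedence 0xa0 admits every DSCP whose top three bits are 101, so EF (46) and the class selector CS5 (40) are indistinguishable to it, and an untrusted host can set the octet to whatever value the filter rewards.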

Table 30: Numeric Range IPv6 Firewall Filter Match Conditions

Match Condition

Description

address address

128-bit address that supports the standard syntax for IPv6 addresses. For more information, see the JUNOS Routing Protocols Configuration Guide.

destination-address address

128-bit address that is the final destination node address for the packet. The filter description syntax supports the text representations for IPv6 addresses as described in RFC 2373, IP Version 6 Addressing Architecture. For more information about IPv6 address syntax, see the JUNOS Routing Protocols Configuration Guide.

destination-port number

TCP or UDP destination port field. You cannot specify both the port and destination-port match conditions in the same term.

Normally, you specify this match in conjunction with the next-header match statement to determine which protocol is being used on the port. For more information, see How Firewall Filters Test a Packet’s Protocol.

In place of the numeric value, you can specify one of the following text synonyms (the port numbers are also listed): afs (1483), bgp (179), biff (512), bootpc (68), bootps (67), cmd (514), cvspserver (2401), dhcp (67), domain (53), eklogin (2105), ekshell (2106), exec (512), finger (79), ftp (21), ftp-data (20), http (80), https (443), ident (113), imap (143), kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544), ldap (389), login (513), mobileip-agent (434), mobilip-mn (435), msdp (639), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123), pop3 (110), pptp (1723), printer (515), radacct (1813), radius (1812), rip (520), rkinit (2108), smtp (25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525), who (513), xdmcp (177), zephyr-clt (2103), or zephyr-hm (2104).

destination-prefix-list name

Match on the destination prefixes in the specified list name. Specify the name of a prefix list defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level.

forwarding-class class

Match on the forwarding class. Specify assured-forwarding, best-effort, expedited-forwarding, or network-control.

icmp-code number

ICMP code field. This value or keyword provides more specific information than icmp-type. Because the value’s meaning depends upon the associated icmp-type, you must specify icmp-type along with icmp-code. For more information, see How Firewall Filters Test a Packet’s Protocol.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed). The keywords are grouped by the ICMP type with which they are associated:

  • parameter-problem: ip-header-bad (0), required-option-missing (1)
  • redirect: redirect-for-host (1), redirect-for-network (0), redirect-for-tos-and-host (3), redirect-for-tos-and-net (2)
  • time-exceeded: ttl-eq-zero-during-reassembly (1), ttl-eq-zero-during-transit (0)
  • unreachable: communication-prohibited-by-filtering (13), destination-host-prohibited (10), destination-host-unknown (7), destination-network-prohibited (9), destination-network-unknown (6), fragmentation-needed (4), host-precedence-violation (14), host-unreachable (1), host-unreachable-for-TOS (12), network-unreachable (0), network-unreachable-for-TOS (11), port-unreachable (3), precedence-cutoff-in-effect (15), protocol-unreachable (2), source-host-isolated (8), source-route-failed (5)

icmp-type number

ICMP packet type field. Normally, you specify this match in conjunction with the next-header match statement so that the field is tested only on ICMPv6 packets. For more information, see How Firewall Filters Test a Packet’s Protocol.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): echo-reply (0), echo-request (8), info-reply (16), info-request (15), mask-request (17), mask-reply (18), parameter-problem (12), redirect (5), router-advertisement (9), router-solicit (10), source-quench (4), time-exceeded (11), timestamp (13), timestamp-reply (14), or unreachable (3). Note that these are the ICMPv4 type numbers; ICMPv6 (RFC 4443) numbers its messages differently (for example, echo-request is 128 and echo-reply is 129), so verify the type and code values your release accepts in an IPv6 filter before relying on them.

interface-group group-number

Interface group on which the packet was received. An interface group is a set of one or more logical interfaces. For information about configuration interface groups, see Applying Firewall Filters to Interfaces.

loss-priority level

Match on the packet loss priority (PLP) level. Specify a single level or multiple levels: low, medium-low, medium-high, or high.

For information about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets, see the JUNOS Class of Service Configuration Guide.

loss-priority-except level

Do not match on the packet loss priority level. Specify a single level or multiple levels: low, medium-low, medium-high, or high.

For information about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets, see the JUNOS Class of Service Configuration Guide.

next-header bytes

8-bit IP protocol field that identifies the type of header immediately following the IPv6 header. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): ah (51), dstops (60), egp (8), esp (50), fragment (44), gre (47), hop-by-hop (0), icmp (1), icmpv6 (58), igmp (2), ipip (4), ipv6 (41), no-next-header (59), ospf (89), pim (103), routing (43), rsvp (46), sctp (132), tcp (6), udp (17), or vrrp (112).

packet-length bytes

Length of the received packet, in bytes. The length refers only to the IP packet, including the packet header, and does not include any Layer 2 encapsulation overhead.

port number

TCP or UDP source or destination port field. You cannot specify both the port match and either the destination-port or source-port match conditions in the same term.

Typically, you specify this match in conjunction with the next-header match statement to determine which protocol is being used on the port. For more information, see How Firewall Filters Test a Packet’s Protocol.

In place of the numeric value, you can specify one of the text synonyms listed under destination-port.

prefix-list name

Match on the source or destination prefixes in the specified list name. Specify the name of a prefix list defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level.

source-address address

Address of the source node sending the packet; 128 bits in length. The filter description syntax supports the text representations for IPv6 addresses as described in RFC 2373. For more information about IPv6 address syntax, see the JUNOS Routing Protocols Configuration Guide.

source-port number

TCP or UDP source port field. You cannot specify the port and source-port match conditions in the same term.

Normally, you specify this match in conjunction with the next-header match statement to determine which protocol is being used on the port. For more information, see How Firewall Filters Test a Packet’s Protocol.

In place of the numeric field, you can specify one of the text synonyms listed under destination-port.

source-prefix-list name

Match on the source prefixes in the specified prefix list. Specify a prefix list name defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level.

traffic-class number

8-bit field that specifies the class-of-service (CoS) priority of the packet. The traffic-class field is used to specify a DiffServ code point (DSCP) value. The numerical value cannot be greater than 0x3f.

This field occupies the position of the ToS byte in IPv4, and its semantics (for example, the DSCP in the most significant 6 bits) are the same as in IPv4.

tcp-flags flags

One or more of the following TCP flags:

  • Bit-name: fin, syn, rst, push, ack, urgent
  • Numerical value: 0x01 through 0x20
  • Text synonym: tcp-established, tcp-initial

You can string together multiple flags using logical operators.

Configuring the tcp-flags match condition requires that you configure the next-header tcp match condition.
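The following Python is an added example and not JUNOS code; it parses and evaluates a tcp-flags expression of the kind described above against the flags octet of a TCP segment, using the bit values the page lists (fin 0x01 through urgent 0x20). The expansions tcp-established = (ack | rst) and tcp-initial = (!ack & syn) are the JUNOS definitions of those synonyms. Two details are assumptions of this example rather than statements from this page: the operator spellings (& or + for AND, | or , for OR, ! for NOT, parentheses for grouping) and the treatment of a bare numeric value as a mask all of whose bits must be set.

```python
"""Parse and evaluate a JUNOS-style tcp-flags expression.

Added example; not part of the JUNOS documentation or software.
Flag bit values are the ones listed on this page.  Synonym expansions
follow the JUNOS definitions; operator spellings and the mask treatment
of bare numbers are assumptions of this example.
"""
import re

FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
             "push": 0x08, "ack": 0x10, "urgent": 0x20}

# Text synonyms expanded to the flag expressions they stand for.
SYNONYMS = {"tcp-established": "(ack | rst)", "tcp-initial": "(!ack & syn)"}

_TOKEN = re.compile(r"0x[0-9a-fA-F]+|\d+|[a-z][a-z-]*|[()!&|+,]")


def tokenize(expr: str) -> list:
    """Split an expression into tokens, refusing anything unrecognised."""
    tokens = _TOKEN.findall(expr)
    if "".join(tokens) != "".join(expr.split()):
        raise ValueError(f"unparsable tcp-flags expression: {expr!r}")
    return tokens


class _Parser:
    """Recursive descent over:  expr := term (('|' | ',') term)*
    term := factor (('&' | '+') factor)*   factor := '!' factor | '(' expr ')' | atom"""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def expr(self):
        node = self.term()
        while self.peek() in ("|", ","):
            self.take()
            node = ("or", node, self.term())
        return node

    def term(self):
        node = self.factor()
        while self.peek() in ("&", "+"):
            self.take()
            node = ("and", node, self.factor())
        return node

    def factor(self):
        tok = self.take()
        if tok == "!":
            return ("not", self.factor())
        if tok == "(":
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok in FLAG_BITS:
            return ("mask", FLAG_BITS[tok])
        if tok in SYNONYMS:
            return parse(SYNONYMS[tok])      # synonyms are ordinary sub-expressions
        if tok is not None and (tok.isdigit() or tok.startswith("0x")):
            mask = int(tok, 0)
            # Single bits are 0x01..0x20 as the page lists; a combined mask
            # (assumption of this example) may use any of the six bits.
            if not 0x01 <= mask <= 0x3f:
                raise ValueError(f"flag value out of range 0x01-0x3f: {tok}")
            return ("mask", mask)
        raise ValueError(f"unexpected token {tok!r}")


def parse(expr: str):
    p = _Parser(tokenize(expr))
    node = p.expr()
    if p.peek() is not None:
        raise ValueError(f"trailing input after expression: {p.peek()!r}")
    return node


def evaluate(node, flags: int) -> bool:
    kind = node[0]
    if kind == "mask":                       # every bit of the mask must be set
        return (flags & node[1]) == node[1]
    if kind == "not":
        return not evaluate(node[1], flags)
    if kind == "and":
        return evaluate(node[1], flags) and evaluate(node[2], flags)
    return evaluate(node[1], flags) or evaluate(node[2], flags)


def tcp_flags_match(expr: str, flags: int) -> bool:
    """True if a TCP segment carrying this flags octet satisfies the condition."""
    return evaluate(parse(expr), flags & 0xff)
```

tcp_flags_match("tcp-initial", 0x02) is True for a bare SYN and False for a SYN-ACK (0x12), while tcp_flags_match("tcp-established", 0x10) is True for any segment with ACK set. That second result is the caveat a practitioner needs: tcp-established is a stateless test, and a forged ACK-only or RST-only probe passes it, so on its own it does not show that a connection exists and should be combined with address and port conditions.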

Table 31: Numeric Range Layer 2 Bridging Filter Match Conditions (MX-series Only)

  
Match Condition

Description

destination-mac-address address

Destination media access control (MAC) address of a Layer 2 packet in a bridging environment.

destination-port number

TCP or UDP destination port field. You cannot specify both the port and destination-port match conditions in the same term.

dscp number

Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most significant 6 bits of this byte form the DSCP. For more information, see the JUNOS Class of Service Configuration Guide.

You can specify DSCP in hexadecimal, binary, or decimal form.

ether-type value

Match on the Ethernet type field of a Layer 2 packet in a bridging environment.

ether-type-except value

Do not match on the Ethernet type field of a Layer 2 packet.

forwarding-class class

Match on the forwarding class. Specify assured-forwarding, best-effort, expedited-forwarding, or network-control.

forwarding-class-except class

Do not match on the forwarding class. Specify assured-forwarding, best-effort, expedited-forwarding, or network-control.

icmp-code number

ICMP code field. The value or keyword provides more specific information than icmp-type. Because the value’s meaning depends on the associated icmp-type, you must specify icmp-type along with icmp-code.

icmp-type number

ICMP packet type field. Normally, you specify this match in conjunction with the ip-protocol match condition so that the field is tested only on ICMP packets.

interface-group group-number

Interface group on which the packet was received. An interface group is a set of one or more logical interfaces. For group-number, specify a value from 0 through 255.

interface-group-except number

Do not match on the interface group on which the packet was received.

ip-address address

32-bit address that supports the standard syntax for IPv4 addresses.

ip-destination-address address

32-bit address that is the final destination node address for the packet.

ip-precedence ip-precedence-field

IP precedence field. In place of the numeric field value, you can specify one of the following text synonyms (the field values are also listed): critical-ecp (0xa0), flash (0x60), flash-override (0x80), immediate (0x40), internet-control (0xc0), net-control (0xe0), priority (0x20), or routine (0x00).

ip-precedence-except

Do not match on the IP precedence field.

ip-protocol number

IP protocol field.

ip-source-address address

IP address of the source node sending the packet.

learn-vlan-1p-priority value

(For bridging and VPLS protocols only) Match on the IEEE 802.1p learned VLAN priority. Specify a single value or multiple values from 0 through 7.

learn-vlan-1p-priority-except value

(For bridging and VPLS protocols only) Do not match on the IEEE 802.1p learned VLAN priority. Specify a single value or multiple values from 0 through 7.

learn-vlan-id number

Match on the VLAN identifier used for MAC learning.

learn-vlan-id-except number

Do not match on VLAN identifier used for MAC learning.

loss-priority level

Match on the packet loss priority (PLP) level. Specify a single level or multiple levels: low, medium-low, medium-high, or high.

For information about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets, see the JUNOS Class of Service Configuration Guide.

loss-priority-except level

Do not match on the packet loss priority level. Specify a single level or multiple levels: low, medium-low, medium-high, or high.

For information about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets, see the JUNOS Class of Service Configuration Guide.

port number

TCP or UDP source or destination port. You cannot specify both the port match and either the destination-port or source-port match conditions in the same term.

source-mac-address address

Source MAC address of a Layer 2 packet.

source-port number

TCP or UDP source port field. You cannot specify the port and source-port match conditions in the same term.

tcp-flags flags

One or more of the following TCP flags:

  • Bit-name: fin, syn, rst, push, ack, urgent
  • Numerical value: 0x01 through 0x20
  • Text synonym: tcp-established, tcp-initial

You can string together multiple flags using logical operators.

Configuring the tcp-flags match condition requires that you also match on TCP in the same term with the ip-protocol tcp match condition.

traffic-type type

Match on the traffic type. Specify broadcast, multicast, unknown-unicast, or known-unicast.

traffic-type-except type

Do not match on the traffic type.

user-vlan-1p-priority value

(For bridging and VPLS protocols only) Match on the IEEE 802.1p user priority. Specify a single value or multiple values from 0 through 7.

user-vlan-1p-priority-except value

(For bridging and VPLS protocols only) Do not match on the IEEE 802.1p user priority. Specify a single value or multiple values from 0 through 7.

user-vlan-id number

Match on the first VLAN identifier that is part of the payload.

user-vlan-id-except number

Do not match on the first VLAN identifier that is part of the payload.

vlan-ether-type value

Match on the VLAN Ethernet type field of a Layer 2 bridging or VPLS packet.

vlan-ether-type-except value

Do not match on the VLAN Ethernet type field of a Layer 2 bridging or VPLS packet.

