
Complete [edit firewall] Hierarchy

firewall {
family (any | bridge | ccc | inet | inet6 | mpls | vpls) {
... family-configuration ...
}
filter filter-name {
accounting-profile [ profile-names ];
interface-specific;
term term-name {
filter filter-name;
from {
... statements listed in Common IP Firewall Match Conditions AND ...
... statements listed in Common IPv4 Firewall Match Conditions ...
}
then {
... statements listed in Common Firewall Actions AND ...
... statements listed in Common IP Firewall Actions AND ...
... statements listed in Common IPv4 Firewall Actions PLUS the following statement...
service-filter-hit;
}
}
}
hierarchical-policer policer-name {
aggregate {
if-exceeding {
bandwidth-limit bps;
burst-size-limit bytes;
}
then {
discard;
forwarding-class class-name;
loss-priority (high | low);
}
}
premium {
if-exceeding {
bandwidth-limit bps;
burst-size-limit bytes;
}
then {
discard;
forwarding-class class-name;
loss-priority (high | low);
}
}
}
interface-set interface-set-name {
interface-name;
}
load-balance-group group-name {
next-hop-group [ group-names ];
}
policer policer-name {
filter-specific;
if-exceeding {
bandwidth-limit bps;
bandwidth-percent number;
burst-size-limit bytes;
}
logical-bandwidth-policer;
logical-interface-policer;
then {
discard;
forwarding-class class-name;
loss-priority (high | low);
}
}
three-color-policer policer-name {
action {
loss-priority high then discard;
}
logical-interface-policer;
single-rate {
(color-aware | color-blind);
committed-burst-size bytes;
committed-information-rate bps;
excess-burst-size bytes;
}
two-rate {
(color-aware | color-blind);
committed-burst-size bytes;
committed-information-rate bps;
peak-burst-size bytes;
peak-information-rate bps;
}
}
family any {
filter filter-name {
term term-name {
from {
(forwarding-class [ class-names ] | forwarding-class-except [ class-names ]);
interface interface-name;
interface-set set-name;
(loss-priority [ priorities ] | loss-priority-except [ priorities ]);
(packet-length [ values ] | packet-length-except [ values ]);
}
then {
... statements listed in Common Firewall Actions PLUS the following statement ...
(accept | discard);
}
}
}
}
family bridge {
filter filter-name {
accounting-profile [ profile-names ];
interface-specific;
term term-name {
filter filter-name;
from {
... statements listed in Common Layer 2 Firewall Match Conditions ...
}
then {
... statements listed in Common Firewall Actions PLUS the following statements ...
(accept | discard);
port-mirror;
}
}
}
}
family ccc {
filter filter-name {
accounting-profile [ profile-names ];
interface-specific;
term term-name {
filter filter-name;
from {
(forwarding-class [ class-names ] | forwarding-class-except [ class-names ]);
(interface-group [ group-names ] | interface-group-except [ group-names ]);
(loss-priority [ priorities ] | loss-priority-except [ priorities ]);
}
then {
... statements listed in Common Firewall Actions PLUS the following statement ...
(accept | discard);
}
}
}
}
family inet {
... family-inet-configuration ...
}
family inet6 {
filter filter-name {
accounting-profile [ profile-names ];
interface-specific;
term term-name {
filter filter-name;
from {
... statements listed in Common IP Firewall Match Conditions PLUS the following statements ...
(next-header [ protocol-types ] | next-header-except [ protocol-types ]);
(traffic-class [ code-point-values ] | traffic-class-except [ code-point-values ]);
}
then {
... statements listed in Common Firewall Actions AND ...
... statements listed in Common IP Firewall Actions PLUS the following statement ...
(accept | discard | reject <(address-unreachable | administratively-prohibited | beyond-scope | fragmentation-needed | no-route | port-unreachable | tcp-reset)>);
}
}
}
service-filter filter-name {
term term-name {
from {
address ip-prefix</prefix-length>;
(ah-spi [ values ] | ah-spi-except [ values ]);
destination-address ip-prefix</prefix-length>;
(destination-port [ port-names ] | destination-port-except [ port-names ]);
destination-prefix-list list-name;
(esp-spi [ values ] | esp-spi-except [ values ]);
(interface-group [ group-names ] | interface-group-except [ group-names ]);
(next-header [ protocol-types ] | next-header-except [ protocol-types ]);
(port [ port-names ] | port-except [ port-names ]);
prefix-list list-name;
source-address ip-prefix</prefix-length>;
(source-port [ port-names ] | source-port-except [ port-names ]);
source-prefix-list list-name;
}
then {
count counter-name;
log;
port-mirror;
sample;
(service | skip);
}
}
}
}
family mpls {
filter filter-name {
accounting-profile [ profile-names ];
interface-specific;
term term-name {
filter filter-name;
from {
(exp [ exp-bits ] | exp-except [ exp-bits ]);
(forwarding-class [ class-names ] | forwarding-class-except [ class-names ]);
interface interface-name;
interface-set set-name;
(loss-priority [ priorities ] | loss-priority-except [ priorities ]);
}
then {
... statements listed in Common Firewall Actions PLUS the following statements ...
(accept | discard);
sample;
}
}
}
}
family vpls {
filter filter-name {
accounting-profile [ profile-names ];
interface-specific;
term term-name {
filter filter-name;
from {
... statements listed in Common Layer 2 Firewall Match Conditions ...
}
then {
... statements listed in Common Firewall Actions PLUS the following statements ...
(accept | discard);
port-mirror;
}
}
}
}
family inet {
dialer-filter filter-name {
accounting-profile [ profile-names ];
term term-name {
from {
... statements listed in Common IP Firewall Match Conditions AND ...
... statements listed in Common IPv4 Firewall Match Conditions EXCEPT FOR the following statements ...
(ah-spi [ values ] | ah-spi-except [ values ]);    # NOT valid at this hierarchy level
(destination-class [ class-names ] | destination-class-except [ class-names ]);    # NOT valid at this hierarchy level
interface interface-name;    # NOT valid at this hierarchy level
(loss-priority [ priorities ] | loss-priority-except [ priorities ]);    # NOT valid at this hierarchy level
(source-class [ class-names ] | source-class-except [ class-names ]);    # NOT valid at this hierarchy level
}
then {
(ignore | note);
log;
sample;
syslog;
}
}
}
filter filter-name {
accounting-profile [ profile-names ];
interface-specific;
term term-name {
filter filter-name;
from {
... statements listed in Common IP Firewall Match Conditions AND ...
... statements listed in Common IPv4 Firewall Match Conditions ...
}
then {
... statements listed in Common Firewall Actions AND ...
... statements listed in Common IP Firewall Actions AND ...
... statements listed in Common IPv4 Firewall Actions ...
}
}
}
prefix-action name {
count;
destination-prefix-length prefix-length;
filter-specific;
policer policer-name;
source-prefix-length prefix-length;
subnet-prefix-length prefix-length;
}
service-filter filter-name {
term term-name {
from {
address ip-prefix</prefix-length>;
(ah-spi [ values ] | ah-spi-except [ values ]);
destination-address ip-prefix</prefix-length>;
(destination-port [ port-names ] | destination-port-except [ port-names ]);
destination-prefix-list list-name;
(esp-spi [ values ] | esp-spi-except [ values ]);
first-fragment;
fragment-flags flag;
(fragment-offset [ offsets ] | fragment-offset-except [ offsets ]);
(interface-group [ group-names ] | interface-group-except [ group-names ]);
(ip-options [ option-names ] | ip-options-except [ option-names ]);
is-fragment;
(loss-priority [ priorities ] | loss-priority-except [ priorities ]);
(port [ port-names ] | port-except [ port-names ]);
prefix-list list-name;
(protocol [ protocol-names ] | protocol-except [ protocol-names ]);
source-address ip-prefix</prefix-length>;
(source-port [ port-names ] | source-port-except [ port-names ]);
source-prefix-list list-name;
}
then {
count counter-name;
log;
port-mirror;
sample;
(service | skip);
}
}
}
simple-filter filter-name {
interface-specific;
term term-name {
from {
destination-address ip-prefix</prefix-length>;
destination-port port-name;
forwarding-class [ class-names ];
protocol protocol-name;
source-address ip-prefix</prefix-length>;
source-port port-name;
}
then {
forwarding-class class-name;
loss-priority (high | low | medium-high | medium-low);
policer policer-name;
}
}
}
}
}
