How to Specify Firewall Filter Match Conditions
Because firewall filter match conditions can match a variety of criteria, including packet fields and IP addresses, you can specify the following types of values in a single match condition:
- Numeric value or range of values
- Single text value or multiple text values
- Multiple numeric and text values
- Single prefix value or multiple prefix values
- Single bit-field value
- Multiple bit-field values using logical operators
Numeric and Text Values in Match Conditions
Numerous match conditions can be configured with numeric or text values or a combination of the two.
Numeric Values
You can specify numeric values in one of the following ways:
- Single number. A match occurs if the value of the field matches the number. For example: `source-port 25;`
- Range of numbers. A match occurs if the value of the field falls within the specified range. The following example matches source ports 1024 through 65535, inclusive: `source-port 1024-65535;`
Text Values
You can specify a text value as a synonym for a numeric value. A match occurs if the value of the field matches the number that corresponds to the synonym. For example, `source-port smtp;` matches if the value of the field is 25, because that numeric value corresponds to the text synonym smtp.
Multiple Numeric and Text Values
To specify multiple values in a single match condition, group the values within square brackets following the keyword. A match occurs if the value of the field matches the number that corresponds to any of the text synonyms, or falls within any of the configured numeric values or ranges. For example: `source-port [ smtp ftp-data 1024-65535 ];`
A match occurs if the value of the field in a packet is 25 (the synonym smtp), 20 (the synonym ftp-data), or any value from 1024 through 65535.
Prefixes in Match Conditions
Address filter conditions match prefix values in a packet, such as IP source and destination prefixes. For address filter match conditions, you specify a keyword, such as destination-address or destination-prefix, that identifies the field and one or more prefixes of that type that a packet must match.
You can specify the address in one of the following ways:
- Single prefix. A match occurs if the value of the field matches the prefix. For example:

```
[edit firewall family family-name filter filter-name term term-name from]
destination-address 10.0.0.0/8;
```

In this example, a match occurs if a destination address matches the prefix 10.0.0.0/8.

- Multiple prefixes. A match occurs if any one of the prefixes in the list matches the packet. For example:

```
[edit firewall family family-name filter filter-name term term-name from]
destination-address {
    10.0.0.0/8;
    192.168.0.0/32;
}
```

In this example, a match occurs if a destination address matches either the 10.0.0.0/8 or the 192.168.0.0/32 prefix.
To exclude a prefix, specify the string except after the prefix. In the following example, any address that falls under the 192.168.10.0/8 prefix (only the first 8 bits are significant, so this is the same as 192.0.0.0/8) matches, except for addresses that fall under 192.168.0.0/16. All other addresses implicitly do not match this condition.

```
[edit firewall family family-name filter filter-name term term-name from]
destination-address {
    192.168.0.0/16 except;
    192.168.10.0/8;
}
```

To match all destinations except one, in this example 10.1.1.0/24, configure the match condition as follows:

```
[edit firewall family family-name filter filter-name term term-name from]
destination-address {
    0.0.0.0/0;
    10.1.1.0/24 except;
}
```
To configure match conditions that include both the source and destination prefixes for the vpls protocol family, specify the ip-address keyword (instead of source-ip-address or destination-ip-address). If either source-ip-address or destination-ip-address falls within the address range, then it is a match. If you configure an except string, it must match both source-ip-address and destination-ip-address before the exception applies.
You can also configure match conditions that include both source and destination addresses for the inet or inet6 families. Specify the address keyword (instead of source-address or destination-address). If either source-address or destination-address falls within the address range, it is a match. If you configure an except string, both source-address and destination-address must fall within the excepted range before the exception applies. In practice this means an except entry under address or ip-address cannot be relied on to exclude traffic that is merely sourced from, or destined to, that range; when the exception must apply to one direction, use source-address or destination-address instead.
In the following example for the vpls family, the ip-address prefix is configured with an except string:

```
[edit firewall family vpls filter filter-name term term-name from]
ip-address {
    55.0.0.0/8;
    55.0.1.0/255.0.255.0 except;
}
```

In this example, if source-ip-address falls within the exception range 55.0.1.0/255.0.255.0 but destination-ip-address matches 55.0.0.0/8, the packet is still considered a match; the exception takes effect only when both addresses fall within the excepted range.
To specify the address prefix, use the notation prefix/prefix-length. If you do not specify prefix-length, it defaults to /32, so a bare address such as 10.2.2.2 matches only that single host.
You can also specify a netmask value rather than a prefix length, using the notation address/netmask (for example, 55.0.1.0/255.0.255.0 in the vpls example above).
Noncontiguous Address Prefixes
You can specify noncontiguous address prefixes in a filter term for firewall filters. A noncontiguous address prefix is one whose netmask is not a contiguous run of leading 1 bits, for example 0.0.0.10/0.0.0.255, 0.10.0.10/0.255.0.255, and 0.12.10.9/0.255.255.255.

Note: Noncontiguous address prefixes are valid only for IPv4 filters. IPv6 filters do not support noncontiguous address prefixes.

For example, the prefix 10.0.0.10/255.0.0.255 matches any address whose first and last octets are 10. The address and netmask are separated by a forward slash (/), and only the address bits selected by the netmask must match, so the second and third bytes can be any value from 0 through 255.
Prefix Order
The order in which you list prefixes is not significant; all of them are evaluated to determine whether a match occurs. If prefixes overlap, longest-match rules decide which entry applies. Each list of prefixes ends with an implicit 0/0 except statement, so any address that matches no prefix in the list is considered not to match.
Because the prefixes are order-independent and use longest-match rules, a shorter prefix subsumes any longer prefix of the same type (whether you specify except or not) that falls under it: anything that would match the longer prefix also matches the shorter one. Consider the following example:

```
[edit firewall family family-name filter filter-name term term-name from]
source-address {
    172.16.0.0/10;
    172.16.2.0/24 except;
    172.16.3.0/24;
    10.2.2.2 except;
}
```

- 172.16.1.2 matches the 172.16.0.0/10 prefix (only the first 10 bits are significant, so this entry covers 172.0.0.0 through 172.63.255.255), and thus the action in the then statement is taken.
- 172.16.2.2 matches both 172.16.0.0/10 and 172.16.2.0/24; the longer prefix wins, and because it is negated (marked as except), an explicit mismatch occurs. The next term in the filter is evaluated, if there is one. If there are no more terms, the packet is discarded by the filter's implicit discard.
- 10.1.2.3 does not match any of the prefixes included in the source-address condition. Instead, it matches the implicit 0.0.0.0/0 except at the end of the list, and is considered a mismatch.
- The 172.16.3.0/24 statement is ignored because it falls under 172.16.0.0/10 and both are the same type. (Had the negated entry been written as 172.16.2.0/16, it would have meant 172.16.0.0/16 except and would have covered 172.16.1.2 as well, so the lengths matter.)
- The 10.2.2.2 except statement is ignored because it is subsumed by the implicit 0.0.0.0/0 except statement at the end of the list.
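The rules in this section (order independence, longest match, `except`, the implicit 0/0 except, noncontiguous netmasks, and the either-endpoint semantics of address/ip-address) are small enough to model directly. The following Python is an added example written for this page, not Junos code or Juniper's implementation. It evaluates the lists shown above, and it also flags entries that can never affect the outcome, which is how the two ignored statements in the walkthrough are found. `PREFIX_ORDER_EXAMPLE` reproduces the example above with /24 lengths for the two 172.16.x.0 entries, which is the reading under which the walkthrough holds; the constant names and the `redundant_entries` check are this example's own.

```python
"""Model of how a Junos firewall filter evaluates an address prefix list.

Rules modelled: the list is order-independent, the longest matching prefix
decides, `except` on the winning prefix means "no match", and an implicit
`0/0 except` catches everything else.  Noncontiguous netmasks (IPv4 only)
are handled by comparing the number of mask bits instead of a prefix length.
Illustrative model written for this article, not Junos code.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class PrefixEntry:
    network: int   # prefix address already ANDed with the mask
    mask: int      # 32-bit mask; may be noncontiguous, e.g. 255.0.0.255
    negated: bool  # True for an entry written with `except`

    @property
    def length(self) -> int:
        # Number of significant bits; this is what "longest match" compares.
        return bin(self.mask).count("1")

    def contains(self, addr: int) -> bool:
        return (addr & self.mask) == self.network

    def covers(self, other: "PrefixEntry") -> bool:
        # True if every address matched by `other` is also matched by self.
        return (self.mask & other.mask) == self.mask and (other.network & self.mask) == self.network


def parse_entry(text: str) -> PrefixEntry:
    """Parse one line as written under source-address { ... }, e.g. '10.2.2.2 except'."""
    tokens = text.strip().rstrip(";").split()
    negated = len(tokens) == 2 and tokens[1] == "except"
    addr_part, _, mask_part = tokens[0].partition("/")
    addr = int(ipaddress.IPv4Address(addr_part))
    if mask_part == "":
        mask = 0xFFFFFFFF                                  # no length given: defaults to /32
    elif "." in mask_part:
        mask = int(ipaddress.IPv4Address(mask_part))       # address/netmask form
    else:
        plen = int(mask_part)
        mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF if plen else 0
    return PrefixEntry(addr & mask, mask, negated)


def matches(address: str, entries: Iterable[str]) -> bool:
    """True if `address` matches the prefix list under Junos longest-match rules."""
    addr = int(ipaddress.IPv4Address(address))
    best: Optional[PrefixEntry] = None
    for raw in entries:
        entry = parse_entry(raw)
        if entry.contains(addr) and (best is None or entry.length > best.length):
            best = entry
    if best is None:
        return False          # implicit 0/0 except: nothing listed, so no match
    return not best.negated


def matches_either(source: str, destination: str, entries: Iterable[str]) -> bool:
    """Semantics of the `address` / `ip-address` keywords: a match if either endpoint
    matches; an `except` only takes effect when neither endpoint produces a match."""
    return matches(source, entries) or matches(destination, entries)


def redundant_entries(entries: List[str]) -> List[str]:
    """Entries that can never change the outcome: a prefix covered by a shorter prefix
    of the same type, or an `except` that no positive prefix contains (the implicit
    0/0 except already excludes it)."""
    parsed = [(raw, parse_entry(raw)) for raw in entries]
    redundant = []
    for raw, e in parsed:
        same_type_cover = any(f.negated == e.negated and f.length < e.length and f.covers(e)
                              for _, f in parsed)
        positive_cover = any(not f.negated and f.covers(e) for _, f in parsed)
        if same_type_cover or (e.negated and not positive_cover):
            redundant.append(raw)
    return redundant


# Constructed inputs taken from the examples in this section.
PREFIX_ORDER_EXAMPLE = ["172.16.0.0/10", "172.16.2.0/24 except", "172.16.3.0/24", "10.2.2.2 except"]
ALL_BUT_ONE = ["0.0.0.0/0", "10.1.1.0/24 except"]                   # everything except 10.1.1.0/24
VPLS_EXCEPT_EXAMPLE = ["55.0.0.0/8", "55.0.1.0/255.0.255.0 except"]  # noncontiguous netmask as the exception

if __name__ == "__main__":
    for ip in ("172.16.1.2", "172.16.2.2", "10.1.2.3"):
        print(ip, "->", "match" if matches(ip, PREFIX_ORDER_EXAMPLE) else "no match")
    print("ignored entries:", redundant_entries(PREFIX_ORDER_EXAMPLE))
    print("vpls src in except, dst in /8 ->", matches_either("55.0.1.7", "55.2.3.4", VPLS_EXCEPT_EXAMPLE))
```

Running `redundant_entries` over a term's prefix list before committing it is a cheap way to catch an `except` that silently does nothing because no positive prefix contains it, which is the failure mode of the 10.2.2.2 except entry above.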
Best Practice: When a firewall filter term includes the from address match condition and a subsequent term includes the from source-address match condition for the same address, packets may be processed by the latter term before they are evaluated by any intervening terms. Therefore, packets that should be rejected by the intervening terms may be accepted, or packets that should be accepted may be rejected. To prevent this, for every firewall filter term that contains the from address match condition, replace that term with two separate terms: one that contains the from source-address match condition, and another that contains the from destination-address match condition.
Prefix Lists
You can also define a list of IP address prefixes under a prefix-list alias for frequent reference. You make this definition with the prefix-list statement at the [edit policy-options] hierarchy level.
After you have defined a prefix list, you can reference it by name from a firewall filter term (through the source-prefix-list, destination-prefix-list, or prefix-list match conditions) instead of repeating the prefixes in every filter that needs them.
Bit-Field Values in Match Conditions
Bit-field filter conditions match packet fields if particular bits in those fields are or are not set.
The following conditions match on bit-field values:
- first-fragment
- fragment-flags
- is-fragment
- tcp-established
- tcp-flags
- tcp-initial
Note: Junos OS does not automatically check the first-fragment bit when matching TCP flags. Non-initial fragments carry no TCP header, so a tcp-flags match alone says nothing about them. For IPv4 traffic only, to include the first-fragment bit, also include the fragment-offset match condition. This condition is not supported for any other protocol family.
Single Bit-Field Value
To specify the bit-field value to match, enclose the value in quotation marks (" "). For example, the following matches if the RST bit in the TCP flags field is set: `tcp-flags "rst";`
Generally, you specify the bits being tested using text synonyms. Bit-field text values always map to a single bit. You can also specify bit fields as hexadecimal or decimal numbers.
To negate a match, precede the value with an exclamation point. For example, the following matches only if the RST bit in the TCP flags field is not set: `tcp-flags "!rst";`
Multiple Bit-Field Values
To match multiple bit-field values, use the logical operators listed in Table 1. The operators are listed in order from highest precedence to lowest. Operations are left-associative.
Table 1: Bit-Field Logical Operators

| Logical Operator | Description |
|---|---|
| (...) | Grouping |
| ! | Negation |
| & or + | Logical AND |
| \| or , | Logical OR |
As an example of a logical AND operation, the following matches if the packet is the initial packet on a TCP session: `tcp-flags "syn & !ack";`
In this example, a match occurs if the SYN flag is set and the ACK flag is not. SYN is set only in the initial packet sent on a TCP session, and ACK is set in every packet sent after it, so the SYN-ACK reply and all later segments do not match.
As an example of a logical OR operation, the following matches if the packet is not the initial packet on a TCP session: `tcp-flags "!syn | ack";`
In this example, a match occurs either if the SYN flag is not set or if the ACK flag is set. Because the SYN flag is set only in the initial packet sent on a TCP session and the ACK flag is set in all packets sent after the initial packet, a match occurs if the packet is not the initial packet.
As an example of grouping, the following matches any packet that is either a TCP reset or is not the initial packet in the session: `tcp-flags "(!syn & ack) | rst";`
In this example, a match occurs if the SYN flag is not set and the ACK flag is set, or if the RST flag is set. Because the SYN flag is set only in the initial packet sent on a TCP session and the ACK flag is set in all packets sent after the initial packet, a match occurs if the packet is not the initial packet. A match also occurs if the packet has the TCP reset flag set.
When you specify a numeric value that has more than one bit set, the value is treated as a logical AND of the set bits. For example, !0x3 and !(0x01 & 0x02) are the same condition: a match occurs only if bit 0x01 or bit 0x02 is not set.
You can use text synonyms to specify some common bit-field matches as a single keyword. For example, the tcp-established condition matches TCP packets other than the first packet of a connection; it is a synonym for "(ack | rst)". Because the match is stateless, any packet that carries the ACK or RST bit satisfies it, whether or not a connection actually exists.
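As an added example written for this page (not Junos code or Juniper's implementation), the following Python evaluates tcp-flags expressions under the operator table above and checks the equivalences this section relies on: the AND, OR, and grouping examples, the !0x3 versus !(0x01 & 0x02) equivalence, and the tcp-established synonym. The flag-bit values are the standard TCP header bits; the tcp-initial expansion "(syn & !ack)" is an assumption of this example, not stated on this page, and the function names are this example's own.

```python
"""Evaluator for Junos tcp-flags bit-field expressions.

Implements the operator table above: grouping, then `!`, then `&`/`+`, then
`|`/`,`, all left-associative.  A numeric value with several bits set means
all of those bits must be set (a logical AND).  Illustrative model written
for this article, not Junos code.
"""
import re
from typing import List

# Text synonyms for the individual TCP flag bits (standard TCP header bit values).
TCP_FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "push": 0x08, "ack": 0x10, "urgent": 0x20}

# Single-keyword conditions and the tcp-flags expression each stands for.
BIT_FIELD_SYNONYMS = {
    "tcp-established": "(ack | rst)",   # stated in the text above
    "tcp-initial": "(syn & !ack)",      # assumed expansion, not taken from the text
}

_TOKEN = re.compile(r"\s*(\(|\)|!|&|\+|\||,|0x[0-9a-fA-F]+|\d+|[a-z]+)")


def tokenize(expr: str) -> List[str]:
    """Split an expression such as '(!syn & ack) | rst' into operator and operand tokens."""
    expr = expr.strip().strip('"').strip("\u201c\u201d").strip()
    tokens, pos = [], 0
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected input at {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class _Evaluator:
    """Recursive-descent evaluation against one packet's TCP flags byte."""

    def __init__(self, tokens: List[str], flags: int):
        self.tokens, self.pos, self.flags = tokens, 0, flags

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self) -> str:
        if self.pos >= len(self.tokens):
            raise ValueError("unexpected end of expression")
        tok = self.tokens[self.pos]
        self.pos += 1
        return tok

    def parse_or(self) -> bool:            # lowest precedence: | or ,
        value = self.parse_and()
        while self.peek() in ("|", ","):
            self.take()
            rhs = self.parse_and()         # always evaluate rhs so its tokens are consumed
            value = value or rhs
        return value

    def parse_and(self) -> bool:           # & or +
        value = self.parse_not()
        while self.peek() in ("&", "+"):
            self.take()
            rhs = self.parse_not()
            value = value and rhs
        return value

    def parse_not(self) -> bool:           # ! binds tighter than & and |
        if self.peek() == "!":
            self.take()
            return not self.parse_not()
        return self.parse_atom()

    def parse_atom(self) -> bool:          # grouping, text synonym, or decimal/hex number
        tok = self.take()
        if tok == "(":
            value = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return value
        bits = TCP_FLAG_BITS[tok] if tok in TCP_FLAG_BITS else int(tok, 0)
        return (self.flags & bits) == bits  # multi-bit number: every listed bit must be set


def tcp_flags_match(expr: str, flags: int) -> bool:
    """True if a packet whose TCP flags byte is `flags` matches `tcp-flags expr`."""
    ev = _Evaluator(tokenize(expr), flags)
    result = ev.parse_or()
    if ev.peek() is not None:
        raise ValueError(f"trailing input: {ev.peek()!r}")
    return result


def condition_match(condition: str, flags: int) -> bool:
    """Evaluate a single-keyword condition such as tcp-established."""
    return tcp_flags_match(BIT_FIELD_SYNONYMS[condition], flags)


def equivalent(expr_a: str, expr_b: str) -> bool:
    """True if both expressions agree for every combination of the six flag bits."""
    return all(tcp_flags_match(expr_a, f) == tcp_flags_match(expr_b, f) for f in range(0x40))
```

`equivalent` tries all 64 flag combinations, which is the check to run before rewriting a tcp-flags expression in a production filter: it proves, for instance, that dropping the parentheses from "(!syn & ack) | rst" does not change its meaning, while "!syn & (ack | rst)" does.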