Configuring Actions in Firewall Filter Terms
In the then statement in a firewall filter term, you specify the actions to perform on packets whose characteristics match the conditions specified in the preceding from statement. To configure a filter action, include the then statement at the [edit firewall family family-name filter filter-name term term-name] hierarchy level:
Best Practice: We strongly recommend that you always explicitly configure an action in the then statement. If you do not, or if you omit the then statement entirely, packets that match the conditions in the from statement are accepted.
You can specify at most one terminating action in a term (or omit it), together with any combination of nonterminating actions. The actions take effect only if every condition in the from statement matches. The log action is a nonterminating action; it does not by itself end evaluation of the filter.
A term whose then statement contains only nonterminating actions carries an implicit accept. For example, if you specify count alone and no terminating action, the packet is counted and then accepted, and no later term in the filter is evaluated for that packet. To suppress the implicit accept and have Junos OS continue evaluating the following term, use the next term statement.
The following actions are terminating actions:
- accept
- discard
- reject
- logical-system logical-system-name
- routing-instance routing-instance-name
- topology topology-name
Note: You cannot configure the next term action with a terminating action in the same filter term. You can only configure the next term action with nonterminating actions in the same filter term.
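The following filter is an added example (it is not configuration from the original page) that shows the three cases described above in one place: a term with an explicit terminating action, a term with only nonterminating actions plus next term so that evaluation falls through, and a terminating reject with tcp-reset. The filter name mgmt-in, the 10.0.0.0/24 prefix and the counter names are assumptions chosen for illustration.

```junos
firewall {
    family inet {
        filter mgmt-in {
            /* Nonterminating actions (count, log) plus an explicit accept.
             * Without "accept" the term would still accept the packet via
             * the implicit accept, so stating it makes the intent visible. */
            term trusted-ssh {
                from {
                    source-address {
                        10.0.0.0/24;          /* assumed management prefix */
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    count trusted-ssh;        /* assumed counter name */
                    log;
                    accept;
                }
            }
            /* "next term" suppresses the implicit accept so the packet is
             * also evaluated by the following terms. It cannot share a term
             * with a terminating action (accept, discard, reject, ...). */
            term audit-telnet {
                from {
                    protocol tcp;
                    destination-port telnet;
                }
                then {
                    count telnet-attempts;    /* assumed counter name */
                    syslog;
                    next term;
                }
            }
            /* Terminating action: a TCP RST makes misconfigured clients fail
             * fast; non-TCP packets would get ICMP administratively-prohibited. */
            term reject-telnet {
                from {
                    protocol tcp;
                    destination-port telnet;
                }
                then {
                    reject tcp-reset;
                }
            }
            /* Explicit catch-all so that the drop is counted; a filter that
             * ends without matching any term discards the packet anyway. */
            term default-discard {
                then {
                    count other-discards;     /* assumed counter name */
                    discard;
                }
            }
        }
    }
}
```

A telnet attempt is counted in telnet-attempts, logged to the system log, and then hits reject-telnet, which terminates evaluation with a TCP reset; an SSH connection from 10.0.0.0/24 never reaches the later terms. Verify with show firewall filter mgmt-in (counters) and show firewall log after applying the filter with an input filter statement on an interface.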
Policing uses a specific type of action, known as a policer action. For more information, see Configuring Policer Actions.
For more information about forwarding classes and loss priority, see the Junos Class of Service Configuration Guide.
Table 1 shows the complete list of filter actions, both terminating and nonterminating.
Table 1: Firewall Filter Actions
Action | Description |
|---|---|
accept | Accept a packet. |
count counter-name | Count the packet in the specified counter. |
dscp value | (Family inet only) Set the IPv4 Differentiated Services code point (DSCP) value. You can specify a value from 0 through 63. The default DSCP value is best effort, that is, be or 0. You can also specify a text synonym (for example, be for 0). Note: The actions dscp 0 or dscp be are supported only on T Series and M320 routers and on the 10-Gigabit Ethernet Modular Port Concentrators (MPC), 60-Gigabit Ethernet MPC, 60-Gigabit Ethernet Queuing MPC, and 60-Gigabit Ethernet Enhanced Queuing MPC on MX Series routers. However, these actions are not supported on Enhanced III Flexible PIC Concentrators (FPCs) on M320 routers. |
discard | Discard a packet silently, without sending an Internet Control Message Protocol (ICMP) message. Discarded packets are available for logging and sampling. |
forwarding-class class | Classify the packet into one of the following forwarding classes: assured-forwarding, best-effort, expedited-forwarding, or network-control. |
ipsec-sa ipsec-sa | (Family inet only) Use the specified IPsec security association. Note: This action is not supported on MX Series routers. |
load-balance group-name | (Family inet only) Use the specified load-balancing group. |
log | (Family inet and inet6 only) Log the packet header information in a buffer within the Packet Forwarding Engine. You can access this information by issuing the show firewall log command at the command-line interface (CLI). |
logical-system logical-system-name | Specify a logical system to which packets are forwarded. |
loss-priority (high | medium-high | medium-low | low) | Set the loss priority level for packets. Supported on MX Series routers; M120 and M320 routers; and M7i and M10i routers with the Enhanced CFEB (CFEB-E). On M320 routers, you must enable the tricolor statement at the [edit class-of-service] hierarchy level to commit a PLP configuration with any of the four levels specified. If the tricolor statement is not referenced, you can only configure the high and low levels. This applies to all protocol families. You cannot also configure the three-color-policer nonterminating action for the same firewall filter term. These two nonterminating actions are mutually exclusive. |
next term | Continue to the next term for evaluation. |
next-hop-group group-name | (Family inet only) Use the specified next-hop group. |
policer policer-name | Rate-limit packets based on the specified policer. |
port-mirror | (Family bridge, ccc, inet, inet6, and vpls only) Port-mirror packets based on the specified family. Supported on M120 routers, M320 routers configured with Enhanced III FPCs, and MX Series routers only. |
prefix-action name | (Family inet only) Count or police packets based on the specified action name. |
reject message-type | Discard a packet, sending an ICMPv4 or an ICMPv6 destination unreachable message. Rejected packets can be logged or sampled if you configure either the sample or the syslog action modifier. You can specify one of the following message codes: administratively-prohibited (default), bad-host-tos, bad-network-tos, host-prohibited, host-unknown, host-unreachable, network-prohibited, network-unknown, network-unreachable, port-unreachable, precedence-cutoff, precedence-violation, protocol-unreachable, source-host-isolated, source-route-failed, or tcp-reset. If you specify tcp-reset, a Transmission Control Protocol (TCP) reset is returned if the packet is a TCP packet. Otherwise, the default code of administratively-prohibited, which has a value of 13, is returned. Supported for family inet and inet6 only. |
routing-instance routing-instance | (Family inet and inet6 only) Specify a routing instance to which packets are forwarded. |
sample | (Family inet, inet6, and mpls only) Sample the packets. |
service-filter-hit | (Family inet and inet6 only) Indicate to subsequent filters in the chain that the packet was already processed. This action, coupled with the service-filter-hit match condition in receiving filters, helps to streamline filter processing. |
syslog | Log the packet to the system log file. |
three-color-policer policer-name | Apply rate limits to the traffic using the tricolor marking policer. You cannot also configure the loss-priority action modifier for the same firewall filter term. These two action modifiers are mutually exclusive. |
topology topology-name | (Family inet and inet6 only) Specify a topology to which packets are forwarded. |
traffic-class value | (Family inet6 only) Specify the traffic-class code point. You can specify a value from 0 through 63. The default traffic-class value is best effort, that is, be or 0. You can also specify a text synonym (for example, be for 0). Note: The actions traffic-class 0 or traffic-class be are supported only on T Series and M320 routers and on the 10-Gigabit Ethernet Modular Port Concentrator (MPC), 60-Gigabit Ethernet MPC, 60-Gigabit Ethernet Queuing MPC, and 60-Gigabit Ethernet Enhanced Queuing MPC on MX Series routers. However, these actions are not supported on Enhanced III Flexible PIC Concentrators (FPCs) on M320 routers. |
Example: Counting and Sampling Accepted Packets
Count, sample, and accept the traffic:
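The page's original configuration for this example is not reproduced here. The following is an added example (not the original page's configuration) of a filter that counts, samples, logs and accepts all traffic, applied as an input filter on at-2/0/0.301, the interface that appears in the log output that follows. The filter name sam and counter name sam-1 are taken from that output; the sampling stanza, the 1:1 sampling rate and the file parameters are assumptions, and the layout of the [edit forwarding-options sampling] hierarchy has changed between Junos OS releases (in older releases the rate sits under input family inet and output is a sibling of input), so check the release you run.

```junos
firewall {
    family inet {
        filter sam {
            /* No from statement: every packet matches. */
            term all {
                then {
                    count sam-1;    /* counter shown by "show firewall filter sam" */
                    sample;         /* written to the sampling output file */
                    log;            /* header kept in the PFE buffer, "show firewall log" */
                    accept;         /* explicit terminating action */
                }
            }
        }
    }
}
interfaces {
    at-2/0/0 {
        unit 301 {
            family inet {
                filter {
                    input sam;
                }
            }
        }
    }
}
forwarding-options {
    sampling {
        input {
            rate 1;                 /* assumed: sample every packet (lab only) */
        }
        family inet {
            output {
                file {
                    filename sam;   /* lands in /var/tmp/sam */
                    files 5;        /* assumed rotation settings */
                    size 1m;
                }
            }
        }
    }
}
```

Keep a 1:1 sampling rate to short diagnostic sessions: sampling and logging consume Routing Engine and Packet Forwarding Engine resources, and an attacker who can generate traffic through the interface can drive that cost. Note also that the log action keeps only packet headers in a fixed-size PFE buffer, so show firewall log is a snapshot, not a complete record; use syslog where a durable trail is required.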
Display the packet counter:
```
user@host> show firewall filter sam
Filter: sam
Counters:
Name                     Bytes       Packets
sam-1                       98          8028
```
Display the firewall log output:
```
user@host> show firewall log
Time      Filter    A Interface     Pro Source address  Destination address
23:09:09  -         A at-2/0/0.301  TCP 10.2.0.25       10.211.211.1:80
23:09:07  -         A at-2/0/0.301  TCP 10.2.0.25       10.211.211.1:56
23:09:07  -         A at-2/0/0.301  ICM 10.2.0.25       10.211.211.1:49552
23:02:27  -         A at-2/0/0.301  TCP 10.2.0.25       10.211.211.1:56
23:02:25  -         A at-2/0/0.301  TCP 10.2.0.25       10.211.211.1:80
23:01:22  -         A at-2/0/0.301  ICM 10.2.2.101      10.211.211.1:23251
23:01:21  -         A at-2/0/0.301  ICM 10.2.2.101      10.211.211.1:16557
23:01:20  -         A at-2/0/0.301  ICM 10.2.2.101      10.211.211.1:29471
23:01:19  -         A at-2/0/0.301  ICM 10.2.2.101      10.211.211.1:26873
```
This output file contains the following fields:
- Time—Time at which the packet was received (not shown in the default).
- Filter—Name of a filter that has been configured with the filter statement at the [edit firewall] hierarchy level. A hyphen (-) or the abbreviation pfe indicates that the packet was handled by the Packet Forwarding Engine. A space (no hyphen) indicates that the packet was handled by the Routing Engine.
- A—Filter action:
- A—Accept (or next term)
- D—Discard
- R—Reject
- Interface—Interface on which the filter is configured.
- Pro—Packet’s protocol name or number.
- Source address—Source IP address in the packet.
- Destination address—Destination IP address in the packet.
Display the sampling output:
```
user@host> show log /var/tmp/sam
# Apr 7 15:48:50
# Time           Dest           Src            Dest  Src   Proto  TOS   Pkt  Intf  IP    TCP
#                addr           addr           port  port               len  num   frag  flags
Apr 7 15:48:54   192.168.9.194  192.168.9.195  0     0     1      0x0   84   8     0x0   0x0
Apr 7 15:48:55   192.168.9.194  192.168.9.195  0     0     1      0x0   84   8     0x0   0x0
Apr 7 15:48:56   192.168.9.194  192.168.9.195  0     0     1      0x0   84   8     0x0   0x0
```
Note: When you enable reverse path forwarding (RPF) on an interface with an input filter for firewall log and count, the input firewall filter does not log the packets rejected by RPF, although the rejected packets are counted. To log the rejected packets, use an RPF check fail filter.
For more information about sampling output, see Applying Filters to Forwarding Tables.
Example: Setting the DSCP Bit to Zero
Set the DSCP bit to 0 (zero) using a firewall filter:
Apply this filter to the logical interface corresponding to the VPN routing and forwarding (VRF) instance:
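The page's original configuration for this example is not reproduced here. The following is an added example (not the original page's configuration) of a filter that rewrites the DSCP field to 0 on ingress and is applied to the logical interface that belongs to a VRF instance. Clearing DSCP at the VRF edge stops a customer or peer from injecting markings such as expedited-forwarding into the provider core and claiming priority it was not granted. The filter name, interface, addresses, route distinguisher and VRF target are assumptions; and, as the table above notes, dscp 0 is supported only on certain platforms, so confirm support before relying on it.

```junos
firewall {
    family inet {
        filter zero-dscp {
            /* No from statement: every packet entering the VRF interface
             * has its DSCP value rewritten to 0 (be) and is then accepted. */
            term clear {
                then {
                    dscp 0;
                    count dscp-rewritten;   /* assumed counter name */
                    accept;
                }
            }
        }
    }
}
interfaces {
    ge-1/0/0 {
        vlan-tagging;
        unit 10 {
            vlan-id 10;                     /* assumed VLAN */
            family inet {
                address 172.16.10.1/24;     /* assumed PE-CE address */
                filter {
                    input zero-dscp;
                }
            }
        }
    }
}
routing-instances {
    vpn-a {                                 /* assumed VRF name */
        instance-type vrf;
        interface ge-1/0/0.10;
        route-distinguisher 65000:10;       /* assumed */
        vrf-target target:65000:10;         /* assumed */
    }
}
```

After committing, show firewall filter zero-dscp should show the dscp-rewritten counter increasing with customer traffic; if the platform does not support dscp 0, the commit fails or the action has no effect, which is why the counter is worth keeping alongside the rewrite.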

