Firewall Filter Components

A firewall filter consists of a protocol family and one or more terms that specify the filtering criteria and the action to take if a match occurs. After you define a firewall filter, you apply it to specific interfaces. Because creating a filter and applying it are separate steps, you can apply the same filter to several interfaces on the router, and when the filter needs updating you change it in only one place.

Protocol Family

When writing a firewall filter, you start by selecting the protocol family for which you want to specify filtering criteria. Firewall filters support the following protocol families:

  • IPv4 (inet)
  • IPv6 (inet6)
  • MPLS (mpls)
  • VPLS (vpls)
  • Circuit cross-connects (ccc)
  • (MX Series Ethernet Services routers only) Bridge (bridge)
  • Protocol-independent (any)

Terms

A firewall filter consists of one or more terms. Each term can include both match criteria and actions.

The order in which you configure firewall filter terms is important. Terms are evaluated in the order in which they are configured, and the first term whose terminating action applies decides the fate of the packet. By default, new terms are always added to the end of the existing filter, so a term added later can sit behind a catch-all term and never be reached. You can use the insert configuration-mode command to reorder the terms of a firewall filter.

By default, each firewall filter ends with an implicit deny-all term: packets that do not match any of the configured terms are silently discarded. If you want those packets counted or logged, add an explicit final term that combines count or log with a terminating action such as discard.

If a packet arrives on an interface and no firewall filter is configured for incoming traffic on that interface, the packet is accepted by default.

Match Conditions

Match conditions are the fields or values that the packet must contain. You can define various match conditions, including the IP source address field, IP destination address field, TCP or User Datagram Protocol (UDP) source or destination port field, IP protocol field, Internet Control Message Protocol (ICMP) packet type, IP options, TCP flags, incoming logical or physical interface, and outgoing logical or physical interface.

Actions

Within a single term, all the match conditions configured must match the packet before the configured action is taken on the packet. For a single match condition configured with multiple values, such as a range of values, only one of the values must match the packet before the match occurs and the configured action is taken on the packet.

Actions fall into the following categories:

  • Terminating—A terminating action halts all evaluation of a firewall filter for a specific packet. The router performs the specified action, and no additional terms are examined.
  • Nonterminating
    • Actions—Nonterminating actions are used to perform other functions on a packet, such as incrementing a counter, logging information about the packet header, sampling the packet data, or sending information to a remote host using the system log functionality.
    • Next Term—The action next term causes the router to perform the term's other configured actions on the packet and then evaluate the following term in the filter, rather than terminating the filter. If the next term action is included, the matching packet is evaluated against the next term in the firewall filter; otherwise, the matching packet is not evaluated against subsequent terms. Note that a term whose only actions are nonterminating (for example, count) implicitly accepts matching packets rather than discarding them. To count or log a packet without accepting it, add next term so that evaluation continues, or add an explicit terminating action such as discard.

Terminating and nonterminating actions that are configured within a single term are all taken on traffic that matches the conditions configured.
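The following filter is an added example written for this page; it is not configuration from the original document or from Juniper. It shows the points above in one place: terms evaluated in order, a multi-value match condition (either listed port matches), a count-only term that would implicitly accept without next term, and an explicit final term that makes the implicit discard visible. The management prefix 192.0.2.0/24, the filter name mgmt-access, and the counter names are assumptions.

```junos
firewall {
    family inet {
        filter mgmt-access {
            /* Terms are evaluated top to bottom and the first terminating
               action wins. Every "from" condition in a term must match;
               where one condition lists several values, any one matches. */
            term allow-mgmt-ssh {
                from {
                    /* assumed management prefix */
                    source-address {
                        192.0.2.0/24;
                    }
                    protocol tcp;
                    /* SSH or NETCONF-over-SSH: either port matches */
                    destination-port [ ssh 830 ];
                }
                then accept;
            }
            /* Count SSH from everywhere else, then keep evaluating. Without
               "next term", a term whose only action is "count" implicitly
               accepts the packet, which would defeat the deny term below. */
            term count-other-ssh {
                from {
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    count other-ssh;
                    next term;
                }
            }
            term allow-icmp-echo {
                from {
                    protocol icmp;
                    icmp-type [ echo-request echo-reply ];
                }
                then accept;
            }
            /* Make the implicit discard explicit so that dropped packets
               are counted and logged rather than silently discarded. */
            term deny-rest {
                then {
                    count denied;
                    log;
                    discard;
                }
            }
        }
    }
}
```

Because new terms are appended, a term added later (say, one named allow-ntp) lands after deny-rest and is never reached; at the [edit firewall family inet filter mgmt-access] hierarchy level, insert term allow-ntp before term deny-rest moves it into place. After commit, show firewall filter mgmt-access displays the other-ssh and denied counters, and show firewall log shows the header information recorded by the log action.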

Application Points

After you define the firewall filter, you must apply it to an application point. These application points include logical interfaces, physical interfaces, routing interfaces, and routing instances. In most cases, you can apply a firewall filter as an input filter or an output filter, or both at the same time. Input filters take action on packets being received on the specified interface, whereas output filters take action on packets that are transmitted through the specified interface. You typically apply one filter with multiple terms to a single logical interface, to incoming traffic, outbound traffic, or both. However, there are times when you might want to chain multiple firewall filters (with single or multiple terms) together and apply them to an interface. You use an input list to apply multiple firewall filters to the incoming traffic on an interface. You use an output list to apply multiple firewall filters to the outbound traffic on an interface. You can include up to 16 filters in an input or an output list.
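As an added example (not configuration from the original page or from Juniper), the following applies two separately defined filters to the inet family of one logical interface with an input list. The interface ge-0/0/0, the address 198.51.100.2/30, the internal prefix 203.0.113.0/24, and the filter and policer names are assumptions. Each chained filter ends with an explicit accept term; without it, the implicit discard at the end of that filter would drop every packet the filter did not match.

```junos
firewall {
    /* Policer referenced by the second filter: 1 Mbps of ICMP,
       excess discarded. */
    policer icmp-1m {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        /* Filter 1: drop inbound packets that claim our own source prefix. */
        filter no-spoof-in {
            term drop-our-prefix {
                from {
                    /* assumed internal prefix */
                    source-address {
                        203.0.113.0/24;
                    }
                }
                then {
                    count spoofed;
                    discard;
                }
            }
            /* Explicit accept so the implicit discard does not drop the rest. */
            term pass {
                then accept;
            }
        }
        /* Filter 2: rate-limit ICMP, pass everything else. */
        filter rate-limit-icmp {
            term icmp {
                from {
                    protocol icmp;
                }
                then {
                    policer icmp-1m;
                    accept;
                }
            }
            term pass {
                then accept;
            }
        }
    }
}
interfaces {
    /* assumed upstream-facing interface */
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 198.51.100.2/30;
                filter {
                    /* Chained input filters, applied in the order listed. */
                    input-list [ no-spoof-in rate-limit-icmp ];
                }
            }
        }
    }
}
```

To apply a single filter instead of a list, use filter input filter-name or filter output filter-name at the same [edit interfaces interface-name unit unit-number family inet] hierarchy level.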

See Table 1 for a detailed description of each supported application point, the types of firewall filters supported by each application point, and any limitations.

Table 1: Firewall Filter Application Points

Each entry lists the application point, the filter type, the supported configuration hierarchy, and comments.

Application point: Physical interface. The filter affects packets for all logical interfaces configured on the physical interface.
Filter type: Hierarchical policer you define at the [edit firewall hierarchical-policer hierarchical-policer-name] hierarchy level.
Supported hierarchy: [edit interfaces interface-name layer2-policer input-hierarchical-policer]
Comments: Supported only on Gigabit Ethernet intelligent queuing (IQ2) PICs on the M120, M320, and T Series routers and on Enhanced Queuing Dense Port Concentrators (EQ DPC) on MX Series routers.

Application point: Logical interface. The filter affects all protocol families configured on the logical interface.
Filter type: Firewall filter you define for the protocol family any at the [edit firewall] hierarchy level.
Supported hierarchy:
  • [edit interfaces interface-name unit unit-number filter input filter-name]
  • [edit interfaces interface-name unit unit-number filter output filter-name]
Comments: Supported only on M320 and T Series routers, on M7i and M10i routers with the enhanced CFEB (CFEB-e), and on the 10-Gigabit Ethernet Modular Port Concentrator (MPC), 60-Gigabit Ethernet MPC, 60-Gigabit Ethernet Queuing MPC, and 60-Gigabit Ethernet Enhanced Queuing MPC on MX Series routers.

Application point: Logical interface. The filter affects all protocol families configured on the logical interface.
Filter type: Layer 2 policer you define at the [edit firewall policer policer-name] hierarchy level (input and output policers) or at the [edit firewall three-color-policer policer-name] hierarchy level (input and output three-color policers).
Supported hierarchy:
  • [edit interfaces interface-name unit unit-number layer2-policer input-policer policer-name]
  • [edit interfaces interface-name unit unit-number layer2-policer output-policer policer-name]
  • [edit interfaces interface-name unit unit-number input-three-color policer-name]
  • [edit interfaces interface-name unit unit-number output-three-color policer-name]
Comments: MX Series routers do not support Layer 2 policers applied to a logical interface. On MX Series routers, Layer 2 policers can be applied only as hierarchical policers.

Application point: Logical interface. The filter affects all protocol families configured on the logical interface.
Filter type: Hierarchical policer you define at the [edit firewall hierarchical-policer hierarchical-policer-name] hierarchy level.
Supported hierarchy: [edit interfaces interface-name unit unit-number layer2-policer input-hierarchical-policer policer-name]
Comments: Supported only on Gigabit Ethernet intelligent queuing (IQ2) PICs on the M120, M320, and T Series routers.

Application point: Protocol family on interface. The filter is applied to a specific protocol family on the logical interface.
Filter type: Standard firewall filter you define at the [edit firewall family family-name filter filter-name] hierarchy level for any of the following protocol families: any, bridge, ccc, inet, inet6, mpls, and vpls.
Supported hierarchy:
  • [edit interfaces interface-name unit unit-number family family-name filter input filter-name]
  • [edit interfaces interface-name unit unit-number family family-name filter output filter-name]
  • [edit interfaces interface-name unit unit-number family family-name filter input-list [ filter-names ]]
  • [edit interfaces interface-name unit unit-number family family-name filter output-list [ filter-names ]]
Comments: The protocol family bridge is supported only on MX Series routers.

Application point: Protocol family on interface. The filter is applied to a specific protocol family on the logical interface.
Filter type: Simple filter you define at the [edit firewall family inet simple-filter filter-name] hierarchy level.
Supported hierarchy: [edit interfaces interface-name unit unit-number family inet simple-filter input filter-name]
Comments: Supported for protocol family inet only, on Gigabit Ethernet intelligent queuing (IQ2) PICs on the M120, M320, and T Series routers and on Enhanced Queuing Dense Port Concentrators (EQ DPC) on MX Series routers.

Application point: Protocol family on interface. The policer is applied to a specific protocol family on the logical interface.
Filter type: Policer applied to incoming or outbound traffic that you define at the [edit firewall policer policer-name] hierarchy level.
Supported hierarchy:
  • [edit interfaces interface-name unit unit-number family family-name policer input policer-name]
  • [edit interfaces interface-name unit unit-number family family-name policer output policer-name]
Comments: The following protocol families are supported: bridge, ccc, inet, inet6, mpls, tcc, and vpls. The protocol family bridge is supported only on MX Series routers.

Application point: Protocol family on interface. The policer is applied to a specific protocol family on the logical interface.
Filter type: Address Resolution Protocol (ARP) policer you define at the [edit firewall policer policer-name] hierarchy level.
Supported hierarchy: [edit interfaces interface-name unit unit-number family inet policer arp policer-name]
Comments: Only the protocol family inet is supported. Define and apply an ARP policer to override the ARP policer that is installed by default. The default ARP policer is shared by all interfaces configured on the router; an ARP policer you define applies only to the specific interfaces on which you apply it. ARP policers are supported on Ethernet, Gigabit Ethernet, and aggregated Ethernet interfaces, routing interfaces, and logical tunnel interfaces. For logical tunnel interfaces, only Ethernet and virtual LAN (VLAN) encapsulation is supported.

Application point: Protocol family on interface. The filter is applied to a specific protocol family on the logical interface.
Filter type: Service filter you define at the [edit firewall family family-name service-filter filter-name] hierarchy level and apply as an input or output filter to a service set. Only the protocol families inet and inet6 are supported.
Supported hierarchy:
  • [edit interfaces interface-name unit unit-number family (inet | inet6) service input service-set service-set-name service-filter filter-name]
  • [edit interfaces interface-name unit unit-number family (inet | inet6) service output service-set service-set-name service-filter filter-name]
  For service-set-name, specify a service set configured at the [edit services service-set] hierarchy level.
Comments: Supported only on Adaptive Services (AS) and Multiservices (MS) PICs.

Application point: Protocol family on interface. The filter is applied to a specific protocol family on the logical interface.
Filter type: Postservice filter you define at the [edit firewall family family-name service-filter filter-name] hierarchy level. Only the protocol families inet and inet6 are supported.
Supported hierarchy: [edit interfaces interface-name unit unit-number family (inet | inet6) service input post-service-filter filter-name]
Comments: A postservice filter is applied to traffic returning to the services interface after service processing. The filter is applied only if a service set is configured and selected.

Application point: Protocol family on interface. The filter is applied to a specific protocol family on the logical interface.
Filter type: Reverse path forwarding (RPF) check fail filter you define at the [edit firewall family family-name filter filter-name] hierarchy level. Only the protocol families inet and inet6 are supported.
Supported hierarchy: [edit interfaces interface-name unit unit-number family (inet | inet6) rpf-check fail-filter filter-name]
Comments: Supported on MX Series routers only.

Application point: Routing instance. The filter is applied to a forwarding table; each forwarding table is associated with a routing instance and virtual private network (VPN). You can also apply a forwarding table filter to the default routing instance.
Filter type: Filter you define at the [edit firewall family (inet | inet6 | mpls) filter filter-name] hierarchy level.
Supported hierarchy:
  • [edit forwarding-options family (inet | inet6 | mpls) filter input filter-name]
  • [edit forwarding-options family (inet | inet6 | mpls) filter output filter-name]
  • [edit routing-instances routing-instance-name forwarding-options family (inet | inet6 | mpls) filter input filter-name]
  • [edit routing-instances routing-instance-name forwarding-options family (inet | inet6 | mpls) filter output filter-name]
Comments: An input forwarding table filter is applied before the forwarding table lookup occurs. An output forwarding table filter is applied after the forwarding table lookup occurs.

Application point: Routing instance (bridge domain). The filter is applied to a forwarding table; each forwarding table is associated with a bridge domain in a routing instance. You can also apply a forwarding table filter to a bridge domain in the default routing instance.
Filter type: Filter you define at the [edit firewall family bridge filter filter-name] hierarchy level.
Supported hierarchy:
  • [edit bridge-domains bridge-domain-name forwarding-options filter input filter-name]
  • [edit bridge-domains bridge-domain-name forwarding-options flood filter input filter-name]
  • [edit routing-instances routing-instance-name bridge-domains bridge-domain-name forwarding-options filter input filter-name]
  • [edit routing-instances routing-instance-name bridge-domains bridge-domain-name forwarding-options flood filter input filter-name]
Comments: Forwarding table filters for Layer 2 bridging traffic are supported only on MX Series routers and can be applied only as input filters.

Application point: LDP forwarding equivalence classes (FECs). The filter polices ingress and transit traffic.
Filter type: Filter you define at the [edit firewall family any filter filter-name] hierarchy level.
Supported hierarchy:
  • [edit protocols ldp policing fec fec-address ingress-traffic filter-name]
  • [edit protocols ldp policing fec fec-address transit-traffic filter-name]
Comments: For more detailed information about configuring policers for LDP FECs, see the Junos MPLS Applications Configuration Guide.

Application point: MPLS LSPs. The filter polices LSP traffic.
Filter type: Filter you define at the [edit firewall family any filter filter-name] hierarchy level.
Supported hierarchy: [edit protocols mpls label-switched-path lsp-name policing filter-name]
Comments: For more detailed information about configuring MPLS LSP filters, see the Junos MPLS Applications Configuration Guide.
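As an added example that is not part of the original page or of Juniper's documentation, the following applies a forwarding table filter to a VRF routing instance (the routing-instance application point in Table 1). Because an input forwarding table filter runs before the route lookup, one filter covers every interface that belongs to the instance, including interfaces added later, without touching per-interface configuration. The instance name CUST-A, the interface ge-0/0/1.0, the route distinguisher, the VRF target, and the filter and counter names are assumptions.

```junos
firewall {
    family inet {
        filter cust-a-ftf {
            /* Block cleartext Telnet anywhere inside the VRF. Applied as an
               input forwarding table filter, so it runs before the route
               lookup for every packet entering the instance. */
            term block-telnet {
                from {
                    protocol tcp;
                    destination-port telnet;
                }
                then {
                    count telnet-blocked;
                    log;
                    discard;
                }
            }
            /* Explicit accept; the implicit discard would otherwise
               drop all other traffic in the instance. */
            term pass {
                then accept;
            }
        }
    }
}
routing-instances {
    CUST-A {
        instance-type vrf;
        /* assumed customer-facing interface */
        interface ge-0/0/1.0;
        /* assumed RD and route target */
        route-distinguisher 64512:100;
        vrf-target target:64512:100;
        forwarding-options {
            family inet {
                filter {
                    input cust-a-ftf;
                }
            }
        }
    }
}
```

The same filter applied under [edit forwarding-options family inet filter input] would cover the default routing instance instead. An output forwarding table filter, applied after the lookup, is the place for policy that depends on the selected next hop rather than on the packet alone.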

Published: 2010-07-16
