Technical Documentation

Overview of Firewall Filter Lists

Firewall filter lists effectively enable you to chain multiple firewall filters and apply them to a single interface. Typically, you apply a single firewall filter to an interface in the input or output direction or both. The ability to chain multiple firewall filters is useful when you have a router configured with many, even hundreds of interfaces, and you want to apply a unique filter to each interface but also apply a common set of terms to many or most of the interfaces on the router.

The most straightforward way to chain multiple firewall filters is to configure multiple, separate firewall filters. In such a scenario, you can configure multiple filters that are each unique to one interface and one or more separate filters that include the common terms that apply to many or most of the interfaces. You can then apply each unique filter only to the specific interface for which it is defined, along with the filter or filters that apply to many interfaces. This approach gives you the flexibility of being able to update a filter that applies only to one interface without having to update the configuration for all the other interfaces.

A second approach to chaining multiple firewall filters is to configure one or more filters within a filter, or nested firewall filter. To configure a nested firewall filter, you must first define each filter that you plan to nest by configuring it at the [edit firewall] hierarchy level. You then reference each filter you want to nest by including the filter filter-name statement at the [edit firewall filter filter-name family family-name term term-name] hierarchy level. You can then apply any combination of nested and standard firewall filters to interfaces as input lists or output lists. The advantage of this approach is that you can update any referenced firewall filter without having to update the nested firewall filter itself. Another advantage of nested firewall filters is that you can include a filter that you defined at the [edit firewall] hierarchy level in multiple nested filters.

In the following example, you configure multiple firewall filters, each of which is applied individually as part of an input list or an output list. Configuring multiple filters that include only one term enables you to update any one filter quickly without affecting any of the other filters.

[edit]
firewall {
    family inet {
        filter if1 {
            term 0 {
                from {
                    destination-port 21;
                }
                then accept;
            }
        }
        filter if2 {
            term 0 {
                from {
                    destination-port 23;
                }
                then accept;
            }
        }
        filter if3 {
            term 0 {
                from {
                    destination-port 22;
                }
                then accept;
            }
        }
        filter of1 {
            term 0 {
                from {
                    dscp af11;
                }
                then accept;
            }
        }
        filter of2 {
            term 0 {
                from {
                    is-fragment;
                }
                then accept;
            }
        }
        filter of3 {
            term 0 {
                from {
                    protocol ospf;
                }
                then accept;
            }
        }
    }
}

To apply the filters in this example to incoming and outgoing traffic, use the input-list [ filter-names ] and output-list [ filter-names ] statements. In the following example, a list of three input filters and a list of three output filters are applied to the ge-1/3/0 interface. The filters are processed in the order in which they are applied.

[edit]
interfaces {
    ge-1/3/0 {
        unit 0 {
            family inet {
                filter {
                    input-list [ if1 if2 if3 ];
                    output-list [ of1 of2 of3 ];
                }
                address 1.1.1.2/30;
            }
        }
    }
}

Note: The input-list filter-names and output-list filter-names statements for firewall filters for the ccc and mpls protocol families are supported on all interfaces except management and internal Ethernet (fxp) interfaces, loopback (lo0) interfaces, and USB modem (umd) interfaces.

Nested firewall filters also give you the ability to evaluate the filters within a filter in a multiple OR order. Within a single term, every match condition you specify (for example, source port and source address) must be met for a packet to match. In a nested firewall filter, by contrast, a packet can match either the source port as defined in one filter within the filter, or the source address as defined in another term or filter within the filter.

In contrast, in a standard firewall filter, multiple conditions within a single term are applied in a multiple AND order. If you specify more than one match condition within a single term, both conditions (for example, source port and source address) must be met for a packet to match.

An additional advantage of nested firewall filters is that if you need to update a specific filter within a filter, you can do so without having to update the nested filter itself.

The following example shows a nested firewall filter configuration. First, you define Filter f1, the filter that you want to nest within another firewall filter. Then you reference Filter f1 within the nested firewall filter, named f2. When you need to update Filter f1, you can do so without having to update Filter f2. The example also includes standard Filter f3, which you also apply as part of an input list. You then apply Filters f2 and f3 to interface so-1/2/3 unit 0 as an input list. You do not need to apply Filter f1 directly to the interface because it is referenced in Filter f2.

  • Defining Filter f1
    [edit firewall]
    family inet {
        filter f1 {
            from {
                source-address 192.168.27.14;
            }
            then count got-one;
        }
    }
  • Nesting Filter f1 in Filter f2
    [edit firewall]
    family inet {
        filter f2 {
            term 1 {
                filter f1;    # Reference filter f1 defined at the [edit firewall] hierarchy level.
                              # You must reference the filter within a term. Include only the name
                              # of the filter you want to reference.
            }
            term 2 {
                from {
                    source-port 3000;
                }
                then accept;
            }
        }
    }
  • Configuring standard firewall Filter f3
    [edit firewall]
    family inet {
        filter f3 {
            term 3 {
                from {
                    icmp-code 3;
                }
                then accept;
            }
        }
    }
  • Applying Filters f2 and f3 as an input list
    [edit interfaces so-1/2/3]
    unit 0 {
        family inet {
            filter {
                input-list [ f2 f3 ];    # When you apply filter f2, it includes the referenced filter f1.
            }
        }
    }

When you configure a list of firewall filters and apply them to an interface using either the input-list or output-list statement, the filters are concatenated into one consolidated and renamed firewall filter, and all policers and counters are also renamed. Each filter in the list is evaluated in the order in which it is applied to the interface.

The concatenated firewall filter is renamed based on the name of the interface and the direction in which the filter is applied:

  • A list of firewall filters applied as input filters on interface so-1/0/0 unit 0 becomes so-1/0/0.0-i.
  • A list of firewall filters applied as output filters on interface so-1/1/1 unit 0 becomes so-1/1/1.0-o.

Any counters or policers in the filter list are also renamed. The interface name and the letter o or i to indicate the direction of the filter are added to the end of the original counter name as follows:

  • A counter named bad-packets in a filter applied in an output list to interface so-2/2/0 unit 0 becomes bad-packets-so-2/2/0.0-o.
  • A counter named icmp-code-3 in a filter applied in an input list to interface so-3/3/0 unit 0 becomes icmp-code-3-so-3/3/0.0-i.

Understanding how firewall filter lists are displayed is important when you use the show firewall command to view information about configured firewall filters. For example, the entry for a firewall filter named c that is applied in an output list to interface at-1/0/1 unit 0 is displayed as c-at-1/0/1.0-o.
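As an added example (not Juniper's code or part of the original page), the following Python model shows how a filter list behaves under the semantics described above: the filters in the list are concatenated in order, a nested filter reference is expanded in place, every condition within a term must hold, the first matching term decides, a packet that matches no term is discarded, and the consolidated filter and its counters take the interface-and-direction suffix. The names Term, expand, apply_list, evaluate and demo are this example's own, and it assumes that a term whose only action is count accepts the packet, which is the Junos default when no terminating action is given.

```python
from typing import Optional
from dataclasses import dataclass
@dataclass
class Term:
    match: dict                        # every condition must hold (AND within a term)
    accept: bool = True                # terminating action; a count-only term accepts (Junos default)
    count: Optional[str] = None        # non-terminating action: counter to increment
    filter_ref: Optional[str] = None   # nested reference, i.e. "filter filter-name" inside a term

def expand(name, filters):
    """Flatten a filter into an ordered term list, expanding nested references in place."""
    terms = []
    for t in filters[name]:
        terms.extend(expand(t.filter_ref, filters) if t.filter_ref else [t])
    return terms

def apply_list(names, filters, ifname, unit, direction):
    """Concatenate a filter list as input-list/output-list does; return its renamed form."""
    renamed = f"{ifname}.{unit}-{'i' if direction == 'input' else 'o'}"
    return renamed, [t for n in names for t in expand(n, filters)]

def evaluate(packet, terms, renamed, counters):
    """First matching term decides; a packet that matches no term is discarded."""
    for t in terms:
        if all(packet.get(k) == v for k, v in t.match.items()):
            if t.count:                                # counters get the list's suffix too
                key = f"{t.count}-{renamed}"
                counters[key] = counters.get(key, 0) + 1
            return "accept" if t.accept else "discard"
    return "discard"                                   # implicit discard at end of list

# Constructed filters mirroring the page's examples (if1..if3, f1..f3).
FILTERS = {
    "if1": [Term({"destination-port": 21})],
    "if2": [Term({"destination-port": 23})],
    "if3": [Term({"destination-port": 22})],
    "f1": [Term({"source-address": "192.168.27.14"}, count="got-one")],
    "f2": [Term({}, filter_ref="f1"), Term({"source-port": 3000})],
    "f3": [Term({"icmp-code": 3})],
}
def demo():
    counters = {}
    name_in, terms_in = apply_list(["if1", "if2", "if3"], FILTERS, "ge-1/3/0", 0, "input")
    ssh = evaluate({"destination-port": 22}, terms_in, name_in, counters)
    web = evaluate({"destination-port": 80}, terms_in, name_in, counters)
    name_n, terms_n = apply_list(["f2", "f3"], FILTERS, "so-1/2/3", 0, "input")
    by_addr = evaluate({"source-address": "192.168.27.14", "source-port": 9}, terms_n, name_n, counters)
    by_port = evaluate({"source-address": "10.0.0.1", "source-port": 3000}, terms_n, name_n, counters)
    return name_in, ssh, web, name_n, by_addr, by_port, counters
```

Running demo() shows the consolidated names ge-1/3/0.0-i and so-1/2/3.0-i, the port-80 packet falling through to the implicit discard, and the counter appearing under the renamed key got-one-so-1/2/3.0-i, which is the form you will see in show firewall output.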


Published: 2010-07-16
