Firewall Filter Overview
The basic purpose of a firewall filter is to enhance security through the use of packet filtering. The rules you define in a firewall filter determine whether to accept, deny, or forward specific types of traffic. Firewall filters are stateless: they cannot statefully inspect traffic, that is, they do not keep track of the state of network connections, so each packet is evaluated on its own against the filter terms.
The Junos OS firewall filters support a rich set of packet-matching criteria that you can use to match on specific traffic and perform specific actions, such as forwarding or dropping packets that match the criteria you specify. You can configure firewall filters to protect the local router or to protect another device that is either directly or indirectly connected to the local router. For example, you can use the filters to restrict the local packets that pass from the router’s physical interfaces to the Routing Engine (RE). Such filters are useful in protecting the IP services that run on the RE, such as Telnet, SSH, and BGP, from denial-of-service attacks.
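The following is an added configuration example (not taken from the Juniper documentation) that shows the RE-protection pattern just described: a family inet filter applied as input on lo0 that accepts SSH only from a management prefix, accepts BGP only from the configured peers, and counts, logs, and discards everything else. The filter and counter names, the prefix list, and the addresses 192.0.2.0/24 and 198.51.100.x are assumptions chosen for the example; they are not part of the original page.

```junos
/* Added example: restrict which local packets may reach the Routing Engine */
policy-options {
    /* Assumed peer addresses; in practice these are your real BGP neighbors */
    prefix-list bgp-peers {
        198.51.100.1/32;
        198.51.100.2/32;
    }
}
firewall {
    family inet {
        filter protect-re {
            /* SSH only from the (assumed) management network */
            term allow-ssh-from-mgmt {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            /* BGP in either direction, but only from listed peers */
            term allow-bgp-peers {
                from {
                    source-prefix-list {
                        bgp-peers;
                    }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            /* Everything else destined to the RE is counted, logged and dropped */
            term deny-rest {
                then {
                    count protect-re-discards;
                    log;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

Because the filter is stateless, the final discard term drops every other packet addressed to the RE, including ICMP, routing-protocol traffic such as OSPF, and the replies to DNS or NTP queries the router itself sends; a production lo0 filter needs explicit accept terms for each of those before the deny term. Apply such a filter with `commit confirmed` so that a mistake that cuts off management access rolls back automatically, and watch the counter with `show firewall filter protect-re` and the logged packets with `show firewall log`.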
Note: If you configured targeted broadcast for virtual routing and forwarding (VRF) by including the forward-and-send-to-re statement, any firewall filter that is configured on the RE loopback interface (lo0) cannot be applied to the targeted broadcast packets that are forwarded to the RE. This is because broadcast packets are forwarded as flood next hop and not as local next hop traffic, and you can only apply a firewall filter to local next hop routes for traffic directed towards the RE.
You can also use firewall filters to perform multifield classification, counting, and policing. Multifield classification is used to perform specialized packet handling, including filter-based forwarding, or policy-based routing. Counting enables you to gather usage statistics. Policing is used to enforce bandwidth restrictions. Firewall filters that perform all these functions are standard firewall filters. The Junos OS also supports two additional specialized firewall filter types: simple filters and service filters.
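As an added example (not from the Juniper page), the configuration below shows the three transit-traffic functions named above in one standard filter on a physical interface: multifield classification that matches on protocol, port, and DSCP to set a forwarding class, a counter on each term, and a policer that rate-limits HTTP/HTTPS traffic. The interface ge-0/0/0, its address 203.0.113.1/24, the policer rate, and all filter, term, and counter names are assumptions made for the example.

```junos
/* Added example: classification, counting and policing in one filter */
firewall {
    /* Two-rate-free single policer: traffic above 1 Mbps (15 KB burst) is dropped */
    policer limit-web-1m {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        filter classify-and-police {
            /* Multifield match on protocol and destination port, then police and count */
            term police-web {
                from {
                    protocol tcp;
                    destination-port [ http https ];
                }
                then {
                    policer limit-web-1m;
                    count web-packets;
                    forwarding-class best-effort;
                    accept;
                }
            }
            /* Classify packets already marked EF into the expedited-forwarding queue */
            term voice-high {
                from {
                    dscp ef;
                }
                then {
                    count voice-packets;
                    forwarding-class expedited-forwarding;
                    loss-priority low;
                    accept;
                }
            }
            /* Count everything else; the implicit default would otherwise discard it */
            term default {
                then {
                    count other-packets;
                    accept;
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input classify-and-police;
                }
                address 203.0.113.1/24;
            }
        }
    }
}
```

The explicit `term default` with `accept` matters: a Junos firewall filter ends with an implicit discard, so a filter that only classifies and counts would silently drop all unmatched traffic without it. Per-term statistics are read with `show firewall filter classify-and-police`, and the policer's drop count appears in the same output.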
Note: There is no limit to the number of filters and counters you can set, but there are some practical considerations. More counters require more terms, and a large number of terms can take a long time to process during a commit operation. However, filters with more than 4000 terms and counters have been implemented successfully.