Overview of Protocol Match Conditions
In a standard firewall filter, a port match condition, a match on the ICMP type, ICMP code, or TCP flags field, or the TCP established or TCP initial match conditions carry no implied protocol match. If you use one of the following match conditions in a term, you should also explicitly specify the protocol as a match condition in the same term:
- destination-port—For IPv4, specify the match protocol tcp or protocol udp in the same term. For IPv6, specify the match next-header tcp or next-header udp in the same term.
- icmp-code—For IPv4, specify the match protocol icmp in the same term. For IPv6, specify the match next-header icmp or next-header icmp6 in the same term.
- icmp-type—For IPv4, specify the match protocol icmp in the same term. For IPv6, specify the match next-header icmp or next-header icmp6 in the same term.
- port—For IPv4, specify the match protocol tcp or protocol udp in the same term. For IPv6, specify the match next-header tcp or next-header udp in the same term.
- source-port—For IPv4, specify the match protocol tcp or protocol udp in the same term. For IPv6, specify the match next-header tcp or next-header udp in the same term.
- tcp-established—For IPv4, specify the match protocol tcp in the same term. For IPv6, specify the match next-header tcp in the same term.
- tcp-flags—For IPv4, specify the match protocol tcp in the same term. For IPv6, specify the match next-header tcp in the same term.
- tcp-initial—For IPv4, specify the match protocol tcp in the same term. For IPv6, specify the match next-header tcp in the same term.
When examining match conditions, the Junos OS tests only the specified field itself. The software does not also test the IP header to determine that the packet is indeed an IP packet.
If you use the fields listed previously without explicitly specifying the protocol, design your filters carefully to ensure that they perform the expected matches. For example, if you specify a match of destination-port ssh, the Junos OS deterministically matches any packet that has a value of 22 in the 2-byte field that is 2 bytes beyond the end of the IP header, without ever checking the IP protocol field.
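The following added example (not Junos code or part of this documentation) models that behaviour in Python: one function evaluates a term that has only destination-port 22, another evaluates the same term with protocol tcp or protocol udp added, and both are run over constructed packets, including an ICMP echo request whose checksum bytes were deliberately set to 22 so that the field 2 bytes past the IP header reads as an SSH port. Packet fields not read by the filter (IP checksum, addresses) are placeholders.

```python
import struct

IP_PROTO_ICMP, IP_PROTO_TCP, IP_PROTO_UDP = 1, 6, 17

def build_ipv4(proto: int, payload: bytes, ihl_words: int = 5) -> bytes:
    """Constructed IPv4 packet: IHL-sized header (zero-filled options if ihl_words > 5),
    zero IP checksum and loopback addresses; only proto and IHL matter to the filter."""
    options = b"\x00" * (4 * (ihl_words - 5))
    total_len = 4 * ihl_words + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total_len, 0, 0,
                         64, proto, 0, bytes([127, 0, 0, 1]), bytes([127, 0, 0, 2]))
    return header + options + payload

def ip_header_len(pkt: bytes) -> int:
    return 4 * (pkt[0] & 0x0F)          # IHL is in 32-bit words

def protocol_of(pkt: bytes) -> int:
    return pkt[9]                        # IPv4 protocol field

def dport_field(pkt: bytes) -> int:
    """The 2-byte field 2 bytes beyond the end of the IP header. It is the TCP/UDP
    destination port only when the payload really is TCP or UDP."""
    off = ip_header_len(pkt) + 2
    return struct.unpack("!H", pkt[off:off + 2])[0]

def term_dport_only(pkt: bytes, port: int) -> bool:
    """Term with `destination-port <port>` and no protocol match: field test only."""
    return dport_field(pkt) == port

def term_dport_with_protocol(pkt: bytes, port: int) -> bool:
    """Same term with `protocol tcp` / `protocol udp` added: protocol is checked first."""
    return protocol_of(pkt) in (IP_PROTO_TCP, IP_PROTO_UDP) and dport_field(pkt) == port

# Constructed samples. TCP SYN to port 22: src 40000, dst 22, seq 1, ack 0, offset 5, SYN.
SSH_SYN = build_ipv4(IP_PROTO_TCP,
                     struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 5 << 4, 0x02, 65535, 0, 0))
# ICMP echo request (type 8, code 0) whose checksum bytes are set to 22 on purpose
# (checksum not computed) so they line up with where a TCP destination port would be.
ICMP_LOOKS_LIKE_SSH = build_ipv4(IP_PROTO_ICMP, struct.pack("!BBHHH", 8, 0, 22, 1234, 1))
# Same ICMP payload behind a 24-byte IP header (options): the offset follows the IHL.
ICMP_WITH_OPTIONS = build_ipv4(IP_PROTO_ICMP, struct.pack("!BBHHH", 8, 0, 22, 1234, 1),
                               ihl_words=6)

def evaluate(pkt: bytes) -> tuple:
    """Returns (matches without protocol, matches with protocol) for destination-port 22."""
    return (term_dport_only(pkt, 22), term_dport_with_protocol(pkt, 22))

if __name__ == "__main__":
    for name, p in [("tcp-ssh-syn", SSH_SYN), ("icmp-echo", ICMP_LOOKS_LIKE_SSH),
                    ("icmp-echo-ip-options", ICMP_WITH_OPTIONS)]:
        print(f"{name:22} proto={protocol_of(p):2} field={dport_field(p):5} "
              f"port-only={evaluate(p)[0]} with-protocol={evaluate(p)[1]}")
```

The ICMP packets match the port-only term in both header lengths, which is the unexpected match the text warns about; adding the protocol match is what excludes them.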
