Configuring IPv4 Match Conditions
Table 1 describes the firewall filter match conditions that are supported for IPv4 traffic.
To configure firewall filter match conditions for IPv4 traffic:
- Include the match-conditions statement at the [edit firewall family family-name filter filter-name term term-name from] hierarchy level.
Table 1: IPv4 Firewall Filter Match Conditions
Match Condition | Description |
|---|---|
keyword-except | Negate a match. For example, destination-port-except number. |
ah-spi spi-value | IPsec authentication header (AH) security parameter index (SPI) value. Match on this specific SPI value. |
ah-spi-except spi-value | IPsec AH SPI value. Do not match on this specific SPI value. |
destination-address address | Destination prefix. |
destination-class class-name | One or more destination classes. |
destination-mac-address address | Destination media access control (MAC) address of a VPLS packet. |
destination-port number | TCP or User Datagram Protocol (UDP) destination port field. You cannot specify both the port and destination-port match conditions in the same term. Normally, you specify this match in conjunction with the protocol match statement to determine which protocol is being used on the port. For more information, see Overview of Protocol Match Conditions. In place of the numeric value, you can specify one of the following text synonyms (the port numbers are also listed): afs (1483), bgp (179), biff (512), bootpc (68), bootps (67), cmd (514), cvspserver (2401), dhcp (67), domain (53), eklogin (2105), ekshell (2106), exec (512), finger (79), ftp (21), ftp-data (20), http (80), https (443), ident (113), imap (143), kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544), ldap (389), login (513), mobileip-agent (434), mobilip-mn (435), msdp (639), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123), pop3 (110), pptp (1723), printer (515), radacct (1813), radius (1812), rip (520), rkinit (2108), smtp (25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525), who (513), xdmcp (177). |
destination-prefix-list name | Destination prefixes in the specified list name. Specify the name of a prefix list defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level. |
dscp number | Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most significant 6 bits of this byte form the DSCP. For more information, see the Junos Class of Service Configuration Guide. You can specify DSCP in hexadecimal, binary, or decimal form. In place of the numeric value, you can specify one of the DSCP text synonyms. |
ether-type value | Ethernet type field of a VPLS packet. |
ether-type-except value | Do not match on the Ethernet type field of a VPLS packet. |
esp-spi spi-value | IPsec encapsulating security payload (ESP) SPI value. Match on this specific SPI value. You can specify the ESP SPI value in hexadecimal, binary, or decimal form. |
esp-spi-except spi-value | IPsec ESP SPI value. Do not match on this specific SPI value. |
first-fragment | First fragment of a fragmented packet. This condition does not match unfragmented packets. |
forwarding-class class | Forwarding class. Specify assured-forwarding, best-effort, expedited-forwarding, or network-control. |
forwarding-class-except class | Do not match on the forwarding class. Specify assured-forwarding, best-effort, expedited-forwarding, or network-control. |
fragment-flags number | IP fragmentation flags. In place of the numeric field value, you can specify one of the following keywords (the field values are also listed): dont-fragment (0x4000), more-fragments (0x2000), or reserved (0x8000). |
fragment-offset number | Fragment offset field. |
icmp-code number | ICMP code field. This value or keyword provides more specific information than icmp-type. Because the value's meaning depends upon the associated icmp-type, you must specify icmp-type along with icmp-code. For more information, see Overview of Protocol Match Conditions. In place of the numeric value, you can specify one of the text synonyms for the code; the keywords are grouped by the ICMP type with which they are associated. |
icmp-type number | ICMP packet type field. Normally, you specify this match in conjunction with the protocol icmp match condition, because the type field is only meaningful in ICMP packets. For more information, see Overview of Protocol Match Conditions. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): echo-reply (0), echo-request (8), info-reply (16), info-request (15), mask-request (17), mask-reply (18), parameter-problem (12), redirect (5), router-advertisement (9), router-solicit (10), source-quench (4), time-exceeded (11), timestamp (13), timestamp-reply (14), or unreachable (3). |
interface interface-name | Interface on which the packet was received. You can configure a match condition that matches packets based on the interface on which they were received. |
interface-group group-number | Interface group on which the packet was received. An interface group is a set of one or more logical interfaces. For group-number, specify a value from 0 through 255. For information about configuring interface groups, see Applying Firewall Filters to Interfaces. |
interface-set interface-set-name | (MX Series routers and routers with Enhanced IQ2 [IQ2E] PICs only) Interface set on which the packet was received. An interface set is a set of logical interfaces used to configure hierarchical class-of-service schedulers. For information about configuring an interface set, see the Junos Class of Service Configuration Guide and the Junos Network Interfaces Configuration Guide. |
ip-options values | IP optional header fields. In place of the numeric value, you must specify one of the following text synonyms: any, loose-source-route, route-record, router-alert, security, stream-id, strict-source-route, or timestamp. Do not use a numerical value for any of the IP optional header fields. Use only the text values. Note: For most interfaces, packets that match any of values for the ip-options match condition—except for the any option—are sent to the Routing Engine for processing. Use the ip-options option any to ensure that packets are sent to the Packet Forwarding Engine for processing. Interfaces configured on the 10-Gigabit Ethernet Modular Port Concentrator (MPC), 60-Gigabit Ethernet MPC, 60-Gigabit Queuing Ethernet MPC, and 60-Gigabit Ethernet Enhanced Queuing MPC on MX Series routers do send all packets that match any of the supported ip-options match conditions to the Packet Forwarding Engine. |
is-fragment | This condition matches if the packet is a trailing fragment; it does not match the first fragment of a fragmented packet. To match both first and trailing fragments, you can use two terms. |
loss-priority level | Packet loss priority (PLP) level. Specify a single level or multiple levels: low, medium-low, medium-high, or high. Supported on MX Series routers; M120 and M320 routers; and M7i and M10i routers with the Enhanced CFEB (CFEB-E). On M320 routers, you must enable the tricolor statement at the [edit class-of-service] hierarchy level to commit a PLP configuration with any of the four levels specified. If the tricolor statement is not referenced, you can only configure the high and low levels. This applies to all protocol families. For information about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets, see the Junos Class of Service Configuration Guide. |
loss-priority-except level | Do not match on the packet loss priority level. Specify a single level or multiple levels: low, medium-low, medium-high, or high. For information about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets, see the Junos Class of Service Configuration Guide. |
packet-length bytes | Length of the received packet, in bytes. The length refers only to the IP packet, including the packet header, and does not include any Layer 2 encapsulation overhead. |
port number | TCP or UDP source or destination port field. You cannot specify both the port match and either the destination-port or source-port match conditions in the same term. Normally, you specify this match in conjunction with the protocol match statement to determine which protocol is being used on the port. For more information, see Overview of Protocol Match Conditions. In place of the numeric value, you can specify one of the text synonyms listed under destination-port. |
precedence ip-precedence-field | IP precedence field. In place of the numeric field value, you can specify one of the following text synonyms (the field values are also listed): critical-ecp (0xa0), flash (0x60), flash-override (0x80), immediate (0x40), internet-control (0xc0), net-control (0xe0), priority (0x20), or routine (0x00). You can specify precedence in hexadecimal, binary, or decimal form. |
prefix-list name | Destination or source prefixes in the specified list name. Specify the name of a prefix list defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level. |
protocol number | IP protocol field. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): ah (51), egp (8), esp (50), gre (47), icmp (1), igmp (2), ipip (4), ipv6 (41), ospf (89), pim (103), rsvp (46), tcp (6), or udp (17). |
service-filter-hit | This condition matches if the packet is received from a filter where a service-filter-hit action was applied. |
source-class class-name | One or more source-class names. |
source-port number | TCP or UDP source port field. You cannot specify the port and source-port match conditions in the same term. Normally, you specify this match in conjunction with the protocol match statement to determine which protocol is being used on the port. For more information, see Overview of Protocol Match Conditions. In place of the numeric field, you can specify one of the text synonyms listed under destination-port. |
source-prefix-list name | Source prefixes in the specified list name. Specify the name of a prefix list defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level. |
tcp-established | TCP packets other than the first packet of a connection. This is a synonym for "(ack | rst)". This condition does not implicitly check that the protocol is TCP. To check this, specify the protocol tcp match condition. |
tcp-flags number | TCP flags. Normally, you specify this match in conjunction with the protocol tcp match condition, because the flags are only meaningful in TCP packets. For more details, see Overview of Protocol Match Conditions. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): ack (0x10), fin (0x01), push (0x08), rst (0x04), syn (0x02), or urgent (0x20). |
tcp-initial | First TCP packet of a connection. This is a synonym for "(syn & !ack)". This condition does not implicitly check that the protocol is TCP. To check this, specify the protocol tcp match condition. |
ttl number | IPv4 time-to-live number. Specify a TTL value or a range of TTL values. For number, you can specify one or more values from 0 through 255. This match condition is supported only on M120, M320, MX Series, and T Series routers. |
ttl-except number | Do not match on the IPv4 TTL number. Specify a TTL value or a range of values. For number, you can specify one or more values from 0 through 255. This match condition is supported only on M120, M320, MX Series, and T Series routers. |
vlan-ether-type value | Virtual local area network (VLAN) Ethernet type field of a VPLS packet. |
vlan-ether-type-except value | Do not match on the VLAN Ethernet type field of a VPLS packet. |
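The following Routing Engine protection filter is an added example, not configuration from the original page; it shows how the match conditions in Table 1 are combined in practice and how the caveats in the table are honored. The prefix-list names (mgmt-hosts, bgp-neighbors), the addresses in them, the filter and counter names, and the assumption that BGP neighbors send TTL 255 (GTSM-style TTL security) are all hypothetical.

```junos
policy-options {
    prefix-list mgmt-hosts {
        /* constructed sample addresses */
        192.0.2.0/24;
        198.51.100.10/32;
    }
    prefix-list bgp-neighbors {
        203.0.113.1/32;
        203.0.113.2/32;
    }
}
firewall {
    family inet {
        filter protect-re {
            /* Fragments carry no TCP/UDP header after the first fragment, so a
               trailing fragment could slip past a port-based term on its IP
               fields alone. first-fragment and is-fragment never match the
               same packet, so matching all fragments needs two terms. */
            term drop-first-fragments {
                from {
                    first-fragment;
                }
                then {
                    count fragments;
                    discard;
                }
            }
            term drop-trailing-fragments {
                from {
                    is-fragment;
                }
                then {
                    count fragments;
                    discard;
                }
            }
            /* Source-routed and record-route packets would otherwise be punted
               to the Routing Engine for option processing; drop them first. */
            term drop-ip-options {
                from {
                    ip-options [ loose-source-route strict-source-route route-record ];
                }
                then {
                    count ip-options;
                    discard;
                }
            }
            /* Established BGP: either side may have opened the session, so the
               well-known port can be the source or the destination, which is
               what the port (not destination-port) condition matches. protocol
               tcp is mandatory here: tcp-established does not imply TCP. */
            term bgp-established {
                from {
                    source-prefix-list {
                        bgp-neighbors;
                    }
                    protocol tcp;
                    port bgp;
                    tcp-established;
                }
                then accept;
            }
            /* New BGP sessions: only listed neighbors may send the opening SYN.
               ttl 255 assumes the peers are configured to send TTL 255
               (hypothetical GTSM deployment); remove it otherwise. */
            term bgp-new {
                from {
                    source-prefix-list {
                        bgp-neighbors;
                    }
                    protocol tcp;
                    destination-port bgp;
                    tcp-initial;
                    ttl 255;
                }
                then accept;
            }
            term ssh-from-management {
                from {
                    source-prefix-list {
                        mgmt-hosts;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            /* icmp-type is only meaningful with protocol icmp; the listed
               types are the ones path MTU discovery and troubleshooting need. */
            term icmp-allowed {
                from {
                    protocol icmp;
                    icmp-type [ echo-request echo-reply unreachable time-exceeded ];
                }
                then {
                    count icmp;
                    accept;
                }
            }
            term default-deny {
                then {
                    count denied;
                    log;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

Because a term cannot combine port with source-port or destination-port, the two BGP terms use different port conditions rather than both in one term. The fragment and ip-options terms are placed before any term that accepts on Layer 4 fields, since those fields are absent or untrustworthy in such packets; on the MPC interfaces noted under ip-options in Table 1 the punt behavior differs, but the discard is still the safe default for a lo0 filter.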
