Technical Documentation

Applying Firewall Filters to Interfaces

For a firewall filter to work, you must apply it to at least one interface. To do this, include the filter statement when configuring the logical interface at the [edit interfaces interface-name unit logical-unit-number family family-name] hierarchy level:

[edit interfaces interface-name unit logical-unit-number family family-name]
filter {
    input filter-name;
    input-list [ filter-names ];
    output filter-name;
    output-list [ filter-names ];
}

In the input statement, list the name of one firewall filter to be evaluated when packets are received on the interface. Input filters applied to the loopback interface, lo0, affect only inbound traffic destined for the Routing Engine.

In the output statement, list the name of one firewall filter to be evaluated when packets are transmitted on the interface. Output filters applied to the loopback interface, lo0, affect only outbound traffic sent from the Routing Engine.

Note: When you create an additional loopback interface, it is important to apply a filter to it so the Routing Engine is protected. We recommend that when you apply a filter to the loopback interface lo0, you include the apply-groups statement. Doing so ensures that the filter is automatically inherited on every loopback interface, including lo0 and other loopback interfaces. For more information, see the Junos OS CLI User Guide.

Note: On MX Series routers only, a firewall filter configured at the [edit firewall filter family ccc] hierarchy level cannot be applied as an output filter. Firewall filters configured for the family ccc statement can be applied only as input filters on MX Series routers.

In the input-list statement, list the names of firewall filters to be evaluated when packets are received on the interface. You can specify up to 16 firewall filters for the filter input list. In the output-list statement, list the names of firewall filters to be evaluated when packets are transmitted from the interface. You can specify up to 16 firewall filters for the filter output list.

Unless you use an input filter list or an output filter list, you can apply only one input and one output firewall filter to each interface. You can use the same filter one or more times.

The input-list and output-list statements are not supported for simple filters or service filters.

Note: The input-list filter-names and output-list filter-names statements for firewall filters for the ccc and mpls protocol families are supported on all interfaces except management and internal Ethernet (fxp) interfaces, loopback (lo0) interfaces, and USB modem (umd) interfaces.

For more information about applying input lists and output lists, see Overview of Firewall Filter Lists. For more general information about configuring filters on interfaces, see the Junos Network Interfaces Configuration Guide.

When you apply a filter to an interface, it is evaluated against all the data packets passing through that interface. The exception is the loopback interface, lo0, which is the interface to the Routing Engine and carries no data packets. If you apply a filter to the lo0 interface, the filter affects the local packets received or transmitted by the Routing Engine.

Filters apply to all packets entering an interface, not just the packets destined for the Routing Engine. To filter packets destined for the Routing Engine, configure the group statement at the [edit interfaces interface-name unit logical-unit-number family family-name filter] hierarchy level. For more information, see Defining Interface Groups.

You can configure the following additional properties when applying filters to interfaces:

Configuring Interface-Specific Counters

When you configure a firewall filter that is applied to multiple interfaces, you can name individual counters specific to each interface. These counters enable you to easily maintain statistics on the traffic transiting the different interfaces. A separate instance of the interface-specific firewall filter is created for each interface to which you apply the filter.

Note: Configuration of interface-specific counters also creates separate instances of any policers and counters you have configured for the same interface.

To configure interface-specific counters, include the interface-specific statement at the [edit firewall family family-name filter filter-name] hierarchy level:

[edit firewall family family-name filter filter-name]
interface-specific;

Note: The suffixes -i (input) and -o (output) are added to the counter names automatically. The counter name is restricted to 24 bytes, and if the renamed counter exceeds this maximum length, the policy framework software might reject it.

Example: Configuring Interface-Specific Counters

Configure an interface-specific counter:

[edit firewall]
family inet {
    filter test {
        interface-specific;
        term 1 {
            from {
                address {
                    10.0.0.0/12;
                }
                protocol tcp;
            }
            then {
                count sample1;
                accept;
            }
        }
    }
}

When you apply this filter as an input filter on at-1/1/1.0 and as an output filter on so-2/2/2.2, the counters are named sample1-at-1/1/1.0-i and sample1-so-2/2/2.2-o. The suffixes -i (input) and -o (output) are added to the counter names automatically.
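The naming rule above (counter name, then the interface name, then -i or -o) combined with the 24-byte limit from the earlier note means a counter name that is fine on its own can be rejected once it is expanded per interface. The following pre-commit check is an added example, not Juniper code: it derives the per-interface names for a set of counters and flags any that exceed the limit. The counter names and the two interfaces are constructed sample input taken from the example above.

```python
"""Pre-commit check for Junos interface-specific counter names.

Added example, not Juniper code. It applies the documented naming rule
(counter-name, then -interface, then -i or -o) and flags derived names
longer than the 24-byte limit the documentation note describes.
"""
from typing import Dict, List, Tuple

MAX_COUNTER_BYTES = 24  # limit stated in the documentation note

# Constructed sample: the two interfaces from the example above, keyed by
# the direction in which the interface-specific filter is applied.
APPLIED_FILTERS = {
    "at-1/1/1.0": "input",
    "so-2/2/2.2": "output",
}


def derived_counter_name(counter: str, interface: str, direction: str) -> str:
    """Return the name Junos assigns to one interface-specific counter instance."""
    suffix = {"input": "i", "output": "o"}[direction]
    return f"{counter}-{interface}-{suffix}"


def check_counter_names(
    counters: List[str], applied: Dict[str, str]
) -> Tuple[List[str], List[str]]:
    """Derive every per-interface counter name and split into (ok, too_long)."""
    ok, too_long = [], []
    for counter in counters:
        for interface, direction in applied.items():
            name = derived_counter_name(counter, interface, direction)
            # The limit is expressed in bytes, so measure the encoded name.
            if len(name.encode("utf-8")) > MAX_COUNTER_BYTES:
                too_long.append(name)
            else:
                ok.append(name)
    return ok, too_long


if __name__ == "__main__":
    # 'ssh-to-re-accepted' is a constructed name chosen to exceed the limit
    # once the interface name and direction suffix are appended.
    ok, bad = check_counter_names(["sample1", "ssh-to-re-accepted"], APPLIED_FILTERS)
    for name in ok:
        print(f"OK       {len(name):2d} bytes  {name}")
    for name in bad:
        print(f"TOO LONG {len(name):2d} bytes  {name}")
```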

The Junos OS does not sample packets originating from the router. If you configure a filter and apply it to the output side of an interface, then only the transit packets going through that interface are sampled. Packets that are sent from the Routing Engine to the Packet Forwarding Engine are not sampled.

Defining Interface Groups

When applying a firewall filter, you can define an interface to be part of an interface group. Packets received on that interface are tagged as being part of the group. You then can match these packets using the interface-group match statement, as described in Configuring IPv4 Match Conditions. The interface-group match statement is supported only by the IPv4, IPv6, circuit cross-connects (CCC), and VPLS protocol families.

To define an interface to be part of an interface group, include the group statement at the [edit interfaces interface-name unit logical-unit-number family family-name filter] hierarchy level:

[edit interfaces interface-name unit logical-unit-number family family-name filter]
group group-number;
input filter-name;
output filter-name;

In the group statement, specify the interface group number to be associated with the filter.

In the input statement, list the name of one firewall filter to be evaluated when packets are received on the interface.

In the output statement, list the name of one firewall filter to be evaluated when packets are transmitted on the interface.

Note: The Junos OS also supports defining interface sets to which you can apply a firewall filter. An interface set lets you group a set of logical interfaces and apply hierarchical schedulers for class of service (CoS) to the interface set. For more information about the interface-set interface-set-name firewall filter match condition, see Configuring IPv4 Match Conditions. The interface-set match condition is supported by the IPv4, IPv6, and protocol-independent protocol families and on MX Series routers only. For more information about configuring hierarchical schedulers for CoS, see the Junos Class of Service Configuration Guide.

Example: Defining Interface Groups

Create a filter that contains an interface group:

[edit firewall]
family inet {
    filter if-group {
        term group1 {
            from {
                interface-group 1;
                address {
                    192.168.80.114/32;
                }
                protocol tcp;
                port finger;
            }
            then {
                count if-group-counter1;
                log;
                reject;
            }
        }
        term group-2 {
            then {
                count if-group-counter2;
                log;
                accept;
            }
        }
    }
}

Assign one or more interfaces to the interface group referenced in the filter:

[edit interfaces]
fxp0 {
    unit 0 {
        family inet {
            filter {
                group 1;
            }
            address 192.168.5.38/24;
        }
    }
}

Apply the filter that contains an interface group:

[edit interfaces]
lo0 {
    unit 0 {
        family inet {
            filter {
                input if-group;
                group 1;
            }
            address 10.0.0.1/32;
            address 192.168.77.1/32;
        }
    }
}

Published: 2010-07-16
