Stateless Firewall Filter Configuration Overview
Before you create a stateless firewall filter, determine your objectives:
- Purpose of the firewall filter—For example, the purpose might be to limit traffic to certain protocols, IP source or destination addresses, or data rates, or to prevent denial-of-service (DoS) attacks.
- Appropriate packet header fields to match—For example, you might want to match IP header fields (such as source and destination IP addresses, protocols, and IP options), TCP header fields (such as source and destination ports and flags), or ICMP header fields (such as ICMP packet type and code).
- Action to take if a match occurs—For example, you might want to accept, discard, or evaluate the next term.
- (Optional) Action modifiers (additional actions to take if a packet matches)—For example, you might want to count, log, rate limit, or police a packet.
- Interface on which the firewall filter is applied—For example, you might want the input or output side, or both sides, of the Routing Engine interface or a non-Routing Engine interface.
To create the firewall filter:
- Create and configure the filter. (Unlike a stateful firewall filter, you can configure a stateless firewall filter before configuring the interfaces on which the filter is applied.) See:
  - Example: Configuring a Stateless Firewall Filter to Accept Traffic from Trusted Sources
  - Example: Configuring a Stateless Firewall Filter to Protect Against TCP and ICMP Floods
  - Example: Configuring a Stateless Firewall Filter to Handle Fragments
  - Configuring Firewall Filters in the Junos Policy Framework Configuration Guide
  - Configuring Standard Firewall Filters in the Junos Policy Framework Configuration Guide
- Apply the filter to an interface. You can apply a stateless firewall filter to the input or output side, or both, of an interface.
  - To filter packets transiting the device, apply the firewall filter to any non-Routing Engine interface.
  - To filter packets originating from, or destined for, the Routing Engine, apply the firewall filter to the loopback (lo0) interface.
  See Applying Firewall Filters to Interfaces in the Junos Policy Framework Configuration Guide.
Caution: If a packet does not match any term in a firewall filter, the packet is discarded. Avoid configuring a stateless firewall filter that prevents you from accessing the device after you commit the configuration. For example, if you configure a firewall filter that does not match HTTP or HTTPS packets, you cannot access the device with the J-Web interface.
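The two steps above in Junos configuration syntax, as an added example that is not from the original page: a stateless filter applied to the input side of lo0 to protect the Routing Engine. The filter name (protect-re), the policer name, the term names, the counter name, and the management subnet 192.0.2.0/24 are assumptions chosen for this example; the final term makes the implicit discard explicit and countable so that lockouts are visible in `show firewall` rather than silent.

```junos
firewall {
    policer icmp-policer {                     /* rate limit ICMP toward the Routing Engine */
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        filter protect-re {
            term allow-mgmt {                  /* trusted management subnet (constructed sample) */
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                    protocol tcp;
                    destination-port [ ssh https ];   /* https keeps J-Web reachable */
                }
                then accept;
            }
            term limit-icmp {                  /* police echo traffic instead of blocking it */
                from {
                    protocol icmp;
                    icmp-type [ echo-request echo-reply ];
                }
                then {
                    policer icmp-policer;
                    accept;
                }
            }
            term default-discard {             /* explicit final term: count what the filter drops */
                then {
                    count protect-re-discards;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;          /* filter traffic destined for the Routing Engine */
                }
            }
        }
    }
}
```

Commit a filter like this with `commit confirmed`, so that Junos rolls the change back automatically if the filter cuts off your management session before you confirm it.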
Related Topics
- Junos OS Feature Support Reference for SRX Series and J Series Devices