Stateless Firewall Filter Match Conditions
Table 18 and Table 19 list the match conditions you can specify in stateless firewall filter terms.
Note: When the device compares the stateless firewall filter match conditions to a packet, it compares only the header fields specified in the match condition. There is no implied protocol match. For example, if you specify a match of destination-port ssh, the device checks for a value of 0x22 in the 2-byte field that is two bytes after the IP packet header. The protocol field of the packet is not checked.
Table 18: IPv4 Stateless Firewall Filter Match Conditions
| Match Condition | Description |
|---|---|
| Numeric Range Match Conditions | |
| keyword-except | Negates a match—for example, destination-port-except number. The following keywords accept the -except extension: destination-port, dscp, esp-spi, forwarding-class, fragment-offset, icmp-code, icmp-type, interface-group, ip-options, packet-length, port, precedence, protocol, and source-port. |
| destination-port number | Matches a TCP or UDP destination port field. You cannot specify both the port and destination-port match conditions in the same term. Normally, you specify this match in conjunction with the protocol tcp or protocol udp match statement to determine which protocol is being used on the port. In place of the numeric value, you can specify a text synonym. For example, you can specify telnet or 23. |
| esp-spi spi-value | Matches an IPsec ESP SPI value. Match on this specific SPI value. You can specify the ESP SPI value in hexadecimal, binary, or decimal form. |
| forwarding-class class | Matches a forwarding class. Specify assured-forwarding, best-effort, expedited-forwarding, or network-control. |
| fragment-offset number | Matches the fragment offset field. |
| icmp-code number | Matches the ICMP code field. Normally, you specify this match condition in conjunction with the protocol icmp match statement to determine which protocol is being used on the port. This value or keyword provides more specific information than icmp-type. Because the value's meaning depends on the associated icmp-type, you must specify icmp-type along with icmp-code. In place of the numeric value, you can specify a text synonym. For example, you can specify ip-header-bad or 0. |
| icmp-type number | Matches the ICMP packet type field. Normally, you specify this match condition in conjunction with the protocol icmp match statement to determine which protocol is being used on the port. In place of the numeric value, you can specify a text synonym. For example, you can specify time-exceeded or 11. |
| interface-group group-number | Matches the interface group on which the packet was received. An interface group is a set of one or more logical interfaces. |
| packet-length bytes | Matches the length of the received packet, in bytes. The length refers only to the IP packet, including the packet header, and does not include any Layer 2 encapsulation overhead. |
| port number | Matches a TCP or UDP source or destination port field. You cannot specify both the port match and either the destination-port or source-port match conditions in the same term. Normally, you specify this match condition in conjunction with the protocol tcp or protocol udp match statement to determine which protocol is being used on the port. In place of the numeric value, you can specify a text synonym. For example, you can specify bgp or 179. |
| precedence ip-precedence-field | Matches the IP precedence field. You can specify precedence in hexadecimal, binary, or decimal form. In place of the numeric value, you can specify a text synonym. For example, you can specify immediate or 0x40. |
| protocol number | Matches the IP protocol field. In place of the numeric value, you can specify a text synonym. For example, you can specify ospf or 89. |
| source-port number | Matches the TCP or UDP source port field. You cannot specify the port and source-port match conditions in the same term. Normally, you specify this match condition in conjunction with the protocol tcp or protocol udp match statement to determine which protocol is being used on the port. In place of the numeric value, you can specify a text synonym. For example, you can specify http or 80. |
| Address Match Conditions | |
| address prefix | Matches the IP source or destination address field. You cannot specify both the address and the destination-address or source-address match conditions in the same term. |
| destination-address prefix | Matches the IP destination address field. You cannot specify the destination-address and address match conditions in the same term. |
| destination-prefix-list prefix-list | Matches the IP destination prefix list field. You cannot specify the destination-prefix-list and prefix-list match conditions in the same term. |
| prefix-list prefix-list | Matches the IP source or destination prefix list field. You cannot specify both the prefix-list and the destination-prefix-list or source-prefix-list match conditions in the same term. |
| source-address prefix | Matches the IP source address field. You cannot specify the source-address and address match conditions in the same term. |
| source-prefix-list prefix-list | Matches the IP source prefix list field. You cannot specify the source-prefix-list and prefix-list match conditions in the same term. |
| Bit-Field Match Conditions with Values | |
| fragment-flags number | Matches an IP fragmentation flag. In place of the numeric value, you can specify a text synonym. For example, you can specify more-fragments or 0x2000. |
| ip-options number | Matches an IP option. In place of the numeric value, you can specify a text synonym. For example, you can specify record-route or 7. |
| tcp-flags number | Matches a TCP flag. Normally, you specify this match condition in conjunction with the protocol tcp match statement to determine which protocol is being used on the port. In place of the numeric value, you can specify a text synonym. For example, you can specify syn or 0x02. |
| Bit-Field Text Synonym Match Conditions | |
| first-fragment | Matches the first fragment of a fragmented packet. This condition does not match unfragmented packets. |
| is-fragment | Matches the trailing fragment of a fragmented packet. It does not match the first fragment of a fragmented packet. To match both first and trailing fragments, you can use two terms, or you can use fragment-offset 0-8191. |
| tcp-established | Matches a TCP packet other than the first packet of a connection. This match condition is a synonym for "(ack \| rst)". This condition does not implicitly check that the protocol is TCP. To do so, specify the protocol tcp match condition. |
| tcp-initial | Matches the first TCP packet of a connection. This match condition is a synonym for "(syn & !ack)". This condition does not implicitly check that the protocol is TCP. To do so, specify the protocol tcp match condition. |
Table 19: IPv6 Stateless Firewall Filter Match Conditions
| Match Condition | Description |
|---|---|
| Numeric Range Match Conditions | |
| keyword-except | Negates a match—for example, destination-port-except number. The following keywords accept the -except extension: destination-port, dscp, esp-spi, forwarding-class, fragment-offset, icmp-code, icmp-type, interface-group, ip-options, packet-length, port, precedence, protocol, and source-port. |
| destination-port number | Matches a TCP or UDP destination port field. You cannot specify both the port and destination-port match conditions in the same term. Normally, you specify this match in conjunction with the protocol tcp or protocol udp match statement to determine which protocol is being used on the port. In place of the numeric value, you can specify a text synonym. For example, you can specify telnet or 23. |
| source-port number | Matches the TCP or UDP source port field. You cannot specify the port and source-port match conditions in the same term. Normally, you specify this match condition in conjunction with the protocol tcp or protocol udp match statement to determine which protocol is being used on the port. In place of the numeric value, you can specify a text synonym. For example, you can specify http or 80. |
| forwarding-class class | Matches a forwarding class. Specify assured-forwarding, best-effort, expedited-forwarding, or network-control. |
| icmp-code number | Matches the ICMP code field. Normally, you specify this match condition in conjunction with the protocol icmp match statement to determine which protocol is being used on the port. This value or keyword provides more specific information than icmp-type. Because the value's meaning depends on the associated icmp-type, you must specify icmp-type along with icmp-code. In place of the numeric value, you can specify a text synonym. For example, you can specify ip-header-bad or 0. Note: Applies to SRX100, SRX210, SRX240, and SRX650 devices only. |
| icmp-type number | Matches the ICMP packet type field. Normally, you specify this match condition in conjunction with the protocol icmp match statement to determine which protocol is being used on the port. In place of the numeric value, you can specify a text synonym. For example, you can specify time-exceeded or 11. Note: Applies to SRX100, SRX210, SRX240, and SRX650 devices only. |
| interface-group group-number | Matches the interface group on which the packet was received. An interface group is a set of one or more logical interfaces. Note: Applies to SRX100, SRX210, SRX240, and SRX650 devices only. |
| packet-length bytes | Matches the length of the received packet, in bytes. The length refers only to the IP packet, including the packet header, and does not include any Layer 2 encapsulation overhead. Note: Applies to SRX100, SRX210, SRX240, and SRX650 devices only. |
| port number | Matches a TCP or UDP source or destination port field. You cannot specify both the port match and either the destination-port or source-port match conditions in the same term. Normally, you specify this match condition in conjunction with the protocol tcp or protocol udp match statement to determine which protocol is being used on the port. In place of the numeric value, you can specify a text synonym. For example, you can specify bgp or 179. Note: Applies to SRX100, SRX210, SRX240, and SRX650 devices only. |
| Address Match Conditions | |
| destination-address prefix | Matches the IP destination address field. You cannot specify the destination-address and address match conditions in the same term. |
| source-address prefix | Matches the IP source address field. You cannot specify the source-address and address match conditions in the same term. |
| Bit-Field Match Conditions with Values | |
| tcp-flags number | Matches a TCP flag. Normally, you specify this match condition in conjunction with the protocol tcp match statement to determine which protocol is being used on the port. In place of the numeric value, you can specify a text synonym. For example, you can specify syn or 0x02. Note: Applies to SRX100, SRX210, SRX240, and SRX650 devices only. |
| Bit-Field Text Synonym Match Conditions | |
| tcp-established | Matches a TCP packet other than the first packet of a connection. This match condition is a synonym for "(ack \| rst)". This condition does not implicitly check that the protocol is TCP. To do so, specify the protocol tcp match condition. Note: Applies to SRX100, SRX210, SRX240, and SRX650 devices only. |
| tcp-initial | Matches the first TCP packet of a connection. This match condition is a synonym for "(syn & !ack)". This condition does not implicitly check that the protocol is TCP. To do so, specify the protocol tcp match condition. Note: Applies to SRX100, SRX210, SRX240, and SRX650 devices only. |
To specify a bit-field match condition with values, such as tcp-flags, you must enclose the values in quotation marks (" "). You can use bit-field logical operators to create expressions that are evaluated for matches. For example, if the following expression is used in a filter term, a match occurs if the packet is the initial packet of a TCP session:
You can use text synonyms to specify some common bit-field matches. In the previous example, you can specify tcp-initial as the same match condition.
Note: Some of the numeric range and bit-field match conditions allow you to specify a text synonym. For a complete list of synonyms:
Table 20 lists the bit-field logical operators in order of highest to lowest precedence.
Table 20: Stateless Firewall Filter Bit-Field Logical Operators
| Logical Operator | Description |
|---|---|
| (...) | Grouping |
| ! | Negation |
| & or + | Logical AND |
| \| or , | Logical OR |
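The following Python model, an added example that is not Junos OS code, ties together three points from this page: the note that a match condition compares only its own header field with no implied protocol match, the quoted bit-field expression syntax with the tcp-initial and tcp-established synonyms exactly as Table 18 expands them, and the operator precedence of Table 20. Every name in it (bitfield_matches, term_matches, build_ipv4, demo) is this example's own, the packets are constructed inline, and it assumes raw IPv4 packets with no Layer 2 header and models only the match conditions it uses.

```python
"""Model of one stateless firewall filter term (added example, not Junos OS code).
Assumes raw IPv4 packets with no Layer 2 header; only the match conditions used
below are modelled, and every name here (term_matches, build_ipv4, ...) is ours."""
import re
import struct

TCP_FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "push": 0x08,  # standard TCP flag bits,
                 "ack": 0x10, "urgent": 0x20}                           # named as the tables do
PROTOCOL_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}
TEXT_SYNONYMS = {"tcp-initial": "(syn & !ack)",        # expansions exactly as Table 18 gives them
                 "tcp-established": "(ack | rst)"}

def bitfield_matches(expr, value, synonyms=TCP_FLAG_BITS):
    """Evaluate a quoted bit-field expression such as "(syn & !ack)" against one header
    field, with the Table 20 precedence:  (...)  >  !  >  & or +  >  | or ,"""
    tokens = re.findall(r"0x[0-9a-fA-F]+|\d+|[a-z]+|[()!&+|,]", expr)
    pos = 0
    def peek():
        return tokens[pos] if pos < len(tokens) else None
    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of expression: %r" % expr)
        pos += 1
        return tokens[pos - 1]
    def parse_or():                      # lowest precedence: '|' or ','
        result = parse_and()
        while peek() in ("|", ","):
            take()
            rhs = parse_and()            # parse the right side unconditionally, no short-circuit
            result = result or rhs
        return result
    def parse_and():                     # '&' or '+'
        result = parse_not()
        while peek() in ("&", "+"):
            take()
            rhs = parse_not()
            result = result and rhs
        return result
    def parse_not():                     # '!' binds tighter than the binary operators
        if peek() == "!":
            take()
            return not parse_not()
        return parse_atom()
    def parse_atom():                    # grouping, a flag synonym, or a numeric mask
        tok = take()
        if tok == "(":
            inner = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses in %r" % expr)
            return inner
        mask = synonyms[tok] if tok in synonyms else int(tok, 16 if tok.startswith("0x") else 10)
        return (value & mask) != 0
    result = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in %r" % expr)
    return result

def term_matches(term, pkt):
    """Apply a term's match conditions (a dict) to a raw IPv4 packet; all must hold.
    Each condition inspects only its own field, so there is no implied protocol match."""
    ihl = (pkt[0] & 0x0F) * 4
    l4 = pkt[ihl:]                            # whatever follows the IP header, TCP or not
    for cond, want in term.items():
        if cond == "protocol":
            ok = pkt[9] == PROTOCOL_NUMBERS.get(want, want)
        elif cond == "destination-port":      # 2-byte field two bytes after the IP header
            ok = struct.unpack("!H", l4[2:4])[0] == want
        elif cond == "tcp-flags":             # TCP flags byte sits 13 bytes after the IP header
            ok = bitfield_matches(want, l4[13])
        elif cond in TEXT_SYNONYMS:           # tcp-initial / tcp-established (value unused)
            ok = bitfield_matches(TEXT_SYNONYMS[cond], l4[13])
        else:
            raise ValueError("unsupported match condition: " + cond)
        if not ok:
            return False
    return True

def build_ipv4(protocol, payload):
    """Constructed 20-byte IPv4 header (RFC 5737 documentation addresses, zero checksum)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64,
                      PROTOCOL_NUMBERS[protocol], 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 22]))
    return hdr + payload

def build_tcp(sport, dport, flags):
    """Constructed 20-byte TCP header without options; the flags byte lands at offset 13."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)

def build_udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def demo():
    # constructed traffic: SSH SYN, SSH data segment, and a UDP datagram to port 22 whose
    # sixth payload byte happens to hold 0x02, the SYN bit value
    pkts = {"ssh_syn": build_ipv4("tcp", build_tcp(40000, 22, TCP_FLAG_BITS["syn"])),
            "ssh_data": build_ipv4("tcp", build_tcp(40000, 22, TCP_FLAG_BITS["ack"] | TCP_FLAG_BITS["push"])),
            "udp_22": build_ipv4("udp", build_udp(40000, 22, b"\x00" * 5 + b"\x02\x00\x00"))}
    loose = {"destination-port": 22, "tcp-initial": None}                       # no protocol check
    strict = {"protocol": "tcp", "destination-port": 22, "tcp-initial": None}   # as the tables advise
    return {name: (term_matches(loose, p), term_matches(strict, p)) for name, p in pkts.items()}
```

Running demo() returns (loose, strict) results per packet: the SSH SYN matches both terms, the mid-connection segment matches neither, and the UDP datagram matches the loose term but not the strict one. That last pair is the practical consequence of the note above: without protocol tcp, tcp-initial and destination-port are evaluated against whatever bytes happen to sit at those offsets, so a term meant for TCP session starts can match unrelated traffic and, depending on the action, let it through or log it as a false positive. Adding protocol tcp is the check the tables recommend.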
Related Topics
- Junos OS Feature Support Reference for SRX Series and J Series Devices
- Configuring IPv4 Match Conditions in the Junos Policy Framework Configuration Guide
- Configuring IPv6 Match Conditions in the Junos Policy Framework Configuration Guide
- How to Specify Firewall Filter Match Conditions in the Junos Policy Framework Configuration Guide