Understanding Firewall Filter Match Conditions
Before you define terms for firewall filters, you must understand how the conditions in a term are handled and how to specify interface, numeric, address, and bit-field filter match conditions to achieve the desired filter results.
Filter Match Conditions
In the from statement of a firewall filter term, you specify the conditions that the packet must match for the action in the then statement to be taken.
All conditions must match for the action to be implemented. The order
in which you specify match conditions is not important, because a
packet must match all the conditions in a term for a match to occur.
If you specify multiple values for the same condition, a match
on any one of those values matches that condition. For example, if
you specify multiple IP source addresses using the source-address
statement, a packet that contains any one of those IP source addresses
matches the condition. In some cases you can specify multiple values
for the same condition by enclosing the possible values in square
brackets, as in:
[edit firewall family family-name filter filter-name term term-name from]
user@switch# set protocol (icmp | udp)
In other cases you must enter multiple statements, as in:
[edit firewall family family-name filter filter-name term term-name from]
user@switch# set source-address 10.1.1.1
user@switch# set source-address 10.1.1.2
If you specify no match conditions in a term, that term matches all packets.
Unlike traditional Junos OS firewall filters, you cannot use except in a condition statement to negate the condition.
Numeric Filter Match Conditions
You can specify numeric filter match conditions that are identified by a numeric value, such as port and protocol numbers. For numeric filter match conditions, you specify the condition and a single value that a field in a packet must contain to be considered a match.
You can specify the numeric value in one of the following ways:
Single number—A match occurs if the value of the field matches the number. For example, to match Telnet traffic:
[edit firewall family family-name filter filter-name term term-name from]
user@switch# set source-port 23
Text synonym for a single number—A match occurs if the value of the field matches the number that corresponds to the synonym. For example, to match Telnet traffic:
[edit firewall family family-name filter filter-name term term-name from]
user@switch# set source-port telnet
To specify multiple values for the same match condition in a filter term, enter each value in its own match statement. For example, a match occurs in the following term if the value of the source port in the packet is 22 or 23.
[edit firewall family family-name filter filter-name term term-name from]
user@switch# set source-port 22
user@switch# set source-port 23
Interface Filter Match Conditions
You can specify an interface filter match condition to match an interface on which a packet is received or transmitted. In the following example, the final character (0) specifies the logical unit. You can include the wildcard (*) as part of the interface name. For example:
[edit firewall family family-name filter filter-name term term-name from]
user@switch# set interface ge-0/*/6.0
user@switch# set interface ge-0/1/*.0
user@switch# set interface ge-0/0/6.*
Note that you must specify a value or a wildcard for the logical unit.
IP Address Filter Match Conditions
You can specify an address filter match condition to match an IP source or destination address or prefix in a packet. Specify the address or prefix type and the address or prefix itself. For example:
[edit firewall family family-name filter filter-name term term-name from]
user@switch# set destination-address 10.2.1.0/24
If you omit the prefix length, it defaults to /32. For example:
[edit firewall family family-name filter filter-name term term-name from]
user@switch# set destination-address 10
[edit firewall family family-name filter filter-name term term-name from]
user@switch# show
destination-address {
    10.0.0.0/32;
}
To specify more than one IP address or prefix in a filter term, enter each address or prefix in its own match statement. For example, a match occurs in the following term if the source address of a packet matches either of the following prefixes:
[edit firewall family family-name filter filter-name term term-name from]
user@switch# set source-address 10.1.0.0/16
user@switch# set source-address 10.2.0.0/16
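As an added illustration (not Junos code or output), the following Python models the matching rules described in the Filter Match Conditions, Numeric, Interface, and IP Address sections above: every condition in a term must match, any one of a condition's values satisfies it, a shortened address such as 10 expands to 10.0.0.0 with a default /32, an interface wildcard behaves as a glob, and an empty term matches every packet. The port synonym table, the sample term and the packet representation are constructed for this example.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed for this example: a small subset of the port text synonyms.
PORT_SYNONYMS = {"telnet": 23, "ssh": 22}


def expand_address(value):
    """Turn a possibly shortened address or prefix into an ip_network.

    Mirrors the documented behaviour: "10" becomes 10.0.0.0/32 and a
    missing prefix length defaults to /32.
    """
    addr, _, length = value.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))  # pad "10" to "10.0.0.0"
    return ipaddress.ip_network(f"{'.'.join(octets)}/{length or 32}", strict=False)


def condition_matches(name, values, packet):
    """A single condition matches when ANY of its listed values matches."""
    if name in ("source-address", "destination-address"):
        addr = ipaddress.ip_address(packet[name])
        return any(addr in expand_address(v) for v in values)
    if name in ("source-port", "destination-port"):
        # values are entered as numbers ("23") or text synonyms ("telnet")
        return any(packet[name] == int(PORT_SYNONYMS.get(v, v)) for v in values)
    if name == "interface":
        # the wildcard * stands for any run of characters in the interface name
        return any(fnmatchcase(packet[name], v) for v in values)
    raise ValueError(f"unsupported match condition: {name}")


def term_matches(from_clause, packet):
    """ALL conditions must match; a term with no conditions matches every packet."""
    return all(condition_matches(n, v, packet) for n, v in from_clause.items())


# Constructed sample: the two source prefixes from the page plus SSH/Telnet ports.
SAMPLE_TERM = {
    "source-address": ["10.1.0.0/16", "10.2.0.0/16"],
    "source-port": ["22", "telnet"],
}
SAMPLE_PACKET = {"source-address": "10.2.5.5", "source-port": 23, "interface": "ge-0/3/6.0"}

if __name__ == "__main__":
    print("sample packet matches term:", term_matches(SAMPLE_TERM, SAMPLE_PACKET))
```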
Bit-Field Filter Match Conditions
You can specify bit-field filter match conditions to match particular bits within certain fields in Ethernet frames and IP, TCP, UDP, and ICMP headers. You usually specify the field and the bit within the field that must be set in a packet to be considered a match.
In most cases you can use a keyword to specify the bit you want to match on. For example, to match on a TCP SYN packet you can enter syn, as in:
[edit firewall family family-name filter filter-name term term-name from]
user@switch# set tcp-flags syn
You can also enter 0x02 because the SYN bit is the third least-significant bit of the 8-bit tcp-flags field:
[edit firewall family family-name filter filter-name term term-name from]
user@switch# set tcp-flags 0x02
To match multiple bit-field values, use the logical operators, which are described in Table 1. The operators are listed in order from highest precedence to lowest precedence. Operations are evaluated from left to right.
Table 1: Logical Operators

Logical Operator    Description
!                   Negation
&                   Logical AND
|                   Logical OR
If you use a logical operator, enclose the values in quotation marks and do not include any spaces. For example, the following statement matches the second packet of a TCP handshake:
[edit firewall family family-name filter filter-name term term-name from]
user@switch# set tcp-flags "syn&ack"
To negate a match, precede the value with an exclamation point. For example, the following statement matches only the initial packet of a TCP handshake:
[edit firewall family family-name filter filter-name term term-name from]
user@switch# set tcp-flags "syn&!ack"
You can use text synonyms to specify some common bit-field matches. For example, the following statement also matches the initial packet of a TCP handshake:
[edit firewall family family-name filter filter-name term term-name from]
user@switch# set tcp-initial
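As an added example (not Junos code), the following Python evaluates tcp-flags expressions such as "syn&ack" and "syn&!ack" against the flags byte of a packet, applying the precedence from Table 1 (negation, then AND, then OR) and the tcp-initial synonym named above. The flag bit values are the standard TCP header bits; the rule that a multi-bit numeric value matches only when all of its bits are set, and the sample handshake flag bytes, are assumptions of this example.

```python
# Constructed evaluator for Junos-style tcp-flags expressions (illustration
# only, not Junos code). Precedence follows Table 1: ! binds tightest, then &,
# then |; operands are flag keywords or a numeric bit value such as 0x02.
TCP_FLAG_BITS = {
    "fin": 0x01, "syn": 0x02, "rst": 0x04,
    "push": 0x08, "ack": 0x10, "urgent": 0x20,
}
# tcp-initial is the synonym named on the page; its expansion is the meaning given there.
TEXT_SYNONYMS = {"tcp-initial": "syn&!ack"}

# Constructed flag bytes of the three TCP handshake packets, for trying the evaluator.
HANDSHAKE = {"client SYN": 0x02, "server SYN-ACK": 0x12, "client ACK": 0x10}


def operand_true(token, flags):
    """True when every bit named by the operand is set in the flags byte.

    Requiring all bits of a multi-bit numeric value is an assumption here.
    """
    mask = TCP_FLAG_BITS.get(token)
    if mask is None:
        mask = int(token, 0)  # base 0 accepts 0x02 as well as plain 2
    if not 0 < mask <= 0xFF:
        raise ValueError(f"invalid tcp-flags value: {token}")
    return (flags & mask) == mask


def tcp_flags_match(expression, flags):
    """Evaluate a quoted tcp-flags expression against an 8-bit flags field."""
    expression = TEXT_SYNONYMS.get(expression, expression)
    if " " in expression:
        raise ValueError("tcp-flags expressions must not contain spaces")
    # Split on the lowest-precedence operator first (|), then on & within each
    # group; a leading ! negates only the operand it is attached to.
    for or_group in expression.split("|"):
        group_true = True
        for term in or_group.split("&"):
            negate = term.startswith("!")
            token = term[1:] if negate else term
            if operand_true(token, flags) == negate:  # this operand fails the AND group
                group_true = False
                break
        if group_true:
            return True
    return False


if __name__ == "__main__":
    for expr in ("syn", "syn&ack", "syn&!ack", "tcp-initial"):
        hits = [name for name, f in HANDSHAKE.items() if tcp_flags_match(expr, f)]
        print(f"{expr:12} matches: {hits}")
```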