Guidelines for Configuring Simple Filters

Statement Hierarchy for Configuring Simple Filters

To configure a simple filter, include the simple-filter simple-filter-name statement at the [edit firewall family inet] hierarchy level.

Individual statements supported under the simple-filter simple-filter-name statement are described separately in this topic and are illustrated in the example of configuring and applying a simple filter.

Simple Filter Protocol Families

You can configure simple filters to filter IPv4 traffic (family inet) only. No other protocol family is supported for simple filters.

Simple Filter Names

Under the family inet statement, you can include simple-filter simple-filter-name statements to create and name simple filters. The filter name can contain letters, numbers, and hyphens (-) and be up to 64 characters long. To include spaces in the name, enclose the entire name in quotation marks (“ ”).

Simple Filter Terms

Under the simple-filter simple-filter-name statement, you can include term term-name statements to create and name filter terms.

  • You must configure at least one term in a firewall filter.

  • You must specify a unique name for each term within a firewall filter. The term name can contain letters, numbers, and hyphens (-) and can be up to 64 characters long. To include spaces in the name, enclose the entire name in quotation marks (“ ”).

  • The order in which you specify terms within a firewall filter configuration is important. Firewall filter terms are evaluated in the order in which they are configured. By default, new terms are always added to the end of the existing filter. You can use the insert configuration mode command to reorder the terms of a firewall filter.

Simple filters do not support the next term action.

Simple Filter Match Conditions

Simple filter terms support only a subset of the IPv4 match conditions that are supported for standard stateless firewall filters.

The following restrictions apply to simple filters but not to standard stateless firewall filters:

  • On MX Series routers with the Enhanced Queuing DPC and on EX Series switches, simple filters do not support the forwarding-class match condition.

  • Simple filters support only one source-address and one destination-address prefix for each filter term. If you configure multiple prefixes, only the last one is used.

  • Simple filters do not support multiple source addresses and destination addresses in a single term. If you configure multiple addresses, only the last one is used.

  • Simple filters do not support negated match conditions, such as the protocol-except match condition or the exception keyword.

  • Simple filters support a range of values for source-port and destination-port match conditions only. For example, you can configure source-port 400-500 or destination-port 600-700.

  • Simple filters do not support noncontiguous mask values.
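The single-prefix restriction above is easy to trip over, because the extra prefixes are ignored rather than flagged: only the last one configured in a term is used. The following configuration, added here as an illustration and not taken from the original page or from Juniper, shows a term that carries two source prefixes (only the second takes effect) beside the corrected form that gives each prefix its own term. The filter and term names, the RFC 5737 documentation prefixes and the port range are assumptions.

```junos
/* Added example. Filter name, term names, prefixes and port range are assumed. */
firewall {
    family inet {
        simple-filter classify-app-traffic {
            /* PITFALL: two source prefixes in one term. A simple filter keeps
               only the last prefix configured, so 192.0.2.0/24 never matches
               and only 198.51.100.0/24 is classified. */
            term both-sites-wrong {
                from {
                    source-address 192.0.2.0/24;
                    source-address 198.51.100.0/24;
                    protocol udp;
                    destination-port 5000-5100;
                }
                then {
                    loss-priority low;
                }
            }
            /* CORRECT: one prefix per term. Terms are evaluated in the order
               configured; each term accepts the packet after classifying it,
               so no 'next term' is needed or allowed. */
            term site-a {
                from {
                    source-address 192.0.2.0/24;
                    protocol udp;
                    destination-port 5000-5100;
                }
                then {
                    loss-priority low;
                }
            }
            term site-b {
                from {
                    source-address 198.51.100.0/24;
                    protocol udp;
                    destination-port 5000-5100;
                }
                then {
                    loss-priority low;
                }
            }
        }
    }
}
```

The port is written as a range (5000-5100) and the protocol is set explicitly, matching the port-range restriction and the recommendation in Table 1 to pair a port match with a protocol match. Negated conditions such as protocol-except would also be rejected here, so the affirmative protocol match is the only form available.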

Table 1 lists the simple filter match conditions.

Table 1: Simple Filter Match Conditions

Each match condition is listed on its own line, followed by its indented description.

destination-address destination-address
    Match the IP destination address.

destination-port number
    Match the TCP or UDP destination port field.

    If you configure this match condition, we recommend that you also configure the protocol match condition to determine which protocol is being used on the port.

    In place of the numeric value, you can specify one of the following text aliases (the port numbers are also listed): afs (1483), bgp (179), biff (512), bootpc (68), bootps (67), cmd (514), cvspserver (2401), dhcp (67), domain (53), eklogin (2105), ekshell (2106), exec (512), finger (79), ftp (21), ftp-data (20), http (80), https (443), ident (113), imap (143), kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544), ldap (389), login (513), mobileip-agent (434), mobilip-mn (435), msdp (639), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123), pop3 (110), pptp (1723), printer (515), radacct (1813), radius (1812), rip (520), rkinit (2108), smtp (25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525), who (513), or xdmcp (177).

forwarding-class class
    Match the forwarding class of the packet.

    Specify assured-forwarding, best-effort, expedited-forwarding, or network-control.

    For information about forwarding classes and router-internal output queues, see Understanding How Forwarding Classes Assign Classes to Output Queues.

protocol number
    Match the IP protocol field. In place of the numeric value, you can specify one of the following text aliases (the field values are also listed): ah (51), dstopts (60), egp (8), esp (50), fragment (44), gre (47), hop-by-hop (0), icmp (1), icmp6 (58), icmpv6 (58), igmp (2), ipip (4), ipv6 (41), ospf (89), pim (103), rsvp (46), sctp (132), tcp (6), udp (17), or vrrp (112).

source-address ip-source-address
    Match the IP source address.

source-port number
    Match the TCP or UDP source port field.

    If you configure this match condition, we recommend that you also configure the protocol match condition to determine which protocol is being used on the port.

    In place of the numeric value, you can specify one of the text aliases listed for destination-port.

Simple Filter Terminating Actions

Simple filters do not support explicitly configurable terminating actions, such as accept, reject, and discard. Terms configured in a simple filter always accept packets.

Simple filters do not support the next term action.

Simple Filter Nonterminating Actions

Simple filters support only the following nonterminating actions:

  • forwarding-class (forwarding-class | assured-forwarding | best-effort | expedited-forwarding | network-control)

    Note:

    On the MX Series routers and EX Series switches with the Enhanced Queuing DPC, the forwarding class is not supported as a from match condition.

  • loss-priority (high | low | medium-high | medium-low)

Simple filters do not support actions that perform other functions on a packet (such as incrementing a counter, logging information about the packet header, sampling the packet data, or sending information to a remote host using the system log functionality).
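As an added example that is not part of the original page or of Juniper's own documentation, the following configuration brings the statements in this topic together: two terms in one simple filter, each with a single prefix, a protocol and a port range, and each applying both supported nonterminating actions. Because every simple filter term accepts the packet, the filter classifies traffic but cannot enforce access control; a standard stateless firewall filter is needed wherever traffic must be discarded, rejected, counted or logged. The filter, term and interface names, the prefix and the port ranges are assumptions, and the interfaces stanza that applies the filter follows the standard Junos interface hierarchy, which this page does not cover.

```junos
/* Added example. Filter, term and interface names, prefix and port ranges are assumed. */
firewall {
    family inet {
        simple-filter mark-voice-and-bulk {
            /* Real-time traffic from one site: high-priority queue, low drop
               probability. One prefix, one protocol, one port range per term. */
            term voice {
                from {
                    source-address 203.0.113.0/24;
                    protocol udp;
                    destination-port 16384-32767;
                }
                then {
                    forwarding-class expedited-forwarding;
                    loss-priority low;
                }
            }
            /* Bulk transfers from anywhere: best-effort queue, first to be
               dropped under congestion. No source-address match is needed. */
            term bulk-transfer {
                from {
                    protocol tcp;
                    destination-port 8000-8100;
                }
                then {
                    forwarding-class best-effort;
                    loss-priority high;
                }
            }
            /* No 'then accept', 'discard', 'reject', 'count', 'log', 'sample',
               'syslog' or 'next term' appears above: simple filters do not
               accept them, and every term accepts the packet once it has
               applied its classification. */
        }
    }
}
/* Applying the filter to an interface (standard Junos interface hierarchy,
   outside the scope of this page; interface name is assumed). */
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                simple-filter {
                    input mark-voice-and-bulk;
                }
            }
        }
    }
}
```

The forwarding-class action is used here rather than a forwarding-class match condition, so the configuration is valid on the MX Series Enhanced Queuing DPC and EX Series platforms noted above, where forwarding-class cannot appear under from. Only the inet family is possible; an equivalent filter under family inet6 would be rejected because simple filters support IPv4 only.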