Example: Using Firewall Filter Chains

This example shows the use of firewall filter chains. Firewall filters filter1, filter2, and filter3 are applied to interface ge-0/1/1.0 using the input-chain and output-chain configuration statements.

Requirements

Before you begin:

  • You should have an MX Series router with MPCs running Junos OS Release 18.4R1 or later.

    If you are using PTX10001-36MR, PTX10004, PTX10008, or PTX10016 routers for this feature, install Junos OS Evolved Release 21.4R1.

  • The router should be configured for the IP version 4 (IPv4) protocol (family inet), and the logical interface should be configured with an interface address. All other initial router configuration should be complete, with basic IPv4 connectivity between the devices confirmed.

  • The traffic you send should be compatible with the firewall filter rules so the rules you configure can match the test traffic you send.

Overview

This example shows how to chain multiple firewall filters for both ingress and egress so they can be applied to a given interface and evaluated in sequence. The filters are executed in the order they appear in the chain, from left to right.

Using filter chains (as opposed to an input-list of filters) allows multiple levels of filtering, such as an initial filter that performs generic classification (for example, QoS) followed by one or more filters for additional refinement (for example, security). Chains avoid the inherent conflict that can arise when the IP addresses used in the evaluation overlap.

Starting from Junos OS Evolved Release 21.4R1, you can use firewall filter chains on PTX10001-36MR, PTX10004, PTX10008, and PTX10016 routers.

You can apply the filter chain as follows:

set interfaces interface-name unit unit family inet filter input-chain [filter1 filter2 filter3];

set interfaces interface-name unit unit family inet filter output-chain [filter1 filter2 filter3];

On PTX Evo platforms, the feature has the following limitations:

  • You can configure only the first filter in a chain of filters as interface specific. On MX Series routers, you can configure all filters in a chain of filters as interface specific.

  • You cannot configure the same filters both as a regular CLI filter and as chain filters on the same interface-specific bind point. On such bind points, replace the existing CLI filter with a filter chain (or vice versa) and commit the two changes separately to avoid a commit error.

  • You cannot configure chain filters together with “family ANY” and interface policers on the same bind point.

  • On loopback interfaces, output chain filters are not supported.

  • On loopback interfaces, you cannot configure both a regular input CLI filter and chain filters.

  • On IRB interfaces, you cannot configure both a regular interface-specific CLI filter and filter chains.

  • For Layer 2 SP-style output, you cannot configure both a regular interface-specific CLI filter and chain filters.

  • Filters such as fast-lookup-filter are not supported as part of CLI chain filters.

  • CLI filter chains are not supported for uRPF fail filters (Urpf-fail-filters).

  • Because egress filters for family MPLS are supported only as fast-lookup-filters, and chain filters do not support fast-lookup-filters, a commit check is provided that rejects family MPLS egress chain filters.

Topology

In this example, you configure multiple firewall filters and then apply them in sequence by chaining them to a given interface. This example uses ge-0/1/1.0 configured with the IP address 172.16.1.1/30 for both the input and output chain. If a packet does not match any of the filters in the chain list, the packet is dropped.

Configuration

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Use the CLI Editor in Configuration Mode.

CLI Quick Configuration

To quickly configure this example, copy the following commands into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit] hierarchy level. The filter names used here are filter1, and so on, while the term names are t1_f1 (term1, using filter1), and so on.

Configure IPv4 Firewall Filters

Here we configure the firewall filters. Each has different match conditions and count actions. The first two filters have multiple terms with the non-terminating action of count, which means matching packets are passed on to the next filter in the chain, while the third has an action of accept. Packets that don't match any of the specified conditions are dropped.

Step-by-Step Procedure

To configure the firewall filters:

  1. Navigate the CLI to the hierarchy level at which you configure IPv4 firewall filters.

  2. Configure the first firewall filter to count TCP packets, or packets with a precedence of 7, before sending them on to the next filter in the chain.

  3. Configure the second firewall filter to count DSCP packets, or packets with a source port of 1020, before sending them on to the next filter in the chain.

  4. Configure the last firewall filter to count and accept packets with a destination address of 172.30.1.1/32, or a destination port of 5454.

Apply the Chain of Input Filters

Here we attach the firewall filters to a given interface. The order of execution occurs in the same order as the chain, from left to right.

Step-by-Step Procedure

To assign the interface an IP address and apply the filter chain:

  1. Navigate to the interface we are using for the filters, ge-0/1/1.0.

  2. Assign an IPv4 address to the logical interface.

  3. Apply the filters as a list of input filters.
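The following set commands are an added example, not the page's own quick configuration; they are built from the filter descriptions in the steps above (filter1: TCP or precedence 7, count; filter2: DSCP 0 or source port 1020, count; filter3: destination 172.30.1.1/32 or destination port 5454, count and accept) and from the interface details in the Topology section. Counter names such as count_tcp are assumptions, as is the choice of DSCP value 0 for filter2 (taken from the verification step). Lines beginning with # are explanatory and are not part of the configuration; strip them before pasting at the [edit] hierarchy level.

```junos
# filter1: count TCP packets, or packets with IP precedence 7, then hand on to filter2
set firewall family inet filter filter1 term t1_f1 from protocol tcp
set firewall family inet filter filter1 term t1_f1 then count count_tcp
set firewall family inet filter filter1 term t2_f1 from precedence 7
set firewall family inet filter filter1 term t2_f1 then count count_prec7

# filter2: count packets with DSCP value 0, or source port 1020, then hand on to filter3
set firewall family inet filter filter2 term t1_f2 from dscp 0
set firewall family inet filter filter2 term t1_f2 then count count_dscp0
set firewall family inet filter filter2 term t2_f2 from source-port 1020
set firewall family inet filter filter2 term t2_f2 then count count_sport1020

# filter3: count and accept packets to 172.30.1.1/32, or to destination port 5454
set firewall family inet filter filter3 term t1_f3 from destination-address 172.30.1.1/32
set firewall family inet filter filter3 term t1_f3 then count count_dst
set firewall family inet filter filter3 term t1_f3 then accept
set firewall family inet filter filter3 term t2_f3 from destination-port 5454
set firewall family inet filter filter3 term t2_f3 then count count_dport5454
set firewall family inet filter filter3 term t2_f3 then accept

# ge-0/1/1.0: assign the address, then attach the chains (evaluated left to right)
set interfaces ge-0/1/1 unit 0 family inet address 172.16.1.1/30
set interfaces ge-0/1/1 unit 0 family inet filter input-chain [ filter1 filter2 filter3 ]
set interfaces ge-0/1/1 unit 0 family inet filter output-chain [ filter1 filter2 filter3 ]
```

Each filter uses one term per match condition because match conditions inside a single term are ANDed, so "TCP or precedence 7" needs two terms. Only filter3 carries a terminating accept; a packet that matches no term in a filter hits that filter's implicit discard and never reaches the next filter, which is the drop behaviour described in the Topology section. After pasting, confirm with show firewall and show interfaces ge-0/1/1 before committing, as in the procedure below.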

Confirm and Commit Your Candidate Configuration

Step-by-Step Procedure

To confirm and then commit your candidate configuration:

  1. Confirm the configuration of the firewall filters by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

  2. Confirm the configuration of the interface by entering the show interfaces configuration mode command.

  3. If you are done configuring the device, commit the configuration.

Verification

Confirm that the configuration works as expected, that is, that the matching traffic is evaluated by each of the filters filter1, filter2, and filter3, and that the expected action (count or accept) has been taken.

Send Traffic Through the Firewall Filters

Purpose

Send traffic from one device to the router you have configured to see whether matching packets are being evaluated by all relevant filters in the chain.

Action

To verify that input packets are evaluated by filter1, filter2, and filter3:

  1. From the remote host that is connected to ge-0/1/1.0, send a packet with a precedence of 7. The packet should be counted and then evaluated by filter2.

  2. From the remote host that is connected to ge-0/1/1.0, send a packet with a DSCP value of 0. The packet should be counted and then evaluated by filter3.

  3. From the remote host that is connected to ge-0/1/1.0, send a packet with a destination address of 172.30.1.1/32 and a destination port number of 5454. The packet should be counted and then accepted.

  4. To display counter information for the filters you configured, enter the show firewall filter filter-name operational mode command. The command output displays the number of bytes and packets that match filter terms associated with the counters.