ON THIS PAGE
Example: Configuring a Filter to Count Accepted and Rejected Packets
This example shows how to configure a firewall filter to count packets.
Requirements
No special configuration beyond device initialization is required before configuring this example.
Overview
In this example, you use a stateless firewall filter to reject all addresses except 192.168.5.0/24.
Topology
In the first term, the match condition address 192.168.5.0/24 except causes this address to be considered a mismatch, and this address
is passed to the next term in the filter. The match condition address 0.0.0.0/0 matches all other packets, and these are
counted, logged, and rejected.
In the second term, all packets that passed though the first
term (that is, packets whose address matches 192.168.5.0/24) are counted, logged, and accepted.
Configuration
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Use the CLI Editor in Configuration Mode.
To configure this example, perform the following tasks:
- CLI Quick Configuration
- Configure the Stateless Firewall Filter
- Apply the Stateless Firewall Filter to a Logical Interface
- Confirm and Commit Your Candidate Configuration
CLI Quick Configuration
To quickly configure this example, copy the following
configuration commands into a text file, remove any line breaks, and
then paste the commands into the CLI at the [edit] hierarchy
level.
set firewall family inet filter fire1 term 1 from address 192.168.5.0/24 except set firewall family inet filter fire1 term 1 from address 0.0.0.0/0 set firewall family inet filter fire1 term 1 then count reject_pref1_1 set firewall family inet filter fire1 term 1 then log set firewall family inet filter fire1 term 1 then reject set firewall family inet filter fire1 term 2 then count reject_pref1_2 set firewall family inet filter fire1 term 2 then log set firewall family inet filter fire1 term 2 then accept set interfaces ge-0/0/1 unit 0 family inet filter input fire1 set interfaces ge-0/0/1 unit 0 family inet address 10.1.2.3/30
Configure the Stateless Firewall Filter
Step-by-Step Procedure
To configure the stateless firewall filter fire1:
Create the stateless firewall filter
fire1.[edit] user@host# edit firewall family inet filter fire1
Configure the first term to reject all addresses except those to or from the
192.168.5.0/24prefix and then count, log, and reject all other packets.[edit firewall family inet filter fire1] user@host# set term 1 from address 192.168.5.0/24 except user@host# set term 1 from address 0.0.0.0/0 user@host# set term 1 then count reject_pref1_1 user@host# set term 1 then log user@host# set term 1 then reject
Configure the next term to count, log, and accept packets in the
192.168.5.0/24prefix.[edit firewall family inet filter fire1] user@host# set term 2 then count reject_pref1_2 user@host# set term 2 then log user@host# set term 2 then accept
Apply the Stateless Firewall Filter to a Logical Interface
Step-by-Step Procedure
To apply the stateless firewall filter to a logical interface:
Configure the logical interface to which you will apply the stateless firewall filter.
[edit] user@host# edit interfaces ge-0/0/1 unit 0 family inet
Configure the interface address for the logical interface.
[edit interfaces ge-0/0/1 unit 0 family inet] user@host# set address 10.1.2.3/30
Apply the stateless firewall filter to the logical interface.
[edit interfaces ge-0/0/1 unit 0 family inet] user@host# set filter input fire1
Confirm and Commit Your Candidate Configuration
Step-by-Step Procedure
To confirm and then commit your candidate configuration:
Confirm the configuration of the stateless firewall filter by entering the
show firewallconfiguration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.[edit] user@host# show firewall family inet { filter fire1 { term 1 { from { address { 192.168.5.0/24 except; 0.0.0.0/0; } } then { count reject_pref1_1; log; reject; } } term 2 { then { count reject_pref1_2; log; accept; } } } }Confirm the configuration of the interface by entering the
show interfacesconfiguration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.[edit] user@host# show interfaces ge-0/0/1 { unit 0 { family inet { filter { input fire1; } address 10.1.2.3/30; } } }If you are done configuring the device, commit your candidate configuration.
[edit] user@host# commit
Verification
To confirm that the configuration is working properly,
enter the show firewall filter fire1 operational mode command. You can also display
the log and individual counters separately by using the following
forms of the command:
show firewall counter reject_pref1_1show firewall counter reject_pref1_2