ON THIS PAGE
Example: Configuring a Filter to Accept Packets Based on IPv6 TCP Flags
This example shows how to configure a standard stateless firewall filter to accept packets from a trusted source.
Requirements
No special configuration beyond device initialization is required before configuring this example.
Overview
In this example, you create a filter that accepts packets with specific IPv6 TCP flags.
Configuration
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Use the CLI Editor in Configuration Mode.
- CLI Quick Configuration
- Configure the Stateless Firewall Filter
- Apply the Firewall Filter to the Loopback Interface
- Confirm and Commit Your Candidate Configuration
CLI Quick Configuration
To quickly configure this example, copy the following
commands into a text file, remove any line breaks, and then paste
the commands into the CLI at the [edit] hierarchy level.
set firewall family inet6 filter tcp_filter term 1 from next-header tcp set firewall family inet6 filter tcp_filter term 1 from tcp-flags syn set firewall family inet6 filter tcp_filter term 1 then count tcp_syn_pkt set firewall family inet6 filter tcp_filter term 1 then log set firewall family inet6 filter tcp_filter term 1 then accept set interfaces lo0 unit 0 family inet6 filter input tcp_filter set interfaces lo0 unit 0 family inet6 address ::10.34.1.0/120
Configure the Stateless Firewall Filter
Step-by-Step Procedure
To configure the firewall filter
Create the IPv6 stateless firewall filter tcp_filter.
[edit] user@host# edit firewall family inet6 filter tcp_filter
Specify that a packet matches if it is the initial packet in a TCP session and the next header after the IPv6 header is type TCP.
[edit firewall family inet6 filter tcp_filter] user@host# set term 1 from next-header tcp user@host# set term 1 from tcp-flags syn
Specify that matched packets are counted, logged to the buffer on the Packet Forwarding Engine, and accepted.
[edit firewall family inet6 filter tcp_filter] user@host# set term 1 then count tcp_syn_pkt user@host# set term 1 then log user@host# set term 1 then accept
Apply the Firewall Filter to the Loopback Interface
Step-by-Step Procedure
To apply the firewall filter to the loopback interface:
[edit] user@host# set interfaces lo0 unit 0 family inet6 filter input tcp_filter user@host# set interfaces lo0 unit 0 family inet6 address ::10.34.1.0/120
Confirm and Commit Your Candidate Configuration
Step-by-Step Procedure
To confirm and then commit your candidate configuration:
Confirm the configuration of the stateless firewall filter by entering the
show firewallconfiguration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.[edit] user@host# show firewall family inet6 { filter tcp_filter { term 1 { from { next-header tcp; tcp-flags syn; } then { count tcp_syn_pkt; log; accept; } } } }Confirm the configuration of the interface by entering the
show interfacesconfiguration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.[edit] user@host# show interfaces lo0 { unit 0 { family inet6 { filter { input tcp_filter; } address ::10.34.1.0/120; } } }When you are done configuring the device, commit your candidate configuration.
[edit] user@host# commit
Verification
To confirm that the configuration is working properly, enter the show firewall operational mode command.