
Summary of Stateful Firewall Filter and NAT Match Conditions and Actions

Table 90 lists the match conditions you can specify in stateful firewall filter and NAT terms. Table 91 and Table 92 list actions you can specify in stateful firewall filter and NAT terms.

Table 90: Stateful Firewall Filter and NAT Match Conditions

Match Condition / Description

application-sets [ set-names ]
    List of application set names. Application sets are defined at the [edit applications] hierarchy level.

applications [ application-names ]
    List of applications. Applications are defined at the [edit applications] hierarchy level.

destination-address address
    IP destination address field.

source-address address
    IP source address field.

For more information about configuring applications and application sets for stateful firewall filters, see the JUNOS Services Interfaces Configuration Guide.

Table 91: Stateful Firewall Filter Actions

Action / Description

accept
    Accept the packet and send it to its destination.

allow-ip-options [ values ]
    If the IP Option header of the packet contains a value that matches one of the specified values, accept the packet. If this action is not included, only packets without IP options are accepted. This action can be specified only together with the accept action.
    You can specify the IP option as text or as a numeric value: any (0), ip-security (130), ip-stream (8), loose-source-route (3), route-record (7), router-alert (148), strict-source-route (9), and timestamp (4).

discard
    Do not accept the packet, and do not process it further.

reject
    Do not accept the packet, and send a rejection message: for UDP, an ICMP unreachable message is sent; for TCP, a TCP RST is sent. Rejected packets can be logged or sampled.

syslog
    Record information in the system logging facility. This action can be combined with any other action except discard.

Table 92: NAT Actions

Action / Description

syslog
    Record information in the system logging facility.

translated destination-pool nat-pool-name
    Translate the destination address using the specified pool.

translated source-pool nat-pool-name
    Translate the source address using the specified pool.

translation-type (destination type | source type)
    Translate the destination or source address using the specified type:
      • destination static—Translate the destination address without port mapping. This type requires the size of the source address space to be the same as the size of the destination address space. You must specify a destination-pool name. The referenced pool must contain exactly one address and no port configuration at the [edit nat pool] hierarchy level.
      • source dynamic—Translate the source address with port mapping by means of NAPT. You must specify a source-pool name. The referenced pool must include a port configuration at the [edit nat pool] hierarchy level.
      • source static—Translate the source address without port mapping. This type requires the size of the source address space to be the same as the size of the destination address space. You must specify a source-pool name. The referenced pool must contain exactly one address and no port configuration at the [edit nat pool] hierarchy level.

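The action constraints in Tables 91 and 92 (allow-ip-options only with accept, syslog never with discard, and the pool requirements for each translation-type) are easy to get wrong when rules are generated or reviewed in bulk. The following is an added example, not Junos code and not part of this guide: a small hypothetical linter that models those constraints over a constructed Term/Pool data model. The pool names, term names and addresses are constructed sample data, and the "same size of address space" rule is interpreted as the matched prefix and the pool prefix having the same number of addresses.

```python
"""Hypothetical linter for stateful firewall filter and NAT terms.

Added example, not Junos code: it models the constraints that Tables 91
and 92 state for allow-ip-options, syslog and translation-type, over a
constructed Term/Pool data model that approximates the configuration.
"""
import ipaddress
from dataclasses import dataclass, field

# IP option names and numeric codes listed under allow-ip-options.
IP_OPTIONS = {
    "any": 0, "ip-security": 130, "ip-stream": 8, "loose-source-route": 3,
    "route-record": 7, "router-alert": 148, "strict-source-route": 9,
    "timestamp": 4,
}

# The (direction, type) combinations documented for translation-type.
TRANSLATION_TYPES = {("destination", "static"), ("source", "dynamic"), ("source", "static")}


@dataclass
class Pool:
    """A NAT pool: its address entries and whether a port block is configured."""
    name: str
    addresses: list
    has_port_config: bool = False


@dataclass
class Term:
    """One term: match conditions (Table 90) and actions (Tables 91/92)."""
    name: str
    match: dict = field(default_factory=dict)
    actions: dict = field(default_factory=dict)


def normalize_ip_options(values):
    """Map allow-ip-options values (names or numbers) to numeric codes."""
    codes = []
    for v in values:
        if isinstance(v, int):
            if v not in IP_OPTIONS.values():
                raise ValueError(f"unknown IP option code {v}")
            codes.append(v)
        elif v in IP_OPTIONS:
            codes.append(IP_OPTIONS[v])
        else:
            raise ValueError(f"unknown IP option {v!r}")
    return codes


def lint_firewall_term(term):
    """Return the Table 91 constraint violations found in a firewall term."""
    errors, a = [], term.actions
    if "allow-ip-options" in a:
        if "accept" not in a:
            errors.append(f"{term.name}: allow-ip-options is only valid with accept")
        try:
            normalize_ip_options(a["allow-ip-options"])
        except ValueError as exc:
            errors.append(f"{term.name}: {exc}")
    if "syslog" in a and "discard" in a:
        errors.append(f"{term.name}: syslog cannot be combined with discard")
    return errors


def lint_nat_term(term, pools):
    """Return the Table 92 constraint violations found in a NAT term."""
    errors, a = [], term.actions
    tt = a.get("translation-type")
    if tt is None:
        return errors
    if tt not in TRANSLATION_TYPES:
        return [f"{term.name}: unsupported translation-type {tt}"]
    direction, kind = tt
    pool_name = a.get(f"translated-{direction}-pool")
    if pool_name is None:
        return [f"{term.name}: {direction} {kind} requires a {direction}-pool name"]
    pool = pools.get(pool_name)
    if pool is None:
        return [f"{term.name}: pool {pool_name!r} is not defined"]
    if kind == "dynamic" and not pool.has_port_config:
        errors.append(f"{term.name}: NAPT pool {pool.name!r} needs a port configuration")
    if kind == "static":
        if len(pool.addresses) != 1 or pool.has_port_config:
            errors.append(f"{term.name}: static pool {pool.name!r} must hold exactly one address and no port configuration")
        # Equal address-space size, interpreted here as the matched prefix and
        # the single pool prefix having the same number of addresses.
        matched = term.match.get(f"{direction}-address")
        if matched and len(pool.addresses) == 1:
            want = ipaddress.ip_network(matched).num_addresses
            have = ipaddress.ip_network(pool.addresses[0]).num_addresses
            if want != have:
                errors.append(f"{term.name}: static translation needs equal-size address spaces")
    return errors


def lint_all(firewall_terms, nat_terms, pools):
    """Lint every term and return the combined list of violations."""
    errors = [e for t in firewall_terms for e in lint_firewall_term(t)]
    errors += [e for t in nat_terms for e in lint_nat_term(t, pools)]
    return errors


# Constructed sample configuration (documentation prefixes, not a real device).
POOLS = {
    "napt-pool": Pool("napt-pool", ["203.0.113.10/32"], has_port_config=True),
    "static-pool": Pool("static-pool", ["203.0.113.0/24"]),
    "bad-static": Pool("bad-static", ["203.0.113.20/32", "203.0.113.21/32"]),
}
FIREWALL_TERMS = [
    Term("allow-alerts", {"source-address": "192.0.2.0/24"},
         {"accept": True, "allow-ip-options": ["router-alert", 4], "syslog": True}),
    Term("bad-options", {}, {"discard": True, "allow-ip-options": [148], "syslog": True}),
]
NAT_TERMS = [
    Term("napt-out", {"source-address": "192.0.2.0/24"},
         {"translation-type": ("source", "dynamic"), "translated-source-pool": "napt-pool"}),
    Term("static-out", {"source-address": "192.0.2.0/24"},
         {"translation-type": ("source", "static"), "translated-source-pool": "static-pool"}),
    Term("static-bad", {"source-address": "192.0.2.0/24"},
         {"translation-type": ("source", "static"), "translated-source-pool": "bad-static"}),
]

if __name__ == "__main__":
    for problem in lint_all(FIREWALL_TERMS, NAT_TERMS, POOLS):
        print(problem)
```

Run as a script, the sample reports three violations: "bad-options" combines allow-ip-options with discard instead of accept and pairs syslog with discard, and "static-bad" references a static pool with two addresses; the dynamic NAPT term and the equal-size static term pass.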

