
Stateless Firewall Filter Match Conditions, Actions, and Action Modifiers

Table 60 lists the match conditions you can specify in stateless firewall filter terms. Some of the numeric range and bit-field match conditions allow you to specify a text synonym. For a complete list of the synonyms, do any of the following:

To specify a bit-field match condition with values, such as tcp-flags, you must enclose the values in quotation marks (" "). You can use bit-field logical operators to create expressions that are evaluated for matches. For example, if the following expression is used in a filter term, a match occurs if the packet is the initial packet of a TCP session:

tcp-flags "syn & !ack"

Table 61 lists the bit-field logical operators in order of highest to lowest precedence.

You can use text synonyms to specify some common bit-field matches. In the previous example, you can specify tcp-initial to specify the same match condition.

When the Services Router compares the stateless firewall filter match conditions to a packet, it compares only the header fields specified in the match condition. There is no implied protocol match. For example, if you specify a match of destination-port ssh, the Services Router checks for a value of 0x22 in the 2-byte field that is two bytes after the IP packet header. The protocol field of the packet is not checked.

Table 60: Stateless Firewall Filter Match Conditions

Numeric Range Match Conditions

keyword-except

Negates a match. For example, destination-port-except number.

The following keywords accept the -except extension: destination-port, dscp, esp-spi, forwarding-class, fragment-offset, icmp-code, icmp-type, interface-group, ip-options, packet-length, port, precedence, protocol, and source-port.

destination-port number

TCP or User Datagram Protocol (UDP) destination port field. You cannot specify both the port and destination-port match conditions in the same term. Normally, you specify this match in conjunction with the protocol tcp or protocol udp match statement to determine which protocol is being used on the port.

In place of the numeric value, you can specify a text synonym. For example, you can specify telnet or 23.

esp-spi spi-value

IPSec encapsulating security payload (ESP) security parameter index (SPI) value. Match on this specific SPI value. You can specify the ESP SPI value in hexadecimal, binary, or decimal form.

forwarding-class class

Forwarding class. Specify assured-forwarding, best-effort, expedited-forwarding, or network-control.

fragment-offset number

Fragment offset field.

icmp-code number

ICMP code field. Normally, you specify this match in conjunction with the protocol icmp match statement to confirm that the packet is actually ICMP, because there is no implied protocol match.

This value or keyword provides more specific information than icmp-type. Because the value's meaning depends on the associated icmp-type, you must specify icmp-type along with icmp-code.

In place of the numeric value, you can specify a text synonym. For example, you can specify ip-header-bad or 0.

icmp-type number

ICMP packet type field. Normally, you specify this match in conjunction with the protocol icmp match statement to confirm that the packet is actually ICMP, because there is no implied protocol match.

In place of the numeric value, you can specify a text synonym. For example, you can specify time-exceeded or 11.

interface-group group-number

Interface group on which the packet was received. An interface group is a set of one or more logical interfaces. For information about configuring interface groups, see the JUNOS Policy Framework Configuration Guide.

packet-length bytes

Length of the received packet, in bytes. The length refers only to the IP packet, including the packet header, and does not include any Layer 2 encapsulation overhead.

port number

TCP or UDP source or destination port field. You cannot specify both the port match and either the destination-port or source-port match conditions in the same term. Normally, you specify this match in conjunction with the protocol tcp or protocol udp match statement to determine which protocol is being used on the port.

In place of the numeric value, you can specify a text synonym. For example, you can specify bgp or 179.

precedence ip-precedence-field

IP precedence field. You can specify precedence in hexadecimal, binary, or decimal form.

In place of the numeric value, you can specify a text synonym. For example, you can specify immediate or 0x40.

protocol number

IP protocol field. In place of the numeric value, you can specify a text synonym. For example, you can specify ospf or 89.

source-port number

TCP or UDP source port field. You cannot specify the port and source-port match conditions in the same term. Normally, you specify this match in conjunction with the protocol tcp or protocol udp match statement to determine which protocol is being used on the port.

In place of the numeric value, you can specify a text synonym. For example, you can specify http or 80.

Address Match Conditions

address prefix

IP source or destination address field. You cannot specify both the address and the destination-address or source-address match conditions in the same term.

destination-address prefix

IP destination address field. You cannot specify the destination-address and address match conditions in the same term.

destination-prefix-list prefix-list

IP destination prefix list field. You cannot specify the destination-prefix-list and prefix-list match conditions in the same term.

prefix-list prefix-list

IP source or destination prefix list field. You cannot specify both the prefix-list and the destination-prefix-list or source-prefix-list match conditions in the same term.

source-address prefix

IP source address field. You cannot specify the source-address and address match conditions in the same term.

source-prefix-list prefix-list

IP source prefix list field. You cannot specify the source-prefix-list and prefix-list match conditions in the same term.

Bit-Field Match Conditions with Values

fragment-flags number

IP fragmentation flags. In place of the numeric value, you can specify a text synonym. For example, you can specify more-fragments or 0x2000.

ip-options number

IP options. In place of the numeric value, you can specify a text synonym. For example, you can specify record-route or 7.

tcp-flags number

TCP flags. Normally, you specify this match in conjunction with the protocol tcp match statement to determine which protocol is being used on the port. In place of the numeric value, you can specify a text synonym. For example, you can specify syn or 0x02.

Bit-Field Text Synonym Match Conditions

first-fragment

First fragment of a fragmented packet. This condition does not match unfragmented packets.

is-fragment

This condition matches if the packet is a trailing fragment. It does not match the first fragment of a fragmented packet. To match both first and trailing fragments, you can use two terms, or you can use fragment-offset 0-8191.

tcp-established

TCP packets other than the first packet of a connection. This match condition is a synonym for "(ack | rst)".

This condition does not implicitly check that the protocol is TCP. To do so, specify the protocol tcp match condition.

tcp-initial

First TCP packet of a connection. This match condition is a synonym for "(syn & !ack)".

This condition does not implicitly check that the protocol is TCP. To do so, specify the protocol tcp match condition.

Table 61: Stateless Firewall Filter Bit-Field Logical Operators

( )

Grouping

!

Negation

& or +

Logical AND

| or ,

Logical OR
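Added example, not taken from the Juniper documentation: a small Python model of how a term evaluates a tcp-flags expression with the Table 61 precedence, expands the tcp-initial and tcp-established synonyms, and why, since there is no implied protocol match, a term that omits protocol tcp is also tested against non-TCP packets. The packet dicts, the two filters, and the implicit final discard are assumptions made for the example.

```python
import re

# TCP flag bits as laid out in the TCP header flags byte (RFC 793).
TCP_FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "push": 0x08, "ack": 0x10, "urgent": 0x20}
# Bit-field text synonyms exactly as Table 60 defines them.
SYNONYMS = {"tcp-initial": "syn & !ack", "tcp-established": "(ack | rst)"}
def match_flags(expr, flags):
    """Evaluate a tcp-flags expression against a flags byte using the Table 61
    precedence: grouping, then !, then & or +, then | or , (lowest)."""
    toks = re.findall(r"0x[0-9a-f]+|\d+|[a-z]+|[()!&+|,]", SYNONYMS.get(expr, expr))
    pos = [0]  # token cursor shared by the nested recursive-descent parsers
    def atom():
        tok, pos[0] = toks[pos[0]], pos[0] + 1
        if tok == "(":
            val = or_expr()
            if toks[pos[0]:pos[0] + 1] != [")"]: raise ValueError("unbalanced parentheses in %r" % expr)
            pos[0] += 1
            return val
        if tok == "!":
            return not atom()
        bit = TCP_FLAGS[tok] if tok in TCP_FLAGS else int(tok, 0)  # synonym or number
        return (flags & bit) == bit
    def and_expr():
        val = atom()
        while pos[0] < len(toks) and toks[pos[0]] in ("&", "+"):
            pos[0] += 1
            val &= atom()
        return val
    def or_expr():
        val = and_expr()
        while pos[0] < len(toks) and toks[pos[0]] in ("|", ","):
            pos[0] += 1
            val |= and_expr()
        return val
    return or_expr()
def first_action(terms, pkt):
    """Action of the first term whose from-conditions all match. tcp-flags is
    checked by header position only (no implied protocol match, see Table 60)."""
    for term in terms:
        frm = term["from"]
        if (frm.get("protocol", pkt["protocol"]) == pkt["protocol"]
                and frm.get("destination-port", pkt["dport"]) == pkt["dport"]
                and ("tcp-flags" not in frm or match_flags(frm["tcp-flags"], pkt["flags"]))):
            return term["then"]
    return "discard"  # assumed: a JUNOS filter ends with an implicit discard
# Constructed filters: STRICT accepts established TCP and new SSH and rejects other
# new TCP with a reset; LOOSE omits protocol tcp to show the resulting pitfall.
STRICT = [{"from": {"protocol": "tcp", "tcp-flags": "tcp-established"}, "then": "accept"},
          {"from": {"protocol": "tcp", "destination-port": 22, "tcp-flags": "tcp-initial"}, "then": "accept"},
          {"from": {"protocol": "tcp"}, "then": "reject tcp-reset"}]
LOOSE = [{"from": {"tcp-flags": "tcp-established"}, "then": "accept"}]
```

A constructed UDP packet whose byte at the TCP flags position happens to carry the ack bit is accepted by LOOSE but falls through to discard under STRICT, which is the caveat Table 60 repeats for tcp-established and tcp-initial.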

Table 62 lists the actions and action modifiers you can specify in stateless firewall filter terms.

Table 62: Stateless Firewall Filter Actions and Action Modifiers

accept

Accepts a packet. This is the default if the packet matches. However, we strongly recommend that you always explicitly configure an action in the then statement.

discard

Discards a packet silently, without sending an Internet Control Message Protocol (ICMP) message. Packets are available for logging and sampling before being discarded.

next term

Continues to the next term for evaluation.

reject <message-type>

Discards a packet, sending an ICMP destination unreachable message. Rejected packets are available for logging and sampling. You can specify one of the following message types: administratively-prohibited (default), bad-host-tos, bad-network-tos, host-prohibited, host-unknown, host-unreachable, network-prohibited, network-unknown, network-unreachable, port-unreachable, precedence-cutoff, precedence-violation, protocol-unreachable, source-host-isolated, source-route-failed, or tcp-reset. If you specify tcp-reset, a TCP reset is returned if the packet is a TCP packet. Otherwise, nothing is returned.

routing-instance routing-instance

Routes the packet using the specified routing instance.

Action Modifiers

count counter-name

Counts the number of packets passing this term. The name can contain letters, numbers, and hyphens (-), and can be up to 24 characters long. A counter name is specific to the filter that uses it, so all interfaces that use the same filter increment the same counter.

forwarding-class class-name

Classifies the packet to the specified forwarding class.

log

Logs the packet's header information in the Routing Engine. You can access this information by entering the show firewall log command at the CLI.

loss-priority priority

Sets the scheduling priority of the packet. The priority can be low or high.

policer policer-name

Applies rate limits to the traffic using the named policer.

sample

Samples the traffic on the interface. Use this modifier only when traffic sampling is enabled. For more information, see the JUNOS Policy Framework Configuration Guide.

syslog

Records information in the system logging facility. This action can be used in conjunction with all options except discard.

