
Stateless Firewall Filter Strategies

For best results, use the following sections to plan the purpose and contents of a stateless firewall filter before starting configuration.

Strategy for a Typical Stateless Firewall Filter

A primary goal of a typical stateless firewall filter is to protect the Routing Engine processes and resources from malicious or untrusted packets. You can configure a firewall filter like the sample filter protect-RE to restrict traffic destined for the Routing Engine based on its source, protocol, and application. In addition, you can limit the traffic rate of packets destined for the Routing Engine to protect against flood, or denial-of-service (DoS), attacks.

For details, see Configuring a Routing Engine Firewall Filter for Services and Protocols from Trusted Sources and Configuring a Routing Engine Firewall Filter to Protect Against TCP and ICMP Floods.

Strategy for Handling Packet Fragments

You can configure a stateless firewall filter like the sample filter fragment-filter to address special circumstances associated with fragmented packets destined for the Routing Engine. Because the Services Router evaluates every packet against a firewall filter (including fragments), you must configure the filter to accommodate fragments that do not contain packet header information. Otherwise, the filter discards all but the first fragment of a fragmented packet.

For details, see Configuring a Routing Engine Firewall Filter to Handle Fragments.
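
The following Python sketch is an added illustration, not Juniper code or Junos configuration syntax. It models per-packet, first-match filter evaluation to show why a port-based term alone drops every fragment after the first, and how a term that accommodates fragments changes the result. The term names, the dictionary-based match format, and the sample packets are assumptions constructed for this example.

```python
import struct

def ipv4(proto, offset_units, more_fragments, payload):
    """Build a 20-byte IPv4 header plus payload (constructed sample data)."""
    flags_frag = (0x2000 if more_fragments else 0) | offset_units
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1,
                         flags_frag, 64, proto, 0,
                         bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1]))
    return header + payload

def visible_fields(pkt):
    """Return the fields a stateless filter can read from this packet alone."""
    offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    fields = {"protocol": pkt[9], "is_fragment": offset != 0}
    ihl = (pkt[0] & 0x0F) * 4
    # Only the first fragment (offset 0) carries the TCP/UDP header and ports.
    if offset == 0 and pkt[9] in (6, 17) and len(pkt) >= ihl + 4:
        fields["destination_port"] = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return fields

def verdicts(terms, packets):
    """Evaluate each packet on its own; the first matching term wins."""
    results = []
    for pkt in packets:
        fields = visible_fields(pkt)
        action = "discard"  # no term matched: implicit discard
        for _name, match, term_action in terms:
            if all(fields.get(k) == v for k, v in match.items()):
                action = term_action
                break
        results.append(action)
    return results

# Constructed sample: one TCP segment to port 22, split into two IP fragments.
tcp_header = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 5 << 4, 0x18, 1024, 0, 0)
FRAGMENTS = [
    ipv4(6, 0, True, tcp_header + b"DATA"),   # first fragment: 24 bytes, has ports
    ipv4(6, 3, False, b"MOREDATA"),           # offset 3 * 8 = 24 bytes, no ports
]

# Hypothetical term lists (names and layout are assumptions, not Junos syntax).
PORT_ONLY = [("ssh-term", {"protocol": 6, "destination_port": 22}, "accept")]
WITH_FRAGMENT_TERM = [
    ("fragment-term", {"protocol": 6, "is_fragment": True}, "accept"),
] + PORT_ONLY

if __name__ == "__main__":
    print("port-only filter:  ", verdicts(PORT_ONLY, FRAGMENTS))
    print("with fragment term:", verdicts(WITH_FRAGMENT_TERM, FRAGMENTS))
```
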

