[ Contents] [ Prev] [ Next] [ Index] [ Report an Error]

Stateless Firewall Filter Actions and Action Modifiers

Table 70 lists the actions and action modifiers you can specify in stateless firewall filter terms.

Table 70: Stateless Firewall Filter Actions and Action Modifiers

Action or Action Modifier

Description

accept

Accepts a packet. This is the default if the packet matches. However, we strongly recommend that you always explicitly configure an action in the then statement.

discard

Discards a packet silently, without sending an Internet Control Message Protocol (ICMP) message. Packets are available for logging and sampling before being discarded.

next term

Continues to the next term for evaluation.

reject <message-type>

Discards a packet, sending an ICMP destination unreachable message. Rejected packets are available for logging and sampling. You can specify one of the following message types: administratively-prohibited (default), bad-host-tos, bad-network-tos, host-prohibited, host-unknown, host-unreachable, network-prohibited, network-unknown, network-unreachable, port-unreachable, precedence-cutoff, precedence-violation, protocol-unreachable, source-host-isolated, source-route-failed, or tcp-reset. If you specify tcp-reset, a TCP reset is returned (indicating the end of a TCP flow), if the packet is a TCP packet. Otherwise, nothing is returned.

routing-instance routing-instance

Routes the packet using the specified routing instance.
Action Modifiers

count counter-name

Counts the number of packets passing this term. The name can contain letters, numbers, and hyphens (-), and can be up to 24 characters long. A counter name is specific to the filter that uses it, so all interfaces that use the same filter increment the same counter.

forwarding-class class-name

Classifies the packet to the specified forwarding class.

log

Logs the packet's header information in the Routing Engine. You can access this information by entering the show firewall log command at the CLI.

loss-priority priority

Sets the scheduling priority of the packet. The priority can be low or high.

policer policer-name

Applies rate limits to the traffic using the named policer.

sample

Samples the traffic on the interface. Use this modifier only when traffic sampling is enabled. For more information, see the JUNOS Policy Framework Configuration Guide.

syslog

Records information in the system logging facility. This action can be used in conjunction with all options except discard.

[ Contents] [ Prev] [ Next] [ Index] [ Report an Error]

[an error occurred while processing this directive]