Example: Configuring a Filter to Match on IPv6 Flags

This example shows how to configure a filter to match on IPv6 TCP flags.

Requirements

No special configuration beyond device initialization is required before configuring stateless firewall filters.

Overview

In this example, you configure a filter to match on IPv6 TCP flags. You can use this example to configure IPv6 TCP flags on the SRX100, SRX210, SRX240, SRX650, and J Series devices.

Configuration

Step-by-Step Procedure

To configure a filter to match on IPv6 TCP flags:

  1. Include the family statement at the firewall hierarchy level, specifying inet6 as the protocol family.

    [edit]
    user@host# edit firewall family inet6

  2. Create the stateless firewall filter.

    [edit firewall family inet6]
    user@host# edit filter tcpfilt

  3. Define the first term for the filter.

    [edit firewall family inet6 filter tcpfilt]
    user@host# edit term 1

  4. Define the match conditions for the term.

    [edit firewall family inet6 filter tcpfilt term 1]
    user@host# set from next-header tcp tcp-flags syn

  5. Define the actions for the term.

    [edit firewall family inet6 filter tcpfilt term 1]
    user@host# set then count tcp_syn_pkt log accept

  6. If you are done configuring the device, commit the configuration.

    [edit]
    user@host# commit
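The following Python model is an added example, not part of the original procedure or Juniper's code. It shows which constructed IPv6 packets term 1 would count and accept, assuming the filter is applied to an interface, that `tcp-flags syn` matches any segment with the SYN bit set, and that packets matching no term fall to the filter's implicit discard; the function names are hypothetical.

```python
import struct

TCP, UDP = 6, 17
SYN, ACK = 0x02, 0x10


def ipv6_tcp(flags, next_header=TCP):
    """Build a constructed packet: 40-byte IPv6 header + 20-byte TCP-shaped header."""
    src = bytes.fromhex("20010db8000000000000000000000001")  # 2001:db8::1 (documentation prefix)
    dst = bytes.fromhex("20010db8000000000000000000000002")  # 2001:db8::2
    ip6 = struct.pack("!IHBB", 0x60000000, 20, next_header, 64) + src + dst
    l4 = struct.pack("!HHIIBBHHH", 49152, 443, 1, 0, 5 << 4, flags, 65535, 0, 0)
    return ip6 + l4


def term1_matches(pkt):
    """Model of 'from next-header tcp tcp-flags syn' (assumed semantics, see lead-in)."""
    if len(pkt) < 60 or pkt[0] >> 4 != 6:
        return False
    if pkt[6] != TCP:                 # Next Header field of the fixed IPv6 header
        return False
    return bool(pkt[40 + 13] & SYN)   # TCP flags byte; SYN set, other bits ignored


def evaluate(packets):
    """Apply filter tcpfilt: term 1 counts and accepts, everything else is discarded."""
    counters = {"tcp_syn_pkt": 0}
    verdicts = []
    for pkt in packets:
        if term1_matches(pkt):
            counters["tcp_syn_pkt"] += 1
            verdicts.append("accept")
        else:
            verdicts.append("discard")  # implicit default action of a stateless filter
    return counters, verdicts


# Constructed sample traffic: SYN, SYN+ACK, bare ACK, and a non-TCP next header.
SAMPLE = [ipv6_tcp(SYN), ipv6_tcp(SYN | ACK), ipv6_tcp(ACK), ipv6_tcp(SYN, UDP)]

if __name__ == "__main__":
    print(evaluate(SAMPLE))
```

In this model the SYN+ACK reply is counted alongside the initial SYN, so `tcp_syn_pkt` is not a count of new connection attempts only, and the bare ACK is dropped because the filter has no later term that accepts it.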

Verification

To verify that the configuration is working properly, enter the show firewall filter tcpfilt command.