Configuring IPv6 Stateless Firewall Filters

Using the Configure Firewall Filters page, you can create filters,terms and define match conditions and actions for each filter term. For a description of match conditions and actions, see the Junos Policy Framework Configuration Guide.

The Configure Firewall Filters page displays existing firewall filters and allows you to add and modify filters.

The match criteria and actions configuration page allows you to set the match criteria and the resulting actions.

To configure a stateless firewall filter using the Configuration tab:

  1. In the J-Web interface, select Configure > Security > Filters.

    Note: After you make changes to the configuration in this window, you must commit the changes immediately for them to take effect. To commit all changes to the active configuration, select Commit Options > Commit. See Using the Commit Options to Commit Configuration Changes (J-Web Procedure) for details about all commit options.

  2. Select one of the following options on the Firewall Filters configuration page:
    • To edit IPv6 firewall filters and terms, select IPv6 Firewall Filters.

      Note: If you have existing IPv6 firewall configurations in both edit firewall filter and edit firewall family inet filter hierarchies, merge the two to one location. The J-Web firewall filter configuration feature supports configuration in one location only.

  3. Enter information into the Firewall Filters configuration pages, as described in Table 19.
  4. Click one of the following buttons on the Firewall Filters configuration main page:
    • To apply the configuration and stay in the current Firewall Filters configuration page, click Apply.
    • To apply the configuration and return to the main Configuration page, click OK.
    • To cancel your entries and return to the main configuration page, click Cancel.
  5. If the stateless firewall filter is not already assigned to an interface, see Assigning IPv4 and IPv6 Firewall Filters to Interfaces.

Table 19: Firewall Filters configuration Pages Summary

Field

Function

Your Action

IPv6 Filter Summary

Action column

Displays up and down arrows and an X, allowing you to delete or change the order of a filter or term. The order of an item is important because it determines the order in which corresponding actions are carried out.

To move an item upward, locate the item and click the up arrow from the same row.

To move an item downward, locate the item and click the down arrow from the same row.

To delete an item, locate the item and click the X from the same row.

Filter Name

Displays the name of the filter and, when expanded, lists the terms attached to the filter.

Displays the match conditions and actions that are set for each term.

Allows you to add more terms to a filter or modify filter terms.

To display the terms added to a filter, click the plus sign next to the filter name. This also displays the match conditions and actions set for the term.

To edit a filter, click the filter name. To edit a term, click the name of the term.

Search

Filter Name

Searches for existing filters by filter name.

To find a specific filter, type the name of the filter in the Filter Name box.

To list all filters with a common prefix or suffix, use the wildcard character (*) when typing the name of the filter. For example, te* lists all filters with a name starting with the characters te.

Term Name

Searches for existing terms by term name.

To find a specific term, type the name of the term in the Term Name box.

To list all terms with a common prefix or suffix, use the wildcard character (*) when typing the name of the term. For example, ra* lists all terms with a name starting with the characters ra.

Number of Items to Display

Specifies the number of filters or terms to display on one page.

To select the number of items to be displayed on one page, select a number from the list.

Add New IPv6 Filter

Name

Specifies the name for a new filter.

To name a filter, type a string of meaningful characters or integers that allow you to uniquely identify the filter.

Location

Positions the new filter in one of the following locations:

  • After Final IPv6 Filter—At the end of all filters.
  • After IPv6 Filter—After a specified filter.
  • Before IPv6 Filter—Before a specified filter.

To position the new filter:

  • At the end of all filters, select After Final IPv6 Filter.
  • After a specific filter, select After IPv6 Filter, then select a name from the filter name list.
  • Before a specific filter, select Before IPv6 Filter, then select a name from the filter name list.

Add

Adds a new filter name.

Opens the term summary page for this filter allowing you to add new terms to this filter.

To create a new filter and open the term summary page for this filter, click Add.

Add New IPv6 Term

Name

Defines a term for a specific filter.

To name a term, type a string of meaningful characters or integers that allow you to uniquely identify the term.

Location

Positions the new term in one of the following locations:

  • After Final IPv6 Term—At the end of all terms.
  • After IPv6 Term—After a specified term.
  • Before IPv6 Term—Before a specified term.

To position the new term:

  • At the end of all terms, select After Final IPv6 Term.
  • After a specific term, select After IPv6 Term, then select a name from the term name list.
  • Before a specific term, select Before IPv6 Term, then select a name from the term name list.

Add

Adds a term name for the specific filter.

Opens the Filter Term page allowing you to define the match conditions and the action for this term.

To add a term name and open the Filter Term page, click Add.

Match Source

Source Address

Specifies IP source addresses to be included in, or excluded from, the match condition.

Allows you to remove source IP addresses from the match condition.

If you have more than 25 addresses, this field displays a link that allows you to easily scroll through pages, change the order of addresses, and also search for them.

To specify an IP source address, type an IP address and prefix length.

  • To include the address in the match condition, click Add.
  • To exclude the address from the match condition, select Except and then click Add.

To remove an IP source address from the match condition, select it and click Delete.

Source Prefix List

Specifies source prefix lists that you have already defined, to be included in the match condition.

Allows you to remove a prefix list from the match condition.

For information about defining prefix lists, see the Routing Policy Configuration Guide.

To include a predefined source prefix list in the match condition, type the prefix list name and click Add.

To remove a prefix list from the match condition, select it and click Delete.

Source Port

Specifies the source port type to be included in, or excluded from, the match condition.

Allows you to remove a source port type from the match condition.

Note: This match condition does not check the protocol type being used on the port. Make sure to specify the protocol type (TCP or UDP) match condition in the same term.

To specify a known source port type, select the port from the port name list. To specify source port types that do not exist in the port name list, type the port name, number, or range.

  • To include the port in the match condition, click Add.
  • To exclude the port from the match condition, select Except and then click Add.

To remove a port type from the match condition, select it and click Delete.

Source Class

Specifies the source class to be included in, or excluded from, the match condition.

Allows you to remove a source class from the match condition.

To specify a known source class, select the source from the class name list. To specify source class that does not exist in the class name list, type the source name, number, or range.

  • To include the class in the match condition, click Add.
  • To exclude the class from the match condition, select Except then click Add.

To remove a class from the match condition, select it and click Delete.

Match Destination

Destination Address

Specifies destination addresses to be included in, or excluded from, the match condition.

Allows you to remove a destination IP address from the match condition.

If you have more than 25 addresses, this field displays a link that allows you to easily scroll through pages, change the order of addresses, and also search for them.

To specify a destination IP address, type an IP address and prefix length.

  • To include the address in the match condition, click Add.
  • To exclude the address from the match condition, select Except and then click Add.

To remove an IP address from the match condition, select it and click Delete.

Destination Prefix List

Specifies destination prefix lists that you have already defined, to be included in the match condition.

Allows you to remove a prefix list from the match condition.

For information about defining prefix lists, see the Junos Policy Framework Configuration Guide.

To include a predefined destination prefix list, type the prefix list name and click Add.

To remove a prefix list from the match condition, select it and click Delete.

Destination Port

Specifies destination port types to be included in, or excluded from, the match condition.

Allows you to remove a destination port type from the match condition.

Note: This match condition does not check the protocol type being used on the port. Make sure to specify the protocol type (TCP or UDP) match condition in the same term.

To specify a known destination port type, select the port from the port name list. To specify source port types that do not exist in the port name list, type the port name, number, or range.

  • To include the port in the match condition, click Add.
  • To exclude the port from the match condition, select Except then click Add.

To remove a destination port type from the match condition, select it and click Delete.

Destination Class

Specifies destination class to be included in, or excluded from, the match condition.

Allows you to remove a destination class from the match condition.

To specify a known destination class, select the class from the class name list. To specify source class that does not exist in the port name list, type the class name, number, or range.

  • To include the class in the match condition, click Add.
  • To exclude the class from the match condition, select Except then click Add.

To remove a destination class from the match condition, select it and click Delete.

Match Source or Destination

Address

Specifies IP addresses to be included in, or excluded from, the match condition for a source or destination.

Allows you to remove an IP address from the match condition.

If you have more than 25 addresses, this field displays a link that allows you to easily scroll through pages, change the order of addresses and also search for them.

Note: This address match condition cannot be specified in conjunction with the source address or destination address match conditions in the same term.

To specify a source or destination IP address, type the IP address and prefix length.

  • To include the address in the match condition, click Add.
  • To exclude the address from the match condition, select Except then click Add.

To remove an IP address from the match condition, select it and click Delete.

Prefix List

Specifies prefix lists that you have already defined, to be included in the match condition for a source or destination.

Allows you to remove a prefix list from the match condition.

For information about defining prefix lists, see the Junos Policy Framework Configuration Guide.

Note: This prefix list match condition cannot be specified in conjunction with the source prefix list or destination prefix list match conditions in the same term.

To include a predefined prefix list in the match condition, type the prefix list name and click Add.

To remove a prefix list from the match condition, select it and click Delete.

Port

Specifies a port type to be included in, or excluded from, a match condition for a source or destination.

Allows you to remove a port from the match condition.

Note: This match condition does not check the protocol type being used on the port. Make sure to specify the protocol type (TCP or UDP) match condition in the same term.

Also, this port match condition cannot be specified in conjunction with the source port or destination port match conditions in the same term.

To specify a known port type in the match condition, select the port from the port name list. To specify port types not included in the port name list, type the port name, number, or range.

  • To include the port in the match condition, click Add.
  • To exclude the port from the match condition, select Except then click Add.

To remove a port from the match condition, select it and click Delete.

Match Interface

Interface

Specifies interfaces to be included in a match condition.

Allows you to remove an interface from the match condition.

To include an interface in a match condition, either select a name from the interface name list or type the interface name and click Add.

To remove an interface from the match condition, select it and click Delete.

Interface Set

Specifies interface sets that you have already defined, to be included in a match condition.

Allows you to remove an interface set from the match condition.

For information about defining interface sets, see the Junos Policy Framework Configuration Guide.

To include a predefined interface set in a match condition, type the interface set name and click Add.

To remove an interface set from the match condition, select it and click Delete.

Interface Group

Specifies interface groups, that you have already defined, to be included in, or excluded from, a match condition.

Allows you to remove an interface group from the match condition.

For information about defining interface groups, see the Junos Policy Framework Configuration Guide.

To specify a predefined interface group, type the name of the group.

  • To include the group in the match condition, click Add.
  • To exclude the group from the match condition, select Except and then click Add.

To remove an interface group from the match condition, select it and click Delete.

Match Packet and Network

TCP Established

Matches all TCP packets other than the first packet of a connection.

Note: This match condition does not verify that the TCP protocol is used on the port. Make sure to specify the TCP protocol as a match condition in the same term.

To match all TCP packets except the first of a connection, select the check box.

TCP Initial

Matches the first TCP packet of a connection.

Note: This match condition does not verify that the TCP protocol is used on the port. Make sure to specify the TCP protocol as a match condition in the same term.

To match the first TCP packet of a connection, select the check box.

TCP Flags

Specifies TCP flags to be included in the match condition.

Note: This match condition does not verify that the TCP protocol is used on the port. Make sure to specify the TCP protocol as a match condition in the same term.

To specify a TCP flag, type a text or numeric string defining the flag; for example, syn or 0x02.

Next Header

Specifies IPv6 protocol types to be included in, or excluded from, the match condition.

Allows you to remove an IPv6 protocol type from the match condition.

To specify an IPv6 protocol type, select a protocol name from the list or type the protocol name or number; for example, igmp or 2.

  • To include the protocol in the match condition, click Add.
  • To exclude the protocol from the match condition, select Except and then click Add.

To remove an IPv6 protocol type from the match condition, select it and click Delete.

ICMP Type

Specifies ICMP packet types to be included in, or excluded from, the match condition.

Allows you to remove an ICMP packet type from the match condition.

Note: This protocol does not verify that ICMP is used on the port. Make sure to specify an ICMP type match condition in the same term.

To specify an ICMP packet type, select a packet type from the list or type a packet type name or number; for example, time-exceeded or 11.

  • To include the packet type in the match condition, click Add.
  • To exclude the packet type from the match condition, select Except and then click Add.

To remove an ICMP packet type from the match condtition, select it and click Delete.

ICMP Code

Specifies the ICMP code to be included in, or excluded from, the match condition.

Allows you to remove an ICMP code from the match condition.

Note: The ICMP code is dependent on the ICMP type. Make sure to specify an ICMP type match condition in the same term.

To specify an ICMP code, select a packet code from the list or type the packet code as text or a number; for example, ip-header-bad or 0.

  • To include the ICMP code in the match condition, click Add.
  • To exclude the ICMP code from the match condition, select Except and then click Add.

To remove an ICMP code from the match condition, select it and click Delete.

Traffic Class

Specifies Differentiated Services code points (DSCPs) to be included in, or excluded from, the match condition.

Allows you to remove a DSCP value from the match condition.

To specify a DSCP, select it from the list or type the DSCP value as a keyword, decimal, or binary string; for example, af11 or 10.

  • To include the DSCP in the match condition, click Add.
  • To exclude the DSCP from the match condition, select Except and then click Add.

To remove a DSCP from the match condition, select it and click Delete.

Packet Length

Specifies the length of received packets, in bytes, to be included in, or excluded from, the match condition.

Allows you to remove a packet length value from the match condition.

To specify a packet length, type a value or range.

  • To include the packet length in the match condition, click Add.
  • To exclude the packet length from the match condition, select Except and then click Add.

To remove a packet length value from the match condition, select it and click Delete.

Forwarding Class

Specifies forwarding classes to be included in, or excluded from, the match condition.

Allows you to a remove forwarding class entry from the match condition.

To specify a forwarding class, select it from the list or type it.

  • To include the forwarding class in the match condition, click Add.
  • To exclude the forwarding class from the match condition, select Except and then click Add.

To remove a forwarding class from the match condition, select it and click Delete.

Action

Nothing

No action is performed. By default, a packet is accepted if it meets the match conditions of the term, and packets that do not match any conditions in the firewall filter are dropped.

To specify no action (or the default action), select Nothing.

Accept

Accepts a packet that meets the match conditions of the term.

To accept the packet, select Accept.

Discard

Discards a packet that meets the match conditions of the term.

To discard a packet, select Discard.

Reject

Rejects a packet that meets the match conditions of the term and returns a rejection message.

Allows you to specify a message type that denotes the reason the packet was rejected.

Note: To log and sample rejected packets, specify the Log action modifier in conjunction with this action.

To reject a packet, select Reject.

To specify a message type, select the message from the Reason list.

Next Term

Evaluates a packet with the next term in the filter if the packet meets the match conditions in this term.

This action makes sure that the next term is used for evaluation even when the packet matches the conditions of a term.

When this action is not specified, the filter stops evaluating the packet after it matches the conditions of a term, and takes the associated action.

To continue to the next term, select Next Term.

Routing Instance

Accepts a packet that meets the match conditions, and forwards it to the specified routing instance.

To specify a routing instance, select Routing Instance and type the routing instance name in the box next to Routing Instance.

Other Actions

Forwarding Class

Classifies the packet as a specific forwarding class.

To specify a forwarding class, select it from the list.

Count

Counts the packets passing this term.

Allows you to name a counter, which is specific to this filter. This means that every time a packet transits any interface that uses this filter, it increments the specified counter.

To count packets passing this term, select Count.

To specify a counter name, type a 24–character string containing letters, numbers, or hyphens.

Log

Logs the packet header information in the Routing Engine.

To log packet header information, select Log.

Syslog

Records packet information in the system log.

To record information in the system log, select Syslog.

Port Mirror

Sends a copy of the packet to an external host address or a packet analyzer for analysis.

To send a copy of the packet, select Port Mirror.

Loss Priority

Sets the loss priority of the packet. This is the priority of dropping a packet before it is sent, and it affects the scheduling priority of the packet.

For more information, see the Junos OS Class of Service Configuration Guide.

To set the loss priority of the packet, select a loss priority from the list.