Technical Documentation

[edit firewall] Hierarchy Level

Several statements in the [edit firewall] hierarchy are valid at numerous locations within the hierarchy. To make the complete hierarchy easier to read, the repeated statements are listed in the following sections, which are referenced at the appropriate locations in Complete [edit firewall] Hierarchy.

Common Firewall Actions

This section lists statements that are valid at the following hierarchy levels, and is referenced at those levels in Complete [edit firewall] Hierarchy instead of the statements being repeated.

  • [edit firewall family (any | bridge | ccc | inet | inet6 | mpls | vpls) filter filter-name term term-name then]
  • [edit firewall filter filter-name term term-name then]

The common firewall actions are as follows:

count counter-name;
forwarding-class class-name;
loss-priority (high | low | medium-high | medium-low);
next term;
policer policer-name;
three-color-policer policer-name {
    (single-rate single-rate-policer-name | two-rate two-rate-policer-name);
}

Common IP Firewall Actions

This section lists statements that are valid at the following hierarchy levels, and is referenced at those levels in Complete [edit firewall] Hierarchy instead of the statements being repeated.

  • [edit firewall family inet filter filter-name term term-name then]
  • [edit firewall family inet6 filter filter-name term term-name then]
  • [edit firewall filter filter-name term term-name then]

The common IP firewall actions are as follows:

log;
logical-system logical-system-name <routing-instance routing-instance-name> <topology topology-name>;
port-mirror;
port-mirror-instance instance-name;
routing-instance routing-instance-name <topology topology-name>;
sample;
service-filter-hit;
syslog;
topology topology-name;

Common IPv4 Firewall Actions

This section lists statements that are valid at the following hierarchy levels, and is referenced at those levels in Complete [edit firewall] Hierarchy instead of the statements being repeated.

  • [edit firewall family inet filter filter-name term term-name then]
  • [edit firewall filter filter-name term term-name then]

The common IP version 4 (IPv4) firewall actions are as follows:

(accept | discard <accounting collector-name> | reject <administratively-prohibited | bad-host-tos | bad-network-tos | fragmentation-needed | host-prohibited | host-unknown | host-unreachable | network-prohibited | network-unknown | network-unreachable | port-unreachable | precedence-cutoff | precedence-violation | protocol-unreachable | source-host-isolated | source-route-failed | tcp-reset>);
ipsec-sa sa-name;
load-balance sa-name;
next-hop-group group-name;
prefix-action action-name;

Common IP Firewall Match Conditions

This section lists statements that are valid at the following hierarchy levels, and is referenced at those levels in Complete [edit firewall] Hierarchy instead of the statements being repeated.

  • [edit firewall family inet dialer-filter filter-name term term-name from] (with the exceptions noted at this level in Complete [edit firewall] Hierarchy)
  • [edit firewall family inet filter filter-name term term-name from]
  • [edit firewall family inet6 dialer-filter filter-name term term-name from] (with the exceptions noted at this level in Complete [edit firewall] Hierarchy)
  • [edit firewall family inet6 filter filter-name term term-name from]
  • [edit firewall filter filter-name term term-name from]

The common IP firewall match conditions are as follows:

address {
    ip-prefix</prefix-length> <except>;
}
destination-address {
    ip-prefix</prefix-length> <except>;
}
(destination-class [ class-names ] | destination-class-except [ class-names ]);
(destination-port [ port-names ] | destination-port-except [ port-names ]);
destination-prefix-list {
    list-name <except>;
}
(forwarding-class [ class-names ] | forwarding-class-except [ class-names ]);
(icmp-code [ codes ] | icmp-code-except [ codes ]);
(icmp-type [ types ] | icmp-type-except [ types ]);
interface interface-name;
(interface-group [ group-names ] | interface-group-except [ group-names ]);
interface-set set-name;
(loss-priority [ priorities ] | loss-priority-except [ priorities ]);
(packet-length [ values ] | packet-length-except [ values ]);
(port [ port-names ] | port-except [ port-names ]);
prefix-list {
    list-name <except>;
}
service-filter-hit;
source-address {
    ip-prefix</prefix-length> <except>;
}
(source-class [ class-names ] | source-class-except [ class-names ]);
(source-port [ port-names ] | source-port-except [ port-names ]);
source-prefix-list {
    list-name <except>;
}
tcp-established;
tcp-flags flag;
tcp-initial;

Common IPv4 Firewall Match Conditions

This section lists statements that are valid at the following hierarchy levels, and is referenced at those levels in Complete [edit firewall] Hierarchy instead of the statements being repeated.

  • [edit firewall family inet dialer-filter filter-name term term-name from] (with the exceptions noted at this level in Complete [edit firewall] Hierarchy)
  • [edit firewall family inet filter filter-name term term-name from]
  • [edit firewall filter filter-name term term-name from]

The common IPv4 firewall match conditions are as follows:

(ah-spi [ values ] | ah-spi-except [ values ]);
(dscp [ code-point-values ] | dscp-except [ code-point-values ]);
(esp-spi [ values ] | esp-spi-except [ values ]);
first-fragment;
fragment-flags flag;
(fragment-offset [ offsets ] | fragment-offset-except [ offsets ]);
(ip-options [ option-names ] | ip-options-except [ option-names ]);
is-fragment;
(precedence [ precedence-names ] | precedence-except [ precedence-names ]);
(protocol [ protocol-names ] | protocol-except [ protocol-names ]);
(ttl [ ttl-values ] | ttl-except [ ttl-values ]);

Common Layer 2 Firewall Match Conditions

This section lists statements that are valid at the following hierarchy levels, and is referenced at those levels in Complete [edit firewall] Hierarchy instead of the statements being repeated.

  • [edit firewall family bridge filter filter-name term term-name from]
  • [edit firewall family vpls filter filter-name term term-name from]

The common Layer 2 firewall match conditions are as follows:

destination-mac-address {
    mac-address <except>;
}
(destination-port [ port-names ] | destination-port-except [ port-names ]);
(dscp [ code-point-values ] | dscp-except [ code-point-values ]);
(ether-type [ protocol-types ] | ether-type-except [ protocol-types ]);
(forwarding-class [ class-names ] | forwarding-class-except [ class-names ]);
(icmp-code [ codes ] | icmp-code-except [ codes ]);
(icmp-type [ types ] | icmp-type-except [ types ]);
(interface-group [ group-names ] | interface-group-except [ group-names ]);
ip-address {
    ip-prefix</prefix-length> <except>;
}
ip-destination-address {
    ip-prefix</prefix-length> <except>;
}
(ip-precedence [ precedence-names ] | ip-precedence-except [ precedence-names ]);
(ip-protocol [ protocol-names ] | ip-protocol-except [ protocol-names ]);
ip-source-address ip-prefix</prefix-length>;
(learn-vlan-1p-priority [ priorities ] | learn-vlan-1p-priority-except [ priorities ]);
(learn-vlan-id [ vlan-ids ] | learn-vlan-id-except [ vlan-ids ]);
(loss-priority [ priorities ] | loss-priority-except [ priorities ]);
(port [ port-names ] | port-except [ port-names ]);
source-mac-address {
    mac-address <except>;
}
(source-port [ port-names ] | source-port-except [ port-names ]);
tcp-flags flag;
(traffic-type [ broadcast known-unicast multicast unknown-unicast ] | traffic-type-except [ broadcast known-unicast multicast unknown-unicast ]);
(user-vlan-1p-priority [ priorities ] | user-vlan-1p-priority-except [ priorities ]);
(user-vlan-id [ vlan-ids ] | user-vlan-id-except [ vlan-ids ]);
(vlan-ether-type [ protocol-types ] | vlan-ether-type-except [ protocol-types ]);

Complete [edit firewall] Hierarchy

firewall {
    family (any | bridge | ccc | inet | inet6 | mpls | vpls) {
        ... the family subhierarchies appear after the main [edit firewall] hierarchy ...
    }
    filter filter-name {
        accounting-profile [ profile-names ];
        interface-specific;
        physical-interface-policer;
        term term-name {
            filter filter-name;
            from {
                ... statements in Common IP Firewall Match Conditions AND
                    statements in Common IPv4 Firewall Match Conditions ...
            }
            then {
                ... statements in Common Firewall Actions AND
                    statements in Common IP Firewall Actions AND
                    statements in Common IPv4 Firewall Actions ...
            }
        }
    }
    hierarchical-policer policer-name {
        aggregate {
            if-exceeding {
                bandwidth-limit bps;
                burst-size-limit bytes;
            }
            then {
                discard;
                forwarding-class class-name;
                loss-priority (high | low | medium-high | medium-low);
            }
        }
        premium {
            if-exceeding {
                bandwidth-limit bps;
                burst-size-limit bytes;
            }
            then {
                discard;
            }
        }
    }
    interface-set interface-set-name {
        interface-name;
    }
    load-balance-group group-name {
        next-hop-group [ group-names ];
    }
    policer policer-name {
        filter-specific;
        if-exceeding {
            (bandwidth-limit bps | bandwidth-percent percentage);
            burst-size-limit bytes;
        }
        logical-bandwidth-policer;
        logical-interface-policer;
        physical-interface-policer;
        then {
            discard;
            forwarding-class class-name;
            loss-priority (high | low | medium-high | medium-low);
        }
    }
    three-color-policer policer-name {
        action {
            loss-priority high then discard;
        }
        logical-interface-policer;
        single-rate {
            (color-aware | color-blind);
            committed-burst-size bytes;
            committed-information-rate bps;
            excess-burst-size bytes;
        }
        two-rate {
            (color-aware | color-blind);
            committed-burst-size bytes;
            committed-information-rate bps;
            peak-burst-size bytes;
            peak-information-rate bps;
        }
    }
}

firewall {
    family any {
        filter filter-name {
            term term-name {
                from {
                    (forwarding-class [ class-names ] | forwarding-class-except [ class-names ]);
                    interface interface-name;
                    interface-set set-name;
                    (loss-priority [ priorities ] | loss-priority-except [ priorities ]);
                    (packet-length [ values ] | packet-length-except [ values ]);
                }
                then {
                    ... statements in Common Firewall Actions PLUS ...
                    (accept | discard);
                }
            }
        }
    }
}

firewall {
    family bridge {
        filter filter-name {
            accounting-profile [ profile-names ];
            interface-specific;
            term term-name {
                filter filter-name;
                from {
                    ... statements in Common Layer 2 Firewall Match Conditions ...
                }
                then {
                    ... statements in Common Firewall Actions PLUS ...
                    (accept | discard);
                    port-mirror;
                    port-mirror-instance instance-name;
                }
            }
        }
    }
}

firewall {
    family ccc {
        filter filter-name {
            accounting-profile [ profile-names ];
            interface-specific;
            term term-name {
                filter filter-name;
                from {
                    (forwarding-class [ class-names ] | forwarding-class-except [ class-names ]);
                    (interface-group [ group-names ] | interface-group-except [ group-names ]);
                    (learn-vlan-1p-priority [ priorities ] | learn-vlan-1p-priority-except [ priorities ]);
                    (loss-priority [ priorities ] | loss-priority-except [ priorities ]);
                    (user-vlan-1p-priority [ priorities ] | user-vlan-1p-priority-except [ priorities ]);
                }
                then {
                    ... statements in Common Firewall Actions PLUS ...
                    (accept | discard);
                    port-mirror-instance instance-name;
                }
            }
        }
    }
}

firewall {
    family ethernet-switching {
        filter filter-name {
            interface-specific;
            term term-name {
                from {
                    destination-address {
                        ip-prefix</prefix-length>;
                    }
                    destination-mac-address {
                        mac-address;
                    }
                    destination-port [ port-names ];
                    destination-prefix-list {
                        list-name;
                    }
                    dot1q-tag [ tag-values ];
                    dot1q-user-priority [ priority-values ];
                    dscp [ code-point-values ];
                    ether-type [ protocol-names ];
                    fragment-flags flag;
                    icmp-code [ codes ];
                    icmp-type [ types ];
                    interface interface-name;
                    is-fragment;
                    precedence [ precedence-names ];
                    protocol [ protocol-names ];
                    source-address {
                        ip-prefix</prefix-length>;
                    }
                    source-mac-address {
                        mac-address;
                    }
                    source-port [ port-names ];
                    source-prefix-list {
                        list-name;
                    }
                    tcp-established;
                    tcp-flags flag;
                    tcp-initial;
                    vlan [ vlan-names ];
                }
                then {
                    (accept | discard);
                    analyzer analyzer-name;
                    count counter-name;
                    forwarding-class class-name;
                    interface interface-name;
                    log;
                    loss-priority (high | low);
                    policer policer-name;
                    syslog;
                    vlan vlan-name;
                }
            }
        }
    }
}

firewall {
    family inet {
        dialer-filter filter-name {
            accounting-profile [ profile-names ];
            term term-name {
                from {
                    ... statements in Common IP Firewall Match Conditions AND
                        statements in Common IPv4 Firewall Match Conditions EXCEPT FOR ...
                    (ah-spi [ values ] | ah-spi-except [ values ]);    # NOT valid at this level
                    (destination-class [ class-names ] | destination-class-except [ class-names ]);    # NOT valid at this level
                    interface interface-name;    # NOT valid at this level
                    (loss-priority [ priorities ] | loss-priority-except [ priorities ]);    # NOT valid at this level
                    service-filter-hit;    # NOT valid at this level
                    (source-class [ class-names ] | source-class-except [ class-names ]);    # NOT valid at this level
                }
                then {
                    (ignore | note);
                    log;
                    sample;
                    syslog;
                }
            }
        }
        filter filter-name {
            accounting-profile [ profile-names ];
            interface-specific;
            term term-name {
                filter filter-name;
                from {
                    ... statements in Common IP Firewall Match Conditions AND
                        statements in Common IPv4 Firewall Match Conditions ...
                }
                then {
                    ... statements in Common Firewall Actions AND
                        statements in Common IP Firewall Actions AND
                        statements in Common IPv4 Firewall Actions ...
                }
            }
        }
        prefix-action name {
            count;
            destination-prefix-length prefix-length;
            filter-specific;
            policer policer-name;
            source-prefix-length prefix-length;
            subnet-prefix-length prefix-length;
        }
        service-filter filter-name {
            term term-name {
                from {
                    address {
                        ip-prefix</prefix-length>;
                    }
                    (ah-spi [ values ] | ah-spi-except [ values ]);
                    destination-address {
                        ip-prefix</prefix-length>;
                    }
                    (destination-port [ port-names ] | destination-port-except [ port-names ]);
                    destination-prefix-list {
                        list-name;
                    }
                    (esp-spi [ values ] | esp-spi-except [ values ]);
                    first-fragment;
                    fragment-flags flag;
                    (fragment-offset [ offsets ] | fragment-offset-except [ offsets ]);
                    (interface-group [ group-names ] | interface-group-except [ group-names ]);
                    (ip-options [ option-names ] | ip-options-except [ option-names ]);
                    is-fragment;
                    (loss-priority [ priorities ] | loss-priority-except [ priorities ]);
                    (port [ port-names ] | port-except [ port-names ]);
                    prefix-list {
                        list-name;
                    }
                    (protocol [ protocol-names ] | protocol-except [ protocol-names ]);
                    source-address {
                        ip-prefix</prefix-length>;
                    }
                    (source-port [ port-names ] | source-port-except [ port-names ]);
                    source-prefix-list {
                        list-name;
                    }
                    tcp-flags flag-name;
                }
                then {
                    count counter-name;
                    log;
                    port-mirror;
                    sample;
                    (service | skip);
                }
            }
        }
        simple-filter filter-name {
            interface-specific;
            term term-name {
                from {
                    destination-address ip-prefix</prefix-length>;
                    destination-port port-name;
                    forwarding-class [ class-names ];
                    protocol protocol-name;
                    source-address ip-prefix</prefix-length>;
                    source-port port-name;
                }
                then {
                    forwarding-class class-name;
                    loss-priority (high | low | medium-high | medium-low);
                    policer policer-name;
                }
            }
        }
    }
}

firewall {
    family inet6 {
        dialer-filter filter-name {
            accounting-profile [ profile-names ];
            term term-name {
                from {
                    ... statements in Common IP Firewall Match Conditions PLUS ...
                    (next-header [ protocol-types ] | next-header-except [ protocol-types ]);
                    ... BUT NOT ...
                    (destination-class [ class-names ] | destination-class-except [ class-names ]);    # NOT valid at this level
                    (forwarding-class [ class-names ] | forwarding-class-except [ class-names ]);    # NOT valid at this level
                    interface interface-name;    # NOT valid at this level
                    (interface-group [ group-names ] | interface-group-except [ group-names ]);    # NOT valid at this level
                    (loss-priority [ priorities ] | loss-priority-except [ priorities ]);    # NOT valid at this level
                    service-filter-hit;    # NOT valid at this level
                    (source-class [ class-names ] | source-class-except [ class-names ]);    # NOT valid at this level
                    tcp-established;    # NOT valid at this level
                    tcp-flags flag;    # NOT valid at this level
                    tcp-initial;    # NOT valid at this level
                }
                then {
                    (ignore | note);
                    log;
                    sample;
                    syslog;
                }
            }
        }
        filter filter-name {
            accounting-profile [ profile-names ];
            interface-specific;
            term term-name {
                filter filter-name;
                from {
                    ... statements in Common IP Firewall Match Conditions PLUS ...
                    (next-header [ protocol-types ] | next-header-except [ protocol-types ]);
                    (traffic-class [ code-point-values ] | traffic-class-except [ code-point-values ]);
                }
                then {
                    ... statements in Common Firewall Actions AND
                        statements in Common IP Firewall Actions PLUS ...
                    (accept | discard | reject <address-unreachable | administratively-prohibited | beyond-scope | fragmentation-needed | no-route | port-unreachable | tcp-reset>);
                }
            }
        }
        service-filter filter-name {
            term term-name {
                from {
                    address {
                        ip-prefix</prefix-length>;
                    }
                    (ah-spi [ values ] | ah-spi-except [ values ]);
                    destination-address {
                        ip-prefix</prefix-length>;
                    }
                    (destination-port [ port-names ] | destination-port-except [ port-names ]);
                    destination-prefix-list {
                        list-name;
                    }
                    (esp-spi [ values ] | esp-spi-except [ values ]);
                    (interface-group [ group-names ] | interface-group-except [ group-names ]);
                    (next-header [ protocol-types ] | next-header-except [ protocol-types ]);
                    (port [ port-names ] | port-except [ port-names ]);
                    prefix-list {
                        list-name;
                    }
                    source-address {
                        ip-prefix</prefix-length>;
                    }
                    (source-port [ port-names ] | source-port-except [ port-names ]);
                    source-prefix-list {
                        list-name;
                    }
                    tcp-flags flag-name;
                }
                then {
                    count counter-name;
                    log;
                    port-mirror;
                    sample;
                    (service | skip);
                }
            }
        }
    }
}

firewall {
    family mpls {
        dialer-filter filter-name {
            accounting-profile [ profile-names ];
            term term-name {
                from {
                    (exp [ exp-bits ] | exp-except [ exp-bits ]);
                }
                then {
                    (ignore | note);
                    log;
                    sample;
                    syslog;
                }
            }
        }
        filter filter-name {
            accounting-profile [ profile-names ];
            interface-specific;
            term term-name {
                filter filter-name;
                from {
                    (exp [ exp-bits ] | exp-except [ exp-bits ]);
                    (forwarding-class [ class-names ] | forwarding-class-except [ class-names ]);
                    interface interface-name;
                    interface-set set-name;
                    (loss-priority [ priorities ] | loss-priority-except [ priorities ]);
                }
                then {
                    ... statements in Common Firewall Actions PLUS ...
                    (accept | discard);
                    sample;
                }
            }
        }
    }
}

firewall {
    family vpls {
        filter filter-name {
            accounting-profile [ profile-names ];
            interface-specific;
            term term-name {
                filter filter-name;
                from {
                    ... statements in Common Layer 2 Firewall Match Conditions ...
                }
                then {
                    ... statements in Common Firewall Actions PLUS ...
                    (accept | discard);
                    port-mirror;
                    port-mirror-instance instance-name;
                }
            }
        }
    }
}
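The following configuration is an added worked example, not part of the original page, showing how the pieces of the hierarchy above fit together in one [edit firewall] stanza: a policer defined at the top level, a family inet filter whose terms use match conditions from Common IP Firewall Match Conditions and Common IPv4 Firewall Match Conditions (source-address, protocol, destination-port), and actions from Common Firewall Actions, Common IP Firewall Actions and Common IPv4 Firewall Actions (policer, count, log, syslog, accept, discard). The filter name, policer name, counter names, rate values and the 192.0.2.0/24 management prefix are constructed for illustration; the filter is assumed to be applied to an interface elsewhere in the configuration, which this hierarchy does not cover.

```junos
firewall {
    /* Constructed rate limit for ICMP; values are illustrative, not a recommendation. */
    policer icmp-limit {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then {
            discard;
        }
    }
    family inet {
        /* Terms are evaluated in order; the first matching term's action ends evaluation. */
        filter protect-mgmt {
            /* SSH is accepted only from the constructed management prefix and counted. */
            term allow-ssh-from-mgmt {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    count ssh-accepted;
                    accept;
                }
            }
            /* ICMP is accepted but passed through the policer defined above. */
            term limit-icmp {
                from {
                    protocol icmp;
                }
                then {
                    policer icmp-limit;
                    accept;
                }
            }
            /* A term with no "from" clause matches everything left over:
               count it, record it, and discard it. */
            term deny-rest {
                then {
                    count denied;
                    log;
                    syslog;
                    discard;
                }
            }
        }
    }
}
```

The final term has no from clause, so it matches every packet not already matched; placing the count, log and syslog actions before discard gives a record of what the filter is dropping without changing the verdict. The policer is referenced from the term's then clause by name, which is how the top-level policer policer-name definition and the policer policer-name action in Common Firewall Actions relate to each other.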

Published: 2010-05-11