Configuring Standard Firewall Filters

When you configure a standard firewall filter, you must configure the following components:

  • Protocol family for which you want to filter traffic.
  • Filter name.
  • At least one term, with a unique name for each term. A term is used to define match conditions that specify the fields or values that a packet must contain and actions to perform on traffic that matches the specified conditions.
  • One or more match conditions for each term.
  • Action for each term (recommended, because otherwise, packets are automatically accepted if they meet the configured match conditions).

To configure a firewall filter:

  1. Include the family family-name statement at the [edit firewall] hierarchy level to specify the protocol family for which you want to filter traffic.

    For family-name, specify one of the following:

    • inet—IPv4
    • inet6—IPv6
    • ccc—Layer 2 circuit cross-connects
    • mpls—MPLS
    • any—Protocol-independent (Use this protocol family to apply a firewall filter to a physical interface.)
    • vpls—VPLS
    • bridge—(MX Series Ethernet Services Routers only) Layer 2 bridging
  2. Include the filter filter-name statement at the [edit firewall family family-name] hierarchy level to specify a name for the firewall filter.

    The filter name can contain letters, numbers, and hyphens (-) and be up to 64 characters long. To include spaces in the name, enclose the entire name in quotation marks (“ ”).

  3. Include the term term-name statement at the [edit firewall family family-name filter filter-name] hierarchy level to configure a term.

    Each firewall filter consists of one or more terms. For each term you specify one or more match conditions and one or more actions. The term name can contain letters, numbers, and hyphens (-) and can be up to 74 characters long. To include spaces in the name, enclose the entire name in quotation marks (“ ”).

    You can specify multiple terms in a filter, effectively chaining together a series of match-action operations to apply to the packets on an interface.

  4. Include the from match-conditions statement at the [edit firewall family family-name filter filter-name term term-name] hierarchy level to specify the fields or values that the packet must contain (match conditions).

    For a match to occur, the packet must match all the conditions in the term. An individual match condition in a from statement can contain a list of values. For example, you can specify a numeric range or multiple source and destination addresses. When a condition defines a list of values, a match occurs if any of the values matches the packet.

    Note: The from statement is optional. If you omit it, the actions specified in the term’s then statement are optional.

  5. Include the then actions statement at the [edit firewall family family-name filter filter-name term term-name] hierarchy level to specify an action to perform on traffic that matches the conditions specified in the term.

    Best Practice: We strongly recommend that you always explicitly configure an action in the then statement. If you do not, or if you omit the then statement entirely, packets that match the conditions in the from statement are automatically accepted.

    You can specify the following filter actions:

    • accept
    • count counter-name
    • discard
    • dscp code-point (family inet only)
    • forwarding-class class-name
    • ipsec-sa ipsec-sa (family inet only)
    • load-balance group-name (family inet only)
    • log (family inet and inet6 only)
    • logical-system logical-system-name (family inet and inet6 only)
    • loss-priority (high | medium-high | medium-low | low)
    • next term
    • next-hop-group group-name (family inet only)
    • policer policer-name
    • port-mirror (family bridge, ccc, inet, inet6, and vpls only)
    • prefix-action action-name (family inet only)
    • reject <message-type> (family inet and inet6 only)
    • routing-instance routing-instance-name (family inet and inet6 only)
    • sample (family inet, inet6, and mpls only)
    • service-filter-hit (service filters and family inet only)
    • syslog (family inet and inet6 only)
    • three-color-policer policer-name
    • topology topology-name (family inet and inet6 only)
    • traffic-class code-point (family inet6 only)

    Note: You can specify only one of the following actions in a single term: accept, discard, logical-system logical-system-name, next term, reject, routing-instance routing-instance-name, or topology topology-name. You can, however, specify one of these actions with one or more nonterminating actions in a single term. For example, within a term, you can specify accept with count and syslog.
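The following filter puts the steps above together: a protocol family, a filter name, terms with from lists and explicit then actions, and one terminating action per term combined with nonterminating count and syslog actions. It is an added example, not configuration from the original page; the filter and term names, prefixes, and ports are constructed placeholders.

```junos
firewall {
    family inet {
        /* filter name: letters, numbers and hyphens, no quotes needed */
        filter mgmt-access {
            /* All conditions in a from statement must match; within one
               condition (the address list, the port list) any value matches. */
            term allow-mgmt-ssh {
                from {
                    source-address {
                        192.0.2.0/24;          /* constructed management prefix */
                        198.51.100.10/32;      /* constructed jump host */
                    }
                    protocol tcp;
                    destination-port [ 22 830 ];
                }
                then {
                    /* one terminating action (accept) plus nonterminating ones */
                    count mgmt-ssh-accepted;
                    syslog;
                    accept;
                }
            }
            /* Explicit discard: leaving out then, or the action, would
               silently accept every packet that matches this term. */
            term deny-other-ssh {
                from {
                    protocol tcp;
                    destination-port [ 22 830 ];
                }
                then {
                    count ssh-discarded;
                    syslog;
                    discard;
                }
            }
            /* Final term without from: matches all remaining packets,
               and still states its action explicitly. */
            term everything-else {
                then {
                    count other-accepted;
                    accept;
                }
            }
        }
    }
}
```

Terms are evaluated in order, so the narrow allow term precedes the broad discard term; the counters give a quick way to confirm which term traffic is actually hitting after the filter is applied.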


Published: 2010-04-15