Technical Documentation

Configuring Firewall Filters

This section shows the complete set of statements that can be configured at the [edit firewall] hierarchy level to create a firewall filter.

[edit firewall]
family family-name {
    filter filter-name {
        accounting-profile name;
        interface-specific;
        physical-interface-filter;
        term term-name {
            filter filter-name;
            from {
                match-conditions;
            }
            then {
                action;
                action-modifiers;
            }
        }
    }
    service-filter filter-name {
        term term-name {
            from {
                match-conditions;
            }
            then {
                action;
                action-modifiers;
            }
        }
    }
    simple-filter filter-name {
        term term-name {
            from {
                match-conditions;
            }
            then {
                action;
                action-modifiers;
            }
        }
    }
}

To configure an IPv4 firewall filter, you can configure the filter at the [edit firewall] hierarchy level without including the family inet statement. The [edit firewall] and [edit firewall family inet] hierarchies are equivalent. The family family-name statement is required only to specify a protocol family other than IPv4.

Note: For stateless firewall filtering, you must allow the output tunnel traffic through the firewall filter applied to input traffic on the interface that is the next-hop interface towards the tunnel destination. The firewall filter affects only the packets exiting the router by way of the tunnel.
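The following configuration is an added example, not part of the original documentation. It shows an IPv4 filter written under family inet and applied as an input filter on the next-hop interface toward a tunnel destination, with a term that accepts the outgoing tunnel traffic as the note above requires. The filter, term, and counter names, the interface ge-0/0/0, the documentation-range addresses, and the use of GRE as the tunnel protocol are all assumptions.

```junos
firewall {
    family inet {
        /* Hypothetical filter name. For IPv4 the same filter could be
           entered directly under [edit firewall] without family inet. */
        filter protect-uplink {
            /* Accept the output tunnel traffic. Without this term the
               packets fall through to the discard term below. */
            term allow-tunnel-out {
                from {
                    destination-address {
                        /* Constructed tunnel destination address. */
                        198.51.100.1/32;
                    }
                    /* Assumes the tunnel is GRE. */
                    protocol gre;
                }
                then {
                    count tunnel-out;
                    accept;
                }
            }
            /* Explicit final term so that drops are counted and logged. */
            term default-deny {
                then {
                    count uplink-dropped;
                    log;
                    discard;
                }
            }
        }
    }
}
interfaces {
    /* Assumed next-hop interface toward the tunnel destination. */
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input protect-uplink;
                }
                address 192.0.2.1/30;
            }
        }
    }
}
```

A production filter would also need accept terms for the other traffic expected on this interface, placed before default-deny.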

Published: 2010-04-15