Firewall Filter Match Conditions for IPv4 Traffic
You can configure a firewall filter with match conditions for Internet Protocol version 4 (IPv4) traffic (`family inet`).
For MX Series routers with MPCs, you must initialize the filter counters for Trio-only match filters in the MIB by walking the corresponding SNMP MIB, for example `show snmp mib walk name ascii`, where `name` is the MIB object to walk. This forces Junos OS to learn the filter counters and ensures that the filter statistics are displayed; otherwise the first poll of the filter statistics may not show all counters. This guidance applies to all enhanced mode firewall filters, filters with flexible conditions, and filters with certain terminating actions. See those topics, listed under Related Documentation, for details.
Table 1 describes the match conditions you can configure at the `[edit firewall family inet filter filter-name term term-name from]` hierarchy level.
| Match Condition | Description |
|---|---|
| | Match the IPv4 source or destination address field unless the |
| | Match the IPv4 destination address field unless the You cannot specify both the |
| | Match the UDP or TCP destination port field. You cannot specify both the If you configure this match condition, we recommend that you also configure the In place of the numeric value, you can specify one of the following text synonyms (the port numbers are also listed): |
| | Do not match the UDP or TCP destination port field. For details, see the |
| | Match destination prefixes in the specified list unless the Specify the name of a prefix list defined at the |
| | Match the Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most significant 6 bits of this byte form the DSCP. Support was added for filtering on DSCP and forwarding class for Routing Engine sourced packets, including IS-IS packets encapsulated in generic routing encapsulation (GRE). As a result, when upgrading from a previous version of Junos OS where you have both a class of service (CoS) configuration and a firewall filter, and both include DSCP or forwarding class actions, the criteria in the firewall filter automatically take precedence over the CoS settings. The same is true for new configurations: where the same settings exist, the firewall filter takes precedence over CoS, regardless of which was created first. You can specify a numeric value from In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): |
| | Do not match on the DSCP number. For more information, see the |
| | Match the IPsec encapsulating security payload (ESP) SPI value. Match on this specific SPI value. You can specify the ESP SPI value in hexadecimal, binary, or decimal form. Note: This match condition is not supported on PTX Series routers. |
| | Match the IPsec ESP SPI value. Do not match on this specific SPI value. Note: This match condition is not supported on PTX Series routers. |
| | Match if the packet is the first fragment of a fragmented packet. Do not match if the packet is a trailing fragment of a fragmented packet. The first fragment of a fragmented packet has a fragment offset value of This match condition is an alias for the bit-field match condition To match both first and trailing fragments, you can use two terms that specify different match conditions: |
| | Parameters: length of the data to be matched in bits, not needed for string input (0..128); bit offset after the (match-start + byte) offset (0..7); byte offset after the match start point; select a flexible match from a predefined template field; mask out bits in the packet data to be matched; start point to match in the packet; value data/string to be matched. |
| | Parameters: length of the data to be matched in bits (0..32); bit offset after the (match-start + byte) offset (0..7); byte offset after the match start point; select a flexible match from a predefined template field; start point to match in the packet; range of values to be matched; do not match this range of values. |
| | Match the forwarding class of the packet. Specify |
| | Do not match the forwarding class of the packet. For details, see the |
| | (Ingress only) Match the three-bit IP fragmentation flags field in the IP header. In place of the numeric field value, you can specify one of the following keywords (the field values are also listed): |
| | Match the 13-bit fragment offset field in the IP header. The value is the offset, in 8-byte units, in the overall datagram message to the data fragment. Specify a numeric value, a range of values, or a set of values. An offset value of The To match both first and trailing fragments, you can use two terms that specify different match conditions ( |
| | Do not match the 13-bit fragment offset field. |
| | Match the ICMP message code field. Note: When using this match condition, you should also use the `term Allow_ICMP { from { protocol icmp; icmp-code ip-header-bad; icmp-type echo-reply; } then { policer ICMP_Policier; count Allow_ICMP; } }` You must also configure the In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed). The keywords are grouped by the ICMP type with which they are associated: |
| | Do not match the ICMP message code field. For details, see the |
| | Match the ICMP message type field. Note: When using this match condition, you should also use the `term Allow_ICMP { from { protocol icmp; icmp-code ip-header-bad; icmp-type echo-reply; } then { policer ICMP_Policier; count Allow_ICMP; } }` You must also configure the Note: For Junos OS Evolved, you must configure the In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): |
| | Do not match the ICMP message type field. For details, see the |
| | Match the 8-bit IP option field, if present, to the specified value or list of values. In place of a numeric value, you can specify one of the following text synonyms (the option values are also listed): To match any value for the IP option, use the text synonym For example, the match condition For most interfaces, a filter term that specifies an The 10-Gigabit Ethernet Modular Port Concentrator (MPC), 100-Gigabit Ethernet MPC, 60-Gigabit Ethernet MPC, 60-Gigabit Queuing Ethernet MPC, and 60-Gigabit Ethernet Enhanced Queuing MPC on MX Series routers are capable of parsing the IP option field of the IPv4 packet header. For interfaces configured on those MPCs, all packets that are matched using the Note: |
| | Do not match the IP option field to the specified value or list of values. For details about specifying the |
| | Using this condition causes a match if the More Fragments flag is enabled in the IP header or if the fragment offset is not zero. Note: To match both first and trailing fragments, you can use two terms that specify different match conditions ( |
| | Match the packet loss priority (PLP) level. Specify a single level or multiple levels: For IP traffic on M320, MX Series, and T Series routers with Enhanced II Flexible PIC Concentrators (FPCs), you must include the |
| | Do not match the PLP level. For details, see the |
| | Match the length of the received packet, in bytes. The length refers only to the IP packet, including the IP header, and does not include any Layer 2 encapsulation overhead. You can also specify a range of values to be matched. |
| | Do not match the length of the received packet, in bytes. For details, see the |
| | Match the UDP or TCP source or destination port field. If you configure this match condition, you cannot configure the If you configure this match condition, we recommend that you also configure the In place of the numeric value, you can specify one of the text synonyms listed under |
| | Do not match either the source or destination UDP or TCP port field. For details, see the |
| | Match the IP precedence field. In place of the numeric field value, you can specify one of the following text synonyms (the field values are also listed): |
| | Do not match the IP precedence field. In place of the numeric field value, you can specify one of the following text synonyms (the field values are also listed): |
| | Match the prefixes of the source or destination address fields to the prefixes in the specified list unless the The prefix list is defined at the |
| | Match the IP protocol type field. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): |
| | Do not match the IP protocol type field. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): |
| | Match a packet received from a filter where a |
| | Match the IPv4 address of the source node sending the packet unless the You cannot specify both the |
| | Match the UDP or TCP source port field. You cannot specify the If you configure this match condition for IPv4 traffic, we recommend that you also configure the In place of the numeric value, you can specify one of the text synonyms listed with the |
| | Do not match the UDP or TCP source port field. For details, see the |
| | Match source prefixes in the specified list unless the Specify the name of a prefix list defined at the |
| | Match TCP packets of an established TCP session (packets other than the first packet of a connection). This is an alias for This match condition does not implicitly check that the protocol is TCP. To check this, specify the |
| | Match one or more of the low-order 6 bits in the 8-bit TCP flags field in the TCP header. To specify individual bit fields, you can specify the following text synonyms or hexadecimal values: In a TCP session, the SYN flag is set only in the initial packet sent, while the ACK flag is set in all packets sent after the initial packet. You can string together multiple flags using the bit-field logical operators. For combined bit-field match conditions, see the If you configure this match condition, we recommend that you also configure the For IPv4 traffic only, this match condition does not implicitly check whether the datagram contains the first fragment of a fragmented packet. To check for this condition for IPv4 traffic only, use the |
| | Match the initial packet of a TCP connection. This is an alias for This condition does not implicitly check that the protocol is TCP. If you configure this match condition, we recommend that you also configure the |
| | Match the IPv4 time-to-live number. Specify a TTL value or a range of TTL values. For |
| | Do not match on the IPv4 TTL number. For details, see the |
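The two-term approach that the first-fragment, fragment-offset and is-fragment rows recommend for matching both first and trailing fragments, written out as an added example; this is not configuration from the Juniper page. The filter name, counter name and the choice of the SSH port are assumptions. The security point is that a trailing fragment carries no Layer 4 header, so a term that matches on ports or TCP flags can never evaluate it; the example gives such packets their own term instead of letting them fall through to whatever matches next.

```junos
firewall {
    family inet {
        filter FRAGMENT-AWARE-V4 {          /* hypothetical filter name */
            /* Term 1: only the first fragment (fragment offset 0) carries the TCP
               header, so a port match is meaningful only here. first-fragment is an
               alias for fragment-offset 0, which also matches unfragmented packets. */
            term FIRST-FRAGMENT-SSH {
                from {
                    first-fragment;
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            /* Term 2: is-fragment matches any packet with the More Fragments flag set
               or a nonzero fragment offset. First fragments that term 1 did not accept
               and all trailing fragments are counted and dropped here rather than being
               evaluated against port matches they cannot satisfy. */
            term TRAILING-FRAGMENTS {
                from {
                    is-fragment;
                }
                then {
                    count trailing-fragments;   /* hypothetical counter name */
                    discard;
                }
            }
            term DEFAULT {
                then discard;
            }
        }
    }
}
```

Read the counter with `show firewall filter FRAGMENT-AWARE-V4`; on MX Series MPCs, walk the filter MIB first as described at the top of this page so that the first poll shows every counter. Discarding all trailing fragments is a deliberate trade-off: where fragmented traffic is legitimately expected, replace the discard in term 2 with a policer so fragments are rate-limited rather than dropped.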
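The tcp-established, tcp-initial and port rows all note that these conditions do not check the protocol by themselves and recommend adding a protocol match; the tcp-flags row adds that, for IPv4, the flags are only present in the first fragment. The following added example (not configuration from the Juniper page) puts those recommendations together in a stateless filter that admits return traffic of existing TCP sessions and new connections only toward one port. The filter and counter names and the choice of the HTTPS port are assumptions.

```junos
firewall {
    family inet {
        filter TCP-RETURN-TRAFFIC-V4 {      /* hypothetical filter name */
            /* tcp-established is an alias for tcp-flags "(ack | rst)". It does not check
               the IP protocol, so protocol tcp is stated explicitly; for IPv4 the flags
               can only be read from the first fragment, hence first-fragment as well. */
            term ESTABLISHED {
                from {
                    protocol tcp;
                    first-fragment;
                    tcp-established;
                }
                then accept;
            }
            /* tcp-initial is an alias for tcp-flags "(!ack & syn)" and likewise needs
               protocol tcp. New connections are allowed only toward the HTTPS port. */
            term NEW-TO-HTTPS {
                from {
                    protocol tcp;
                    first-fragment;
                    tcp-initial;
                    destination-port https;
                }
                then {
                    count new-https;        /* hypothetical counter name */
                    accept;
                }
            }
            /* Everything else that claims to be TCP, including trailing TCP fragments,
               is counted before it is dropped so the rejects are visible. */
            term OTHER-TCP {
                from {
                    protocol tcp;
                }
                then {
                    count other-tcp;        /* hypothetical counter name */
                    discard;
                }
            }
        }
    }
}
```

Apply it as an input filter on the interface facing the untrusted side, for example `set interfaces ge-0/0/0 unit 0 family inet filter input TCP-RETURN-TRAFFIC-V4` (interface name assumed). Because the filter is stateless, any packet with ACK or RST set passes term 1; it stops unsolicited SYNs, not crafted ACK scans, which is the limit of what flag matching can do without a stateful device.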
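The ttl, port and source-prefix-list rows combine naturally into a control-plane filter, shown here as an added example that is not configuration from the Juniper page: BGP is accepted only from listed peers and only when the received IPv4 TTL is still 255, which is the receiver-side check of the Generalized TTL Security Mechanism (RFC 5082) for directly connected peers. The peer addresses are constructed documentation addresses, the filter, list and counter names are assumptions, and the example assumes the platform supports the ttl match condition (the page notes platform restrictions for it).

```junos
policy-options {
    prefix-list EBGP-PEERS {                /* hypothetical list; constructed peer addresses */
        192.0.2.1/32;
        198.51.100.7/32;
    }
}
firewall {
    family inet {
        filter PROTECT-BGP-V4 {             /* hypothetical filter name */
            /* port bgp matches either the source or the destination port, so both
               locally initiated and peer-initiated sessions are covered. ttl 255 means
               no intermediate router decremented the packet, i.e. it came from a
               directly connected neighbor that sends with TTL 255. */
            term BGP-FROM-PEERS-GTSM {
                from {
                    source-prefix-list {
                        EBGP-PEERS;
                    }
                    protocol tcp;
                    port bgp;
                    ttl 255;
                }
                then accept;
            }
            /* Any other BGP packet, from an unlisted source or with a lower TTL, is
               counted so spoofed session attempts are visible, then dropped. */
            term BGP-OTHER {
                from {
                    protocol tcp;
                    port bgp;
                }
                then {
                    count bgp-rejected;     /* hypothetical counter name */
                    discard;
                }
            }
            term ALLOW-REST {
                then accept;
            }
        }
    }
}
```

Apply it as the input filter on the loopback interface (`set interfaces lo0 unit 0 family inet filter input PROTECT-BGP-V4`) so it governs traffic to the Routing Engine. The ttl match enforces only the receiving side; each peer still has to be configured to send BGP with TTL 255, and the final term is deliberately permissive so that the example does not silently block other control-plane protocols.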