Stateless Firewall Filter Application Points
After you define the firewall filter, you must apply it to an application point. These application points include logical interfaces, physical interfaces, routing interfaces, and routing instances.
In most cases, you can apply a firewall filter as an input filter or an output filter, or both at the same time. Input filters take action on packets being received on the specified interface, whereas output filters take action on packets that are transmitted through the specified interface.
You typically apply one filter with multiple terms to a single logical interface, for incoming traffic, outbound traffic, or both. However, there are times when you might want to chain together multiple firewall filters (each with one or more terms) and apply them to an interface. You use an input list to apply multiple firewall filters to the incoming traffic on an interface, and an output list to apply multiple firewall filters to the outbound traffic on an interface. You can include up to 16 filters in an input list or an output list.
There is no limit to the number of filters and counters you can set, but there are some practical considerations. More counters require more terms, and a large number of terms can take a long time to process during a commit operation. However, filters with more than 4000 terms and counters have been implemented successfully.
Table 1 describes each point to which you can apply a firewall filter. For each application point, the table describes the types of firewall filters supported at that point, the router (or switch) hierarchy level at which the filter can be applied, and any platform-specific limitations.
| Filter Type | Application Point | Restrictions |
|---|---|---|
| Stateless firewall filter. Configure by including the `filter filter-name;` statement. Note: If you do not include the … | Logical interface. Apply at the `filter { input filter-name; output filter-name; }` statement. Note: A filter configured with the implicit … Note: On T4000 Type 5 FPCs, a filter attached at the Layer 2 application point (that is, at the logical interface level) is unable to match with the forwarding class of a packet that is set by a Layer 3 classifier such as DSCP, DSCP V6, … | Supported on the following routers: … Also supported on the following Modular Port Concentrators (MPCs) on MX Series routers: … |
| Stateless firewall filter. Configure at the `filter filter-name;` statement. The … | Protocol family on a logical interface. Apply at the `filter { input filter-name; input-list [ filter-names ]; output filter-name; output-list [ filter-names ]; }` statement. | The protocol family … |
| Stateless firewall filter | Routing Engine loopback interface | |
| Service filter. Configure at the `service-filter service-filter-name;` statement. | Family. Apply at the `service { input { service-set service-set-name service-filter filter-name; } output { service-set service-set-name service-filter filter-name; } }` statement. Configure a service set at the … | Supported only on Adaptive Services (AS) and Multiservices (MS) PICs. |
| Postservice filter. Configure at the `service-filter service-filter-name;` statement. | Family. Apply at the `service { input { post-service-filter filter-name; } }` statement. | A postservice filter is applied to traffic returning to the services interface after service processing. The filter is applied only if a service set is configured and selected. |
| Simple filter. Configure at the `simple-filter filter-name;` statement. | Family. Apply at the `simple-filter simple-filter-name;` statement. | Simple filters can only be applied as input filters. Supported on the following platforms only: … |
| Reverse path forwarding (RPF) check filter. Configure at the `filter filter-name;` statement. | Family. Apply at the `rpf-check fail-filter filter-name` statement to apply the stateless firewall filter as an RPF check filter: `rpf-check { fail-filter filter-name; mode loose; }` | Supported on MX Series routers and EX Series switches only. |
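The Routing Engine loopback application point and a two-filter input list, as an added Junos configuration example that is not part of the original documentation: the first filter in the list has no terminating accept, so unmatched packets fall through to the second, and the implicit discard applies only after the last filter. The prefixes, filter names and counter name are assumed placeholders; an output filter or output-list is applied at the same `filter` statement.

```junos
firewall {
    family inet {
        /* Protects the Routing Engine: management SSH only, count and drop the rest */
        filter protect-re {
            term allow-mgmt-ssh {
                from {
                    /* assumed management prefix */
                    source-address {
                        192.0.2.0/24;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term discard-rest {
                then {
                    /* one counter per term; see "show firewall filter protect-re" */
                    count protect-re-discards;
                    discard;
                }
            }
        }
        /* Drops packets claiming an internal source; no accept term, so
           anything else continues to the next filter in the input list */
        filter anti-spoof {
            term drop-internal-source {
                from {
                    /* assumed internal prefix */
                    source-address {
                        10.0.0.0/8;
                    }
                }
                then discard;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    /* Routing Engine loopback point: filters evaluated in list order, up to 16 */
                    input-list [ anti-spoof protect-re ];
                }
            }
        }
    }
}
```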