Firewall Filter Support on Loopback Interface
A loopback interface is a gateway for all the control traffic that enters the Routing Engine of the router. If you want to monitor this control traffic, you must configure a firewall filter on the loopback interface (lo0).
Loopback firewall filters are only applied to packets sent to the Routing Engine for
further processing. Both inet and inet6 family filters are supported, and you can apply a
firewall filter in the ingress and egress directions on the lo0 interface. However, only interface-specific instances of the firewall filter are supported.
For standard firewall filter match conditions, see Match Conditions for IPv4 Traffic (ACX Series Routers).
The firewall filter on lo0 handles the following exception packets in ingress direction:
TTL exception packets
Multicast packets having 224.0.0.x as the destination IP address
Broadcast packets
IP option packets
Although policer actions can be attached to loopback filters in the ingress direction, the exact behavior depends on the CPU RX queue configurations. For example, rate limiting in ingress direction (through policer configuration) occurs after any CPU rate limiters.
The following is a sample configuration for attaching a firewall to the loopback interface:
[edit interfaces]
lo0 {
unit 0 {
family <inet | inet6> {
filter {
input f1;
}
}
}
}
family <inet | inet6>{
filter f1 {
interface-specific; >> Mandatory Field.
term t1 {
from {
protocol ospf;
}
then {
count c1;
discard;
}
}
term t2 {
then {
count c2;
accept;
}
}
}
}