Understanding Firewall Filter Match Conditions

Before you define terms for firewall filters, you must understand how the conditions in a term are handled and how to specify interface, numeric, address, and bit-field filter match conditions to achieve the desired filter results.

Filter Match Conditions

In the from statement of a firewall filter term, you specify the conditions that a packet must match for the action in the then statement to be taken. Every condition in the term must match (the conditions are ANDed), so the order in which you specify them does not matter.

If you specify multiple values for the same condition, a match on any one of those values satisfies that condition (the values are ORed). For example, if you specify multiple IP source addresses with the source-address statement, a packet whose source address is any one of them matches the condition. Depending on the condition, you specify multiple values either by listing them within square brackets in a single statement or by entering a separate statement for each value.

If you specify no match conditions in a term, that term matches all packets.

Note:

Unlike traditional Junos OS firewall filters, you cannot use except in a condition statement to negate the condition.

Numeric Filter Match Conditions

You can specify numeric filter match conditions for fields that are identified by a numeric value, such as port and protocol numbers. For a numeric filter match condition, you specify the condition and the value that the corresponding field in the packet must contain; each match statement carries a single value.

You can specify the numeric value in one of the following ways:

  • Single number—A match occurs if the value of the field equals the number. For example, to match Telnet traffic, specify the port number 23.

  • Text synonym for a single number—A match occurs if the value of the field equals the number that corresponds to the synonym. For example, to match Telnet traffic, specify the synonym telnet instead of 23.

  • To specify multiple values for the same match condition in a filter term, enter each value in its own match statement. For example, a term with one statement for source port 22 and another for source port 23 matches a packet whose source port is either 22 or 23.

Interface Filter Match Conditions

You can specify an interface filter match condition to match the interface on which a packet is received or transmitted. Give the interface name together with its logical unit, which follows the period in the name (for example, unit 0). You can include the wildcard (*) as part of the interface name so that one condition covers several interfaces.

Note that the logical unit is required: you must specify either a unit number or a wildcard for it.

IP Address Filter Match Conditions

You can specify an address filter match condition to match the IP source or destination address of a packet against an address or prefix. Specify the address type (source or destination) and the address or prefix itself.

If you omit the prefix length, it defaults to /32, so the condition matches exactly one host address rather than a subnet.

To specify more than one IP address or prefix in a filter term, enter each address or prefix in its own match statement. A packet then matches the condition if its address falls within any one of the specified prefixes.
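
The following Python model is added here as an illustration; it is not code from the Junos OS documentation or product. It applies the rules of this section and the two preceding ones to constructed packets: conditions within a term are ANDed, multiple values for one condition are ORed, numeric conditions take a number or a text synonym, an address without a prefix length is treated as /32, and an interface name must carry a logical unit. The Packet fields, the synonym tables, and the glob interpretation of the wildcard are assumptions of the model.

```python
"""Added example, not Junos code: a model of how a firewall filter term
evaluates its match conditions against a packet."""
from __future__ import annotations

import fnmatch
import ipaddress
from dataclasses import dataclass

# Assumed synonym tables for this model; Junos accepts more names than these.
PORT_SYNONYMS = {"ssh": 22, "telnet": 23, "http": 80, "https": 443}
PROTOCOL_SYNONYMS = {"icmp": 1, "tcp": 6, "udp": 17}


@dataclass(frozen=True)
class Packet:
    """The packet fields that the modelled conditions look at (assumed layout)."""
    interface: str          # receiving interface, e.g. "ge-0/0/3.0"
    source: str
    destination: str
    protocol: int
    source_port: int
    destination_port: int


def numeric_value(text: str, synonyms: dict[str, int]) -> int:
    """A numeric condition is written as a number or as a text synonym."""
    return int(text) if text.isdigit() else synonyms[text]


def address_matches(value: str, address: str) -> bool:
    """An address with no prefix length is a /32 host route, as documented;
    ipaddress.ip_network('192.0.2.10') yields 192.0.2.10/32."""
    return ipaddress.ip_address(address) in ipaddress.ip_network(value, strict=False)


def interface_matches(pattern: str, name: str) -> bool:
    """The logical unit after '.' is mandatory; '*' is a wildcard.
    Glob (fnmatch) semantics for '*' are an assumption of this model."""
    if "." not in pattern:
        raise ValueError(f"interface {pattern!r} needs a logical unit or a wildcard for it")
    return fnmatch.fnmatchcase(name, pattern)


# Condition name -> predicate(configured value, packet).
CONDITIONS = {
    "interface": lambda v, p: interface_matches(v, p.interface),
    "source-address": lambda v, p: address_matches(v, p.source),
    "destination-address": lambda v, p: address_matches(v, p.destination),
    "protocol": lambda v, p: numeric_value(v, PROTOCOL_SYNONYMS) == p.protocol,
    "source-port": lambda v, p: numeric_value(v, PORT_SYNONYMS) == p.source_port,
    "destination-port": lambda v, p: numeric_value(v, PORT_SYNONYMS) == p.destination_port,
}


def term_matches(term: dict[str, list[str]], packet: Packet) -> bool:
    """A term maps each condition name to the list of values given for it.

    Whether the values came from one bracketed statement or from repeated
    statements makes no difference: any value satisfies its condition (OR),
    and every condition must be satisfied (AND). An empty term matches all.
    """
    return all(
        any(CONDITIONS[name](value, packet) for value in values)
        for name, values in term.items()
    )


if __name__ == "__main__":
    # Constructed sample packet and term for a quick demonstration.
    pkt = Packet("ge-0/0/3.0", "192.0.2.10", "203.0.113.5", 6, 23, 40000)
    term = {"protocol": ["tcp"], "source-address": ["192.0.2.0/24"], "source-port": ["22", "23"]}
    print("matches:", term_matches(term, pkt))                      # True
    print("/32 default:", address_matches("192.0.2.10", "192.0.2.11"))  # False
    print("wildcard:", interface_matches("ge-0/0/*.0", "ge-0/0/3.1"))   # False: unit differs
```

The two checks worth noticing are the ones that fail: a packet from 192.0.2.10 with source port 25 fails the term even though its source address matches (AND across conditions), and 192.0.2.11 does not match a bare 192.0.2.10 because the missing prefix length means /32, not the surrounding subnet.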

Bit-Field Filter Match Conditions

You can specify bit-field filter match conditions to match particular bits within certain fields in Ethernet frames and IP, TCP, UDP, and ICMP headers. You usually specify the field and the bit within the field that must be set in a packet to be considered a match.

In most cases you can use a keyword to specify the bit you want to match on. For example, to match a TCP SYN packet you can enter the keyword syn in the tcp-flags condition.

You can also enter the hexadecimal value 0x02, because the SYN bit is the second least-significant bit of the 8-bit tcp-flags field (FIN is 0x01, SYN is 0x02).

To match multiple bit-field values, combine them with the logical operators described in Table 1. The operators are listed in order from highest precedence to lowest; operators of equal precedence are evaluated from left to right.

Table 1: Logical Operators for Bit-Field Match Conditions

  Logical Operator    Description
  !                   Negation (highest precedence)
  &                   Logical AND
  |                   Logical OR (lowest precedence)

If you use a logical operator, enclose the whole expression in quotation marks and do not include any spaces. For example, combining syn and ack with the AND operator matches the second packet of a TCP handshake, the SYN-ACK.

To negate a match, precede the value with an exclamation point. For example, combining syn with a negated ack matches only the initial packet of a TCP handshake, the SYN sent with the ACK bit clear.

You can use text synonyms to specify some common bit-field matches. For example, a synonym is available for the initial packet of a TCP handshake that is equivalent to the syn-and-not-ack expression above.
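
The following Python evaluator is added here as an illustration; it is not code from the Junos OS documentation or product. It implements the operator rules of Table 1 (negation binds tightest, then AND, then OR, with left-to-right evaluation), refuses expressions that contain spaces, and accepts keywords or hexadecimal literals as operands. The keyword-to-bit table is the standard TCP flags byte; treating a multi-bit literal such as 0x12 as "all of these bits set", and expanding the synonyms tcp-initial to "syn&!ack" and tcp-established to "ack|rst", are assumptions of the model.

```python
"""Added example, not Junos code: an evaluator for tcp-flags expressions
built from the operators !, & and | of Table 1."""
from __future__ import annotations

# Bit values in the 8-bit TCP flags field: 0x02 (SYN) is the second least-significant bit.
TCP_FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "push": 0x08, "ack": 0x10, "urgent": 0x20}
# Assumed expansions of the text synonyms for common matches.
SYNONYMS = {"tcp-initial": "syn&!ack", "tcp-established": "ack|rst"}

PACKET_SYN = 0x02       # constructed sample: first packet of a handshake
PACKET_SYN_ACK = 0x12   # constructed sample: second packet of a handshake
PACKET_ACK = 0x10       # constructed sample: data on an established connection


class _Parser:
    """Recursive descent: or_expr := and_expr ('|' and_expr)*;
    and_expr := unary ('&' unary)*; unary := '!' unary | atom;
    atom := keyword | number | '(' or_expr ')'. Same-precedence
    operators are folded left to right."""

    def __init__(self, text: str) -> None:
        if any(c.isspace() for c in text):
            raise ValueError("a tcp-flags expression must not contain spaces")
        self.text, self.pos = text, 0

    def peek(self) -> str:
        return self.text[self.pos] if self.pos < len(self.text) else ""

    def parse(self):
        node = self.or_expr()
        if self.pos != len(self.text):
            raise ValueError(f"unexpected {self.peek()!r} at offset {self.pos}")
        return node

    def or_expr(self):
        node = self.and_expr()
        while self.peek() == "|":
            self.pos += 1
            node = ("or", node, self.and_expr())
        return node

    def and_expr(self):
        node = self.unary()
        while self.peek() == "&":
            self.pos += 1
            node = ("and", node, self.unary())
        return node

    def unary(self):
        if self.peek() == "!":
            self.pos += 1
            return ("not", self.unary())
        return self.atom()

    def atom(self):
        if self.peek() == "(":
            self.pos += 1
            node = self.or_expr()
            if self.peek() != ")":
                raise ValueError("missing ')'")
            self.pos += 1
            return node
        start = self.pos
        while self.peek() and self.peek() not in "!&|()":
            self.pos += 1
        token = self.text[start:self.pos]
        if token in TCP_FLAGS:
            return ("bits", TCP_FLAGS[token])
        try:
            value = int(token, 0)           # accepts 0x12 as well as decimal 18
        except ValueError:
            raise ValueError(f"unknown tcp-flags operand {token!r}") from None
        if not 0 < value <= 0xFF:
            raise ValueError(f"tcp-flags value {token!r} is outside the 8-bit field")
        return ("bits", value)


def _eval(node, flags: int) -> bool:
    kind = node[0]
    if kind == "bits":                      # every bit named by the operand must be set
        return flags & node[1] == node[1]
    if kind == "not":
        return not _eval(node[1], flags)
    left, right = _eval(node[1], flags), _eval(node[2], flags)
    return (left and right) if kind == "and" else (left or right)


def tcp_flags_match(expression: str, flags: int) -> bool:
    """True if a packet whose TCP flags byte is `flags` matches the expression."""
    expression = SYNONYMS.get(expression, expression)
    return _eval(_Parser(expression).parse(), flags & 0xFF)


if __name__ == "__main__":
    for expr in ("syn", "0x02", "syn&ack", "syn&!ack", "tcp-initial", "!syn&ack", "syn|ack&rst"):
        hits = [hex(f) for f in (PACKET_SYN, PACKET_SYN_ACK, PACKET_ACK) if tcp_flags_match(expr, f)]
        print(f"{expr:12} matches {hits}")
```

Two cases show why precedence matters: "!syn&ack" is read as (!syn)&ack, so it matches a plain ACK but not a SYN-ACK, and "syn|ack&rst" is read as syn|(ack&rst), so a plain ACK does not match it. Note also that the bare keyword syn (or 0x02) matches the SYN-ACK as well as the first SYN; only the negated ack restricts the match to the initial packet.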