Understanding Firewall Filter Match Conditions
Before you define terms for firewall filters, you must understand how the conditions in a term are handled and how to specify interface, numeric, address, and bit-field filter match conditions to achieve the desired filter results.
Filter Match Conditions
In the from
statement of a firewall filter term, you specify the conditions that the packet must match for the action in the then
statement to be taken. All conditions must match for the action to be implemented. The order
in which you specify match conditions is not important, because a packet must match all the
conditions in a term for a match to occur.
If you specify multiple values for the same condition, a match on any one of those values
matches that condition. For example, if you specify multiple IP source addresses using the source-address
statement, a packet that contains any one of those IP source addresses
matches the condition. In some cases you can specify multiple values for the same condition
by enclosing the possible values in square brackets, as in:
[edit firewall family family-name filter filter-name term term-name from] user@switch# set protocol (icmp | udp)
In other cases you must enter multiple statements, as in:
[edit firewall family family-name filter filter-name term term-name from] user@switch# set source-address 10.1.1.1 user@switch# set source-address 10.1.1.2
If you specify no match conditions in a term, that term matches all packets.
Unlike traditional Junos OS firewall filters, you cannot use except
in a
condition statement to negate the condition.
Numeric Filter Match Conditions
You can specify numeric filter match conditions that are identified by a numeric value, such as port and protocol numbers. For numeric filter match conditions, you specify the condition and a single value that a field in a packet must contain to be considered a match.
You can specify the numeric value in one of the following ways:
Single number—A match occurs if the value of the field matches the number. For example, to match Telnet traffic:
[edit firewall family family-name filter filter-name term term-name from] user@switch# set source-port 23
Text synonym for a single number—A match occurs if the value of the field matches the number that corresponds to the synonym. For example, to match Telnet traffic:
[edit firewall family family-name filter filter-name term term-name from] user@switch# set source-port telnet
To specify multiple values for the same match condition in a filter term, enter each value in its own match statement. For example, a match occurs in the following term if the value of the source port in the packet is 22 or 23.
[edit firewall family family-name filter filter-name term term-name from] user@switch# set source-port 22 user@switch# set source-port 23
Interface Filter Match Conditions
You can specify an interface filter match condition to match an interface on which a packet is received or transmitted. For example, if you apply a filter to a VLAN you might want the filter to match on some interfaces that participate in the VLAN and not match on other interfaces in the VLAN. When you specify the name of the interface, you must include a logical unit.
[edit firewall family family-name filter filter-name term term-name from] user@switch# set interface ge-0/0/6.0
In this example, the final character (0
) specifies the logical unit. You
can include the wildcard (*
) as part of the interface name. For example:
[edit firewall family family-name filter filter-name term term-name from] user@switch# set interface ge-0/*/6.0 user@switch# set interface ge-0/1/*.0 user@switch# set interface ge-0/0/6.*
Note that you must specify a value or a wildcard for the logical unit.
IP Address Filter Match Conditions
You can specify an address filter match condition to match an IP source or destination address or prefix in a packet. Specify the address or prefix type and the address or prefix itself. For example:
[edit firewall family family-name filter filter-name term term-name from] user@switch# set destination-address 10.2.1.0/24;
If you omit the prefix length, it defaults to /32
. For example:
[edit firewall family family-name filter filter-name term term-name from] user@switch# set destination-address 10 [edit firewall family family-name filter filter-name term term-name from] user@switch# show destination-address { 10.0.0.0/32; }
To specify more than one IP address or prefix in a filter term, enter each address or prefix in its own match statement. For example, a match occurs in the following term if the source address of a packet matches either of the following prefixes:
[edit firewall family family-name filter filter-name term term-name from] user@switch# set source-address 10.1.0.0/16 user@switch# set source-address 10.2.0.0/16
MAC Address Filter Match Conditions
You can specify a MAC address filter match condition to match a source or destination MAC address. You specify the address type and value that a packet must contain to be considered a match.
You can specify the MAC address as six hexadecimal bytes in any of the following formats:
[edit firewall family family-name filter filter-name term term-name from] user@switch# set destination-mac-address 00:11:22:33:44:55
[edit firewall family family-name filter filter-name term term-name from] user@switch# set destination-mac-address 0011.2233.4455
[edit firewall family family-name filter filter-name term term-name from] user@switch# set destination-mac-address 001122334455
Regardless of the formats you use, the system resolves the address to the standard format, in this case 00:11:22:33:44:55.
To specify more than one MAC address in a filter term, enter each MAC address in its own match statement. For example, a match occurs in the following term if the value of the MAC source address matches either of the following addresses:
[edit firewall family family-name filter filter-name term term-name from] user@switch# set source-mac-address 00:11:22:33:44:55 user@switch# set source-mac-address 00:11:22:33:20:15
Bit-Field Filter Match Conditions
You can specify bit-field filter match conditions to match particular bits within certain fields in Ethernet frames and IP, TCP, UDP, and ICMP headers. You usually specify the field and the bit within the field that must be set in a packet to be considered a match.
In most cases you can use a keyword to specify the bit you want to match on. For example,
to match on a TCP SYN packet you can enter syn
, as in:
[edit firewall family family-name filter filter-name term term-name from] user@switch# set tcp-flags syn
You can also enter 0x02
because the SYN bit is the third least-significant
bit of the 8-bit tcp-flags field:
[edit firewall family family-name filter filter-name term term-name from] user@switch# set tcp-flags 0x02
To match multiple bit-field values, use the logical operators, which are described in Table 1. The operators are listed in order from highest precedence to lowest precedence. Operations are evaluated from left to right.
Logical Operators |
Description |
---|---|
|
Negation |
|
Logical AND |
|
Logical OR |
If you use a logical operator, enclose the values in quotation marks and do not include any spaces. For example, the following statement matches the second packet of a TCP handshake:
[edit firewall family family-name filter filter-name term term-name from] user@switch# set tcp-flags "syn&ack"
To negate a match, precede the value with an exclamation point. For example, the following statement matches only the initial packet of a TCP handshake:
[edit firewall family family-name filter filter-name term term-name from] user@switch# set tcp-flags "syn&!ack"
You can use text synonyms to specify some common bit-field matches. For example, the following statement also matches the initial packet of a TCP handshake:
[edit firewall family family-name filter filter-name term term-name from] user@switch# set tcp-initial