Understanding How a Firewall Filter Tests a Protocol
When examining match conditions in a firewall filter, a switch tests only the fields that you specify. It does not implicitly test any fields that you do not explicitly configure. For example, if you specify a match condition of source-port ssh, there is no implied test to determine if the protocol is TCP. In this case, the switch considers any packet that has a value of 22 (decimal) in the 2-byte field that follows a presumed IP header to be a match. To ensure that the term matches on TCP packets, you also specify an ip-protocol tcp match condition.
For the following match conditions, you should explicitly specify the protocol match condition in the same term:

destination-port — Specify protocol tcp or protocol udp.
icmp-code — Specify protocol icmp and icmp-type.
icmp-type — Specify protocol icmp or protocol icmp6.
source-port — Specify protocol tcp or protocol udp.
tcp-flags — Specify protocol tcp.
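The following is an added example, not code from the Junos documentation or from the switch itself. It models a filter term as a small matcher that evaluates only the conditions the term names, so a term containing just source-port ssh is shown matching a constructed UDP packet whose first transport-header field is 22, while the same term with an explicit protocol condition rejects it. The Packet layout, the PORT_NAMES table and the helper names are assumptions made for the illustration.

```python
"""Added example: a minimal model of firewall-filter term evaluation.

A term tests ONLY the fields it names. Nothing is implied about the
protocol, so 'source-port ssh' alone matches any packet carrying 22 in
the 2-byte field after the IP header, whether it is TCP or not.
The packet layout and port-name table below are constructed for this
example and are not the switch's real data structures."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed packet: IP protocol number plus the two 16-bit fields
    that follow the IP header (source and destination port for TCP/UDP)."""
    protocol: int
    source_port: int
    destination_port: int


TCP, UDP = 6, 17            # IANA protocol numbers

# Symbolic port names the term may use instead of numbers (subset, assumed).
PORT_NAMES = {"ssh": 22, "http": 80, "domain": 53}


def _port(value):
    """Accept a numeric port or a symbolic name such as 'ssh'."""
    return PORT_NAMES[value] if isinstance(value, str) else int(value)


def term_matches(term, pkt):
    """True when every condition present in `term` holds for `pkt`.

    A condition absent from `term` is never examined, mirroring the
    documented behaviour: there is no implicit protocol test."""
    if "protocol" in term and pkt.protocol != term["protocol"]:
        return False
    if "source-port" in term and pkt.source_port != _port(term["source-port"]):
        return False
    if "destination-port" in term and pkt.destination_port != _port(term["destination-port"]):
        return False
    return True


# Weak term: only the port is named, so the protocol is never checked.
TERM_PORT_ONLY = {"source-port": "ssh"}
# Corrected term: the protocol is named explicitly in the same term.
TERM_TCP_SSH = {"protocol": TCP, "source-port": "ssh"}

# Constructed traffic: a TCP segment from port 22 and a UDP datagram from port 22.
TCP_FROM_22 = Packet(protocol=TCP, source_port=22, destination_port=51000)
UDP_FROM_22 = Packet(protocol=UDP, source_port=22, destination_port=51000)


def compare_terms():
    """Evaluate both terms against both packets; returns name -> matched."""
    return {
        "port-only/tcp": term_matches(TERM_PORT_ONLY, TCP_FROM_22),
        "port-only/udp": term_matches(TERM_PORT_ONLY, UDP_FROM_22),
        "tcp+ssh/tcp": term_matches(TERM_TCP_SSH, TCP_FROM_22),
        "tcp+ssh/udp": term_matches(TERM_TCP_SSH, UDP_FROM_22),
    }


if __name__ == "__main__":
    for name, hit in compare_terms().items():
        print(f"{name:15s} -> {'match' if hit else 'no match'}")
```

Running the block shows the port-only term matching both packets and the term with the explicit protocol condition matching only the TCP segment. The same pairing is what the text asks for in a Junos term: put the protocol condition (protocol tcp, or ip-protocol tcp where that keyword applies) in the same from block as source-port ssh, rather than relying on the port alone.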