Understanding How a Firewall Filter Tests a Protocol

When examining match conditions in a firewall filter, a switch tests only the fields that you specify. It does not implicitly test any fields that you do not explicitly configure. For example, if you specify a match condition of source-port ssh, there is no implied test to determine if the protocol is TCP. In this case, the switch considers any packet that has a value of 22 (decimal) in the 2-byte field that follows a presumed IP header to be a match. To ensure that the term matches on TCP packets, you also specify an ip-protocol tcp match condition.

For the following match conditions, you should explicitly specify the protocol match condition in the same term:

  • destination-port—Specify protocol tcp or protocol udp.

  • icmp-code—Specify protocol icmp and icmp-type.

  • icmp-type—Specify protocol icmp or protocol icmp6.

  • source-port—Specify protocol tcp or protocol udp.

  • tcp-flags—Specify protocol tcp.
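To make the behaviour described above concrete, the following is an added Python model (not code from the Junos documentation) of a term that evaluates only the fields it is configured with: a `source-port ssh` term without a protocol test reads the 2 bytes after the IP header of every packet, so a UDP datagram from port 22 and even an ICMP message whose type/code bytes happen to equal 22 match until `protocol tcp` is added to the term. The packets are constructed inline and the helper names are hypothetical.

```python
import struct

TCP, UDP, ICMP = 6, 17, 1
SSH = 22

def build_ipv4(proto: int, payload: bytes) -> bytes:
    # Constructed minimal IPv4 header: no options, checksum left as 0.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload

def term_matches(pkt: bytes, conditions: dict) -> bool:
    """Evaluate a filter term: only the configured fields are tested."""
    ihl = (pkt[0] & 0x0F) * 4          # header length from the IHL nibble
    proto = pkt[9]                     # protocol field of the IPv4 header
    after_ip = pkt[ihl:]               # whatever follows the IP header
    if "protocol" in conditions and proto != conditions["protocol"]:
        return False
    if "source-port" in conditions:
        # No implied TCP/UDP check: the 2 bytes after the IP header are
        # read as a port number regardless of the actual protocol.
        port = struct.unpack("!H", after_ip[:2])[0]
        if port != conditions["source-port"]:
            return False
    return True

# Constructed sample packets, each carrying the value 22 right after the IP header.
PACKETS = {
    # TCP SYN from port 22: sport, dport, seq, ack, data offset, flags, win, csum, urg
    "tcp":  build_ipv4(TCP,  struct.pack("!HHIIBBHHH", SSH, 40000, 0, 0, 5 << 4, 0x02, 8192, 0, 0)),
    # UDP datagram from port 22: sport, dport, length, checksum
    "udp":  build_ipv4(UDP,  struct.pack("!HHHH", SSH, 5353, 8, 0)),
    # ICMP echo reply (type 0) with code 22: the first two bytes read as 0x0016 == 22
    "icmp": build_ipv4(ICMP, bytes([0, 22, 0, 0])),
}

# Equivalent of "from { source-port ssh; }" with and without "protocol tcp;".
LOOSE_TERM  = {"source-port": SSH}
STRICT_TERM = {"protocol": TCP, "source-port": SSH}

def evaluate(term: dict) -> dict:
    """Return which of the sample packets the term would match."""
    return {name: term_matches(pkt, term) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    print("source-port only :", evaluate(LOOSE_TERM))
    print("protocol tcp added:", evaluate(STRICT_TERM))
```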