Guidelines for Configuring Service Filters
Statement Hierarchy for Configuring Service Filters
To configure a service filter, include the service-filter service-filter-name statement at the [edit firewall family (inet | inet6)] hierarchy level:

[edit]
firewall {
    family (inet | inet6) {
        service-filter service-filter-name {
            term term-name {
                from {
                    match-conditions;
                }
                then {
                    actions;
                }
            }
        }
    }
}

Individual statements supported under the service-filter service-filter-name statement are described separately in this topic and are illustrated in the example of configuring and applying a service filter.
Service Filter Protocol Families
You can configure service filters to filter IPv4 traffic (family inet) and IPv6 traffic (family inet6) only. No other protocol families are supported for service filters.
Service Filter Names
Under the family inet or family inet6 statement, you can include service-filter service-filter-name statements to create and name service filters. The filter name can contain letters, numbers, and hyphens (-) and can be up to 64 characters long. To include spaces in the name, enclose the entire name in quotation marks (" ").
Service Filter Terms
Under the service-filter service-filter-name statement, you can include term term-name statements to create and name filter terms.
You must configure at least one term in a service filter.
You must specify a unique name for each term within a service filter. The term name can contain letters, numbers, and hyphens (-) and can be up to 64 characters long. To include spaces in the name, enclose the entire name in quotation marks (" ").
The order in which you specify terms within a service filter configuration is important. Terms are evaluated in the order in which they are configured, and the first term that matches a packet determines what happens to it. By default, new terms are always added to the end of the existing filter. You can use the insert configuration mode command to reorder the terms of a service filter.
Service Filter Match Conditions
Service filter terms support only a subset of the IPv4 and IPv6 match conditions that are supported for standard stateless firewall filters.
If you specify an IPv6 address in a match condition (the address, destination-address, or source-address match conditions), use the syntax for text representations described in RFC 4291, IP Version 6 Addressing Architecture. For more information about IPv6 addresses, see "IPv6 Overview" in the Junos OS Routing Protocols Library for Routing Devices.
Service Filter Terminating Actions
When configuring a service filter term, you must specify one of the following filter-terminating actions:
service: direct the matching packet to the service set for service processing.
skip: exclude the matching packet from service processing and forward it normally.
These actions are unique to service filters; a service filter decides only which packets reach the service set, not whether they are forwarded.
Service filter terms support only a subset of the IPv4 and IPv6 nonterminating actions that are supported for standard stateless firewall filters:
count counter-name
log
port-mirror
sample
Service filters do not support the next term action.
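The following complete service filter configuration ties the statements above together. It is an illustration added to this topic, not the Junos documentation's own configuration example, and every name in it (the filter names sf-web-to-svc and sf6-web-to-svc, the term names, the counter names and the addresses) is a placeholder. The protocol and destination-port match conditions are assumed to be in the subset of match conditions that service filters support.

```junos
[edit]
firewall {
    family inet {
        service-filter sf-web-to-svc {
            /* Terms are evaluated top to bottom; the first match decides. */
            term bypass-mgmt {
                /* Traffic from the management host is never sent to the service set. */
                from {
                    source-address {
                        192.0.2.10/32;
                    }
                }
                then {
                    count bypass-mgmt;
                    skip;
                }
            }
            term steer-http {
                /* Only TCP port 80 traffic to the server block is serviced. */
                from {
                    destination-address {
                        198.51.100.0/24;
                    }
                    protocol tcp;
                    destination-port 80;
                }
                then {
                    count steer-http;
                    service;
                }
            }
            term default-skip {
                /* A term without a from clause matches every remaining packet. */
                then {
                    skip;
                }
            }
        }
    }
    family inet6 {
        service-filter sf6-web-to-svc {
            /* IPv6 addresses use the RFC 4291 text form. */
            term steer-http-v6 {
                from {
                    destination-address {
                        2001:db8:1::/64;
                    }
                    protocol tcp;
                    destination-port 80;
                }
                then {
                    count steer-http-v6;
                    service;
                }
            }
            term default-skip-v6 {
                then {
                    skip;
                }
            }
        }
    }
}
```

Two points of the configuration matter in practice. First, the ordering: bypass-mgmt is placed before steer-http on purpose, because a packet from the management host to the server block on port 80 would otherwise match steer-http and be serviced; if the terms were entered in the other order, the command insert term bypass-mgmt before term steer-http at the [edit firewall family inet service-filter sf-web-to-svc] hierarchy level corrects it. Second, the explicit catch-all skip term: stating the fate of unmatched traffic in the filter itself avoids relying on any implicit default and makes the filter's intent visible when it is reviewed. The count actions are nonterminating and are combined with the terminating action in the same term so that the per-term counters can be checked after the filter is applied.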