Guidelines for Configuring Simple Filters
Statement Hierarchy for Configuring Simple Filters
To configure a simple filter, include the simple-filter simple-filter-name statement at the [edit firewall family inet] hierarchy level:

    [edit]
    firewall {
        family inet {
            simple-filter simple-filter-name {
                term term-name {
                    from {
                        match-conditions;
                    }
                    then {
                        actions;
                    }
                }
            }
        }
    }

Individual statements supported under the simple-filter simple-filter-name statement are described separately in this topic and are illustrated in the example of configuring and applying a simple filter.
Simple Filter Protocol Families
You can configure simple filters to filter IPv4 traffic (family inet) only. No other protocol family is supported for simple filters.
Simple Filter Names
Under the family inet statement, you can include simple-filter simple-filter-name statements to create and name simple filters. The filter name can contain letters, numbers, and hyphens (-) and can be up to 64 characters long. To include spaces in the name, enclose the entire name in quotation marks (" ").
Simple Filter Terms
Under the simple-filter simple-filter-name statement, you can include term term-name statements to create and name filter terms.

You must configure at least one term in a simple filter.

You must specify a unique name for each term within a filter. The term name can contain letters, numbers, and hyphens (-) and can be up to 64 characters long. To include spaces in the name, enclose the entire name in quotation marks (" ").

The order in which you specify terms within a filter configuration is important. Filter terms are evaluated in the order in which they are configured. By default, new terms are always added to the end of the existing filter. You can use the insert configuration mode command to reorder the terms of a filter.

Simple filters do not support the next term action.
Simple Filter Match Conditions
Simple filter terms support only a subset of the IPv4 match conditions that are supported for standard stateless firewall filters.

Unlike standard stateless firewall filters, the following restrictions apply to simple filters:

- On MX Series routers with the Enhanced Queuing DPC and on EX Series switches, simple filters do not support the forwarding-class match condition.
- Simple filters support only one source-address prefix and one destination-address prefix for each filter term. Simple filters do not support multiple source addresses or destination addresses in a single term. If you configure multiple prefixes or addresses in a term, only the last one is used, so a term that lists several addresses matches less traffic than its configuration suggests. To match several prefixes, configure one term per prefix.
- Simple filters do not support negated match conditions, such as the protocol-except match condition or the except keyword.
- Simple filters support a range of values for the source-port and destination-port match conditions only. For example, you can configure source-port 400-500 or destination-port 600-700.
- Simple filters do not support noncontiguous mask values.
Table 1 lists the simple filter match conditions.

Match Condition | Description
---|---
destination-address | Match the IP destination address.
destination-port | Match the TCP or UDP destination port field. If you configure this match condition, we recommend that you also configure the In place of the numeric value, you can specify a text alias for the port.
forwarding-class | Match the forwarding class of the packet. Specify a forwarding class name, such as assured-forwarding, best-effort, expedited-forwarding, or network-control. For information about forwarding classes and router-internal output queues, see Understanding How Forwarding Classes Assign Classes to Output Queues.
protocol | Match the IP protocol field. In place of the numeric value, you can specify a text alias for the protocol.
source-address | Match the IP source address.
source-port | Match the UDP or TCP source port field. If you configure this match condition, we recommend that you also configure the In place of the numeric field, you can specify one of the text aliases listed for
Simple Filter Terminating Actions
Simple filters do not support explicitly configurable terminating actions, such as accept, reject, and discard. Terms configured in a simple filter always accept packets. A simple filter therefore cannot drop or reject traffic; it classifies packets that are forwarded anyway and is not a substitute for a standard stateless firewall filter where access control is required.

Simple filters do not support the next term action.
Simple Filter Nonterminating Actions
Simple filters support only the following nonterminating actions:

- forwarding-class (forwarding-class | assured-forwarding | best-effort | expedited-forwarding | network-control), where the first alternative is the name of a configured forwarding class.

  Note: On MX Series routers with the Enhanced Queuing DPC and on EX Series switches, the forwarding class is not supported as a from match condition.

- loss-priority (high | low | medium-high | medium-low)

Simple filters do not support actions that perform other functions on a packet, such as incrementing a counter, logging information about the packet header, sampling the packet data, or sending information to a remote host using the system log functionality.
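The following configuration is an added example, not taken from this page or from Juniper's own example of configuring and applying a simple filter. It puts the hierarchy, match-condition restrictions, and nonterminating actions described above together in one filter, and applies it in the input direction at the logical interface's family inet hierarchy. The interface name, addresses, and the filter and term names are hypothetical; the second term shows how to match a second source prefix, because a second source-address in the same term would replace the first rather than add to it.

```junos
/* Added example; interface, prefixes, filter and term names are hypothetical. */
firewall {
    family inet {
        simple-filter classify-mgmt {
            /* Terms are evaluated top to bottom; use "insert" to reorder them. */
            term ssh-from-ops {
                from {
                    /* one source prefix and one destination prefix per term */
                    source-address 198.51.100.0/24;
                    destination-address 203.0.113.10/32;
                    protocol tcp;
                    /* a single port or port range; no lists, no -except forms */
                    destination-port 22;
                }
                then {
                    /* nonterminating actions only; the packet is always accepted */
                    forwarding-class network-control;
                    loss-priority low;
                }
            }
            /* A second source prefix needs its own term, not a second
               source-address statement in ssh-from-ops. */
            term ssh-from-noc {
                from {
                    source-address 192.0.2.0/24;
                    destination-address 203.0.113.10/32;
                    protocol tcp;
                    destination-port 22;
                }
                then {
                    forwarding-class network-control;
                    loss-priority low;
                }
            }
            term bulk-backup {
                from {
                    protocol tcp;
                    destination-port 5000-5100;
                }
                then {
                    forwarding-class best-effort;
                    loss-priority high;
                }
            }
            /* No terminating term is possible: anything not matched above
               is still accepted, with its forwarding class unchanged. */
        }
    }
}
interfaces {
    ge-1/0/0 {
        unit 0 {
            family inet {
                address 203.0.113.1/24;
                /* simple filters are applied in the input direction */
                simple-filter {
                    input classify-mgmt;
                }
            }
        }
    }
}
```

Because every term accepts, the filter above only sets forwarding class and loss priority; traffic from hosts outside the two prefixes still reaches port 22 on 203.0.113.10. Pair it with a standard stateless firewall filter if that traffic must be discarded.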