Guidelines for Applying Standard Firewall Filters
Applying Firewall Filters Overview
You can apply a standard firewall filter to a loopback interface on the router or to a physical or logical interface on the router. You can apply a firewall filter to a single interface or to multiple interfaces on the router. Table 1 summarizes the behavior of firewall filters based on the point to which you attach the filter.

| Filter Attachment Point | Filter Behavior |
|---|---|
| Loopback interface | The router’s loopback interface, Note: |
| Physical interface or logical interface | When you apply a filter to a physical interface on the router or to a logical interface (or member of an aggregated Ethernet bundle defined on the interface), the filter evaluates all data packets that pass through that interface. |
| Multiple interfaces | You can use the same firewall filter one or more times. On M Series routers, except the M120 and M320 routers, if you apply a firewall filter to multiple interfaces, the filter acts on the sum of traffic entering or exiting those interfaces. On T Series, M120, M320, and MX Series routers, interfaces are distributed among multiple packet-forwarding components. On these routers, you can configure firewall filters and service filters that, when applied to multiple interfaces, act on the individual traffic streams entering or exiting each interface, regardless of the sum of traffic on the multiple interfaces. For more information, see Interface-Specific Firewall Filter Instances Overview. |
| Single interface with protocol-independent and protocol-specific firewall filters attached | For interfaces hosted on the following hardware only, you can attach a protocol-independent ( Note: Interfaces hosted on the following hardware do not support protocol-independent firewall filters: |
Statement Hierarchy for Applying Firewall Filters
To apply a standard firewall filter to a logical interface, configure the filter statement for the logical interface defined under either the [edit] or [edit logical-systems logical-system-name] hierarchy level. Under the filter statement, you can include one or more of the following statements: group group-number, input filter-name, input-list filter-name, output filter-name, or output-list filter-name. The hierarchy level at which you attach the filter statement depends on the filter type and device type you are configuring.
- Protocol-Independent Firewall Filters on MX Series Routers
- All Other Firewall Filters on Logical Interfaces
Protocol-Independent Firewall Filters on MX Series Routers
To apply a protocol-independent firewall filter to a logical interface on an MX Series router, configure the filter statement directly under the logical unit:

```
interfaces {
    interface-name {
        unit logical-unit-number {
            filter {
                group group-number;
                input filter-name;
                input-list [ filter-names ];
                output filter-name;
                output-list [ filter-names ];
            }
        }
    }
}
```
All Other Firewall Filters on Logical Interfaces
To apply a standard firewall filter to a logical interface for all cases other than a protocol-independent filter on an MX Series router, configure the filter statement under the protocol family:

```
interfaces {
    interface-name {
        unit logical-unit-number {
            family family-name {
                ...
                filter {
                    group group-number;
                    input filter-name;
                    input-list [ filter-names ];
                    output filter-name;
                    output-list [ filter-names ];
                }
            }
        }
    }
}
```
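The following configuration is an added worked example, not text from this page or a Juniper sample, that puts both hierarchies above into a single usable configuration: a family inet filter attached to lo0 to restrict what reaches the Routing Engine, an ordered input-list plus a single output filter under family inet on a transit interface, and a protocol-independent filter attached directly under the unit, which is valid only on MX Series routers. All filter, prefix-list, counter and interface names (protect-re, mgmt-net, transit-in-a, ge-0/0/0, and so on) and the 192.0.2.0/24 management prefix are assumptions chosen for the example.

```junos
/* Added example; names and the management prefix are assumptions, not from this page. */
policy-options {
    prefix-list mgmt-net {
        192.0.2.0/24;                     /* assumed management network */
    }
}
firewall {
    /* Protocol-specific filters are defined under a family. */
    family inet {
        filter protect-re {
            /* Applied to lo0 below: only SSH from the management prefix is accepted,
               everything else destined to the Routing Engine is counted and dropped. */
            term allow-mgmt-ssh {
                from {
                    source-prefix-list {
                        mgmt-net;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term deny-rest {
                then {
                    count re-drops;
                    discard;
                }
            }
        }
        /* Two filters that will be chained in an input-list; ordering in the list
           decides which one evaluates a packet first. */
        filter transit-in-a {
            term count-icmp {
                from {
                    protocol icmp;
                }
                then {
                    count icmp-in;
                    accept;
                }
            }
            term rest {
                then accept;
            }
        }
        filter transit-in-b {
            term all {
                then {
                    count all-in;
                    accept;
                }
            }
        }
        filter transit-out {
            term all {
                then {
                    count all-out;
                    accept;
                }
            }
        }
    }
    /* Protocol-independent filter: defined at [edit firewall filter], no family keyword. */
    filter any-count {
        term all {
            then {
                count any-packets;
                accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;       /* evaluated for traffic to the Routing Engine */
                }
            }
        }
    }
    ge-0/0/0 {
        unit 0 {
            /* MX Series only: protocol-independent filter directly under the unit. */
            filter {
                input any-count;
            }
            /* All other cases: filter statement under the protocol family. */
            family inet {
                address 198.51.100.1/30;    /* assumed interface address */
                filter {
                    input-list [ transit-in-a transit-in-b ];
                    output transit-out;
                }
            }
        }
    }
}
```

Only one input filter or one input-list, and one output filter or one output-list, may be present per family on an interface, so transit-in-a and transit-in-b are chained with input-list rather than with two input statements.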
Restrictions on Applying Firewall Filters
- Number of Input and Output Filters Per Logical Interface
- MPLS and Layer 2 CCC Firewall Filters in Lists
- Layer 2 CCC Firewall Filters on MX Series Routers and EX Series Switches
- IPv6 Firewall Filters on PTX Series Packet Transport Routers
Number of Input and Output Filters Per Logical Interface
Input filters—Although you can use the same filter multiple times, you can apply only one input filter or one input filter list to an interface.

- To specify a single firewall filter to be used to evaluate packets received on the interface, include the input filter-name statement in the filter stanza.
- To specify an ordered list of firewall filters to be used to evaluate packets received on the interface, include the input-list [ filter-names ] statement in the filter stanza. You can specify up to 16 firewall filters for the filter input list.

Output filters—Although you can use the same filter multiple times, you can apply only one output filter or one output filter list to an interface.

- To specify a single firewall filter to be used to evaluate packets transmitted on the interface, include the output filter-name statement in the filter stanza.
- To specify an ordered list of firewall filters to be used to evaluate packets transmitted on the interface, include the output-list [ filter-names ] statement in the filter stanza. You can specify up to 16 firewall filters in a filter output list.
MPLS and Layer 2 CCC Firewall Filters in Lists
The input-list filter-names and output-list filter-names statements for firewall filters for the ccc and mpls protocol families are supported on all interfaces with the exception of the following:

- Management interfaces and internal Ethernet interfaces (fxp or em0)
- Loopback interfaces (lo0)
- USB modem interfaces (umd)
Layer 2 CCC Firewall Filters on MX Series Routers and EX Series Switches
Only on MX Series routers and EX Series switches, you cannot apply a Layer 2 CCC stateless firewall filter (a firewall filter configured at the [edit firewall filter family ccc] hierarchy level) as an output filter. On MX Series routers and EX Series switches, firewall filters configured for the family ccc statement can be applied only as input filters.
IPv6 Firewall Filters on PTX Series Packet Transport Routers
On PTX10001-20C routers, you cannot apply IPv6 firewall filters to:

- Tunnel interfaces
- IRB interfaces
- Egress interfaces
- Interface-specific filters, configured at the [edit firewall family inet6 filter filter-name] hierarchy level
- Traffic policers
- Junos Telemetry Interface