Guidelines for Configuring Firewall Filters
Statement Hierarchy for Configuring Firewall Filters
To configure a standard firewall filter, you can include the following statements. For an IPv4 standard firewall filter, the family inet statement is optional. For an IPv6 standard firewall filter, the family inet6 statement is mandatory.

    firewall {
        family family-name {
            filter filter-name {
                accounting-profile name;
                instance-shared;
                interface-specific;
                physical-interface-filter;
                term term-name {
                    filter filter-name;
                }
                term term-name {
                    from {
                        match-conditions;
                        ip-version ip-version {
                            match-conditions;
                            protocol (tcp | udp) {
                                match-conditions;
                            }
                        }
                    }
                    then {
                        actions;
                    }
                }
            }
        }
    }
You can include the firewall configuration at one of the following hierarchy levels:
- [edit]
- [edit logical-systems logical-system-name]
For stateless firewall filtering, you must allow the output tunnel traffic through the firewall filter applied to input traffic on the interface that is the next-hop interface toward the tunnel destination. The firewall filter affects only the packets exiting the router (or switch) by way of the tunnel.
On ACX7100 platforms, VPLS firewall filters are configured under family ethernet-switching and not under family vpls. Management filters are configured at family inet or family inet6, and the syntax is of this form:

    set interfaces re0:mgmt-0 unit logical-unit-number family family-name filter input filter-name
Firewall Filter Protocol Families
A firewall filter configuration is specific to a particular protocol family. Under the firewall statement, include one of the following statements to specify the protocol family for which you want to filter traffic:
- family any—To filter protocol-independent traffic.
- family inet—To filter Internet Protocol version 4 (IPv4) traffic.
- family inet6—To filter Internet Protocol version 6 (IPv6) traffic.
- family mpls—To filter MPLS traffic.
- family vpls—To filter virtual private LAN service (VPLS) traffic.
- family ccc—To filter Layer 2 circuit cross-connection (CCC) traffic.
- family bridge—To filter Layer 2 bridging traffic for MX Series 3D Universal Edge Routers only.
- family ethernet-switching—To filter Layer 2 (Ethernet) traffic.
The family family-name statement is required only to specify a protocol family other than IPv4. To configure an IPv4 firewall filter, you can configure the filter at the [edit firewall] hierarchy level without including the family inet statement, because the [edit firewall] and [edit firewall family inet] hierarchy levels are equivalent.
For bridge family filters, the ip-protocol match condition is supported only for IPv4 and not for IPv6. This applies to line cards that support the Junos Trio chipset, such as the MX 3D MPC line cards.
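The two rules above (family inet optional, family inet6 mandatory) side by side, as an added example that is not configuration from the Juniper page. Filter, term and counter names, the 192.0.2.0/24 and 2001:db8::/32 prefixes and the ge-0/0/0 interface are placeholders; the IPv4 filter sits directly under [edit firewall], which the page says is the same hierarchy level as [edit firewall family inet], and the IPv6 filter uses the next-header match that inet6 filters use in place of protocol.

```junos
/* Added example; not configuration from the Juniper page. Filter names,
   addresses and the ge-0/0/0 interface are placeholders. */
firewall {
    /* No "family inet" here: [edit firewall] and [edit firewall family inet]
       are the same hierarchy level, so this is an IPv4 filter. */
    filter mgmt-v4 {
        term allow-ssh-from-admin {
            from {
                source-address {
                    192.0.2.0/24;
                }
                protocol tcp;
                destination-port ssh;
            }
            then accept;
        }
        term deny-rest {
            then {
                count mgmt-v4-denied;
                discard;
            }
        }
    }
    /* For IPv6 the family statement is mandatory, and the inet6 filter
       matches the transport protocol with next-header rather than protocol. */
    family inet6 {
        filter mgmt-v6 {
            term allow-ssh-from-admin {
                from {
                    source-address {
                        2001:db8::/32;
                    }
                    next-header tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term deny-rest {
                then {
                    count mgmt-v6-denied;
                    discard;
                }
            }
        }
    }
}
/* Both filters applied to input traffic on one interface, one per family. */
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input mgmt-v4;
                }
            }
            family inet6 {
                filter {
                    input mgmt-v6;
                }
            }
        }
    }
}
```

A filter under family inet never sees IPv6 packets and vice versa, so a host that is reachable over both address families needs both filters; forgetting the inet6 one is a common way to leave a management port open.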
Firewall Filter Names and Options
Under the family family-name statement, you can include filter filter-name statements to create and name firewall filters. The filter name can contain letters, numbers, and hyphens (-) and can be up to 64 characters long. To include spaces in the name, enclose the entire name in quotation marks (“ ”).
At the [edit firewall family family-name filter filter-name] hierarchy level, the following statements are optional:
- accounting-profile
- instance-shared (MX Series routers with Modular Port Concentrators (MPCs) only)
- interface-specific
- physical-interface-filter
Firewall Filter Terms
Under the filter filter-name statement, you can include term term-name statements to create and name filter terms.
You must configure at least one term in a firewall filter.
You must specify a unique name for each term within a firewall filter. The term name can contain letters, numbers, and hyphens (-) and can be up to 64 characters long. To include spaces in the name, enclose the entire name in quotation marks (“ ”).
The order in which you specify terms within a firewall filter configuration is important. Firewall filter terms are evaluated in the order in which they are configured. By default, new terms are always added to the end of the existing filter. You can use the insert configuration mode command to reorder the terms of a firewall filter.
At the [edit firewall family family-name filter filter-name term term-name] hierarchy level, the filter filter-name statement is not valid in the same term as from or then statements. When included at this hierarchy level, the filter filter-name statement is used to nest firewall filters.
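Term ordering and filter nesting together, as an added example that is not from the Juniper page. The filter, term and counter names and the prefixes are placeholders; bogon-deny is a reusable filter that edge-in nests through a term containing only the filter statement (no from or then, as the page requires). The example also shows the ordering mistake the page warns about and the insert command that fixes it.

```junos
/* Added example; not from the Juniper page. Filter, term, counter and
   address names are placeholders. */
firewall {
    family inet {
        /* Filter written to be nested into other filters. */
        filter bogon-deny {
            term rfc1918-sources {
                from {
                    source-address {
                        10.0.0.0/8;
                        172.16.0.0/12;
                        192.168.0.0/16;
                    }
                }
                then {
                    count bogon-drops;
                    discard;
                }
            }
        }
        filter edge-in {
            term allow-established {
                from {
                    protocol tcp;
                    tcp-established;
                }
                then accept;
            }
            /* A term that nests a filter carries no from or then of its own. */
            term screen-sources {
                filter bogon-deny;
            }
            term allow-rest {
                then accept;
            }
        }
    }
}

/* Terms are evaluated top down: as written, a TCP segment with an RFC 1918
   source and the ACK bit set matches allow-established and is accepted
   before screen-sources is ever reached. New terms are appended at the
   end, so the screening term is moved ahead with the configuration-mode
   insert command rather than by re-creating it: */
[edit]
user@router# insert firewall family inet filter edge-in term screen-sources before term allow-established
```

After the insert, show firewall family inet filter edge-in lists screen-sources first, and a packet with a private source is dropped and counted in bogon-drops regardless of its TCP flags. Reviewing the term order after every change is cheap compared with discovering an unreachable deny term in an audit.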
Firewall Filter Match Conditions
Firewall filter match conditions are specific to the type of traffic being filtered.
With the exception of MPLS-tagged IPv4 or IPv6 traffic, you specify the term’s match conditions under the from statement. For MPLS-tagged IPv4 traffic, you specify the term’s IPv4 address-specific match conditions under the ip-version ipv4 statement and the term’s IPv4 port-specific match conditions under the protocol (tcp | udp) statement.
For MPLS-tagged IPv6 traffic, you specify the term’s IPv6 address-specific match conditions under the ip-version ipv6 statement and the term’s IPv6 port-specific match conditions under the protocol (tcp | udp) statement.
Table 1 describes the types of traffic for which you can configure firewall filters.

Traffic Type | Hierarchy Level at Which Match Conditions Are Specified
---|---
Protocol-independent | For the complete list of match conditions, see Firewall Filter Match Conditions for Protocol-Independent Traffic.
IPv4 | For the complete list of match conditions, see Firewall Filter Match Conditions for IPv4 Traffic.
IPv6 | For the complete list of match conditions, see Firewall Filter Match Conditions for IPv6 Traffic.
MPLS | For the complete list of match conditions, see Firewall Filter Match Conditions for MPLS Traffic.
IPv4 addresses in MPLS flows | For the complete list of match conditions, see Firewall Filter Match Conditions for MPLS-Tagged IPv4 or IPv6 Traffic.
IPv4 ports in MPLS flows | For the complete list of match conditions, see Firewall Filter Match Conditions for MPLS-Tagged IPv4 or IPv6 Traffic.
IPv6 addresses in MPLS flows | For the complete list of match conditions, see Firewall Filter Match Conditions for MPLS-Tagged IPv4 or IPv6 Traffic.
IPv6 ports in MPLS flows | For the complete list of match conditions, see Firewall Filter Match Conditions for MPLS-Tagged IPv4 or IPv6 Traffic.
VPLS | For the complete list of match conditions, see Firewall Filter Match Conditions for VPLS Traffic.
Layer 2 CCC | For the complete list of match conditions, see Firewall Filter Match Conditions for Layer 2 CCC Traffic.
Layer 2 Bridging (MX Series routers and EX Series switches only) | For the complete list of match conditions, see Firewall Filter Match Conditions for Layer 2 Bridging Traffic.
If you specify an IPv6 address in a match condition (the address, destination-address, or source-address match conditions), use the syntax for text representations described in RFC 4291, IP Version 6 Addressing Architecture. For more information about IPv6 addresses, see IPv6 Overview and Supported IPv6 Standards.
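The MPLS-tagged case described above, where address matches go under ip-version ipv4 and port matches under the nested protocol statement rather than directly under from, as an added example that is not from the Juniper page. The filter, term and counter names, the 198.51.100.0/24 prefix and the xe-0/1/0 core interface are placeholders.

```junos
/* Added example; not from the Juniper page. Names, the prefix and the
   interface are placeholders. */
firewall {
    family mpls {
        filter mpls-core-in {
            /* Labeled packets: the IPv4 header is matched through
               ip-version ipv4, and TCP ports through the nested protocol
               statement, not directly under from. */
            term block-telnet-in-lsp {
                from {
                    ip-version ipv4 {
                        destination-address {
                            198.51.100.0/24;
                        }
                        protocol tcp {
                            destination-port 23;
                        }
                    }
                }
                then {
                    count mpls-telnet-drops;
                    discard;
                }
            }
            /* Everything else carried over the LSP is left alone. */
            term default-allow {
                then accept;
            }
        }
    }
}
interfaces {
    xe-0/1/0 {
        unit 0 {
            family mpls {
                filter {
                    input mpls-core-in;
                }
            }
        }
    }
}
```

The IPv6 form is the same with ip-version ipv6 and an IPv6 prefix in place of the IPv4 one. A plain family inet filter on the same interface would not see these packets at all, because on a core-facing interface they arrive labeled; that is the reason the family mpls filter exists.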
Firewall Filter Actions
Under the then statement for a firewall filter term, you can specify the actions to be taken on a packet that matches the term.
Table 2 summarizes the types of actions you can specify in a firewall filter term.

Type of Action | Description | Comment
---|---|---
Terminating | Halts all evaluation of a firewall filter for a specific packet. The router (or switch) performs the specified action, and no additional terms are used to examine the packet. You can specify only one terminating action in a firewall filter term. If you try to specify more than one terminating action within the filter term, then the latest terminating action will replace the existing terminating action. You can, however, specify one terminating action with one or more nonterminating actions in a single term. For example, within a term, you can specify |
Nonterminating | Performs other functions on a packet (such as incrementing a counter, logging information about the packet header, sampling the packet data, or sending information to a remote host using the system log functionality), but any additional terms are used to examine the packet. | All nonterminating actions include an implicit accept action. This accept action is carried out if no other terminating action is configured in the same term.
Flow control | For standard firewall filters only, the For example, when you configure a term with the nonterminating action | You cannot configure the A maximum of 1024 Note: On Junos OS Evolved,
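The implicit-accept rule in Table 2 is the one that bites in practice, so here it is as an added example that is not from the Juniper page. Filter, term and counter names and the 203.0.113.0/24 prefix are placeholders. The first filter has a term with only nonterminating actions and therefore accepts everything; the second keeps the same audit intent but continues evaluation with next term, the Junos flow-control action, and also shows one terminating action paired with a nonterminating one in a single term.

```junos
/* Added example; not from the Juniper page. Names and the prefix are
   placeholders. */
firewall {
    family inet {
        /* WRONG for the stated intent: count and log are nonterminating, so
           with no terminating action in the term the implicit accept fires
           and deny-from-untrusted is never evaluated for any packet. */
        filter audit-then-enforce {
            term log-all {
                then {
                    count seen;
                    log;
                }
            }
            term deny-from-untrusted {
                from {
                    source-address {
                        203.0.113.0/24;
                    }
                }
                then {
                    count untrusted-drops;
                    discard;
                }
            }
        }
        /* Corrected: next term hands the packet to the following term
           instead of letting the implicit accept end evaluation. The deny
           term combines one terminating action (discard) with one
           nonterminating action (count), which Table 2 allows. */
        filter audit-then-enforce-fixed {
            term log-all {
                then {
                    count seen;
                    log;
                    next term;
                }
            }
            term deny-from-untrusted {
                from {
                    source-address {
                        203.0.113.0/24;
                    }
                }
                then {
                    count untrusted-drops;
                    discard;
                }
            }
            term allow-rest {
                then accept;
            }
        }
    }
}
```

A quick check after committing a filter of this shape is show firewall filter audit-then-enforce-fixed: if the untrusted-drops counter never moves while seen climbs, the deny term is unreachable and the first filter's mistake has been reproduced.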