Firewall Filter Match Conditions Based on Address Fields
You can configure firewall filter match conditions that evaluate packet address fields—IPv4 source and destination addresses, IPv6 source and destination addresses, or media access control (MAC) source and destination addresses—against specified addresses or prefix values.
Implied Match on the '0/0 except' Address for Firewall Filter Match Conditions Based on Address Fields
Every firewall filter match condition based on a set of addresses or address prefixes is associated with an implicit match on the address 0.0.0.0/0 except (for IPv4 or VPLS traffic) or 0:0:0:0:0:0:0:0/0 except (for IPv6 traffic). As a result, any packet whose specified address field does not match any of the specified addresses or address prefixes fails to match the entire term.
Matching an Address Field to a Subnet Mask or Prefix
You can specify a single match condition to match a source address or destination address that falls within a specified address prefix.
- IPv4 Subnet Mask Notation
- Prefix Notation
- Default Prefix Length for IPv4 Addresses
- Default Prefix Length for IPv6 Addresses
- Default Prefix Length for MAC Addresses
IPv4 Subnet Mask Notation
For an IPv4 address, you can specify a subnet mask value rather than a prefix length. For example:
[edit firewall family inet filter filter_on_dst_addr term term3 from]
user@host# set address 10.0.0.10/255.0.0.255
Prefix Notation
To specify the address prefix, use the notation prefix/prefix-length. In the following example, a match occurs if a destination address matches the prefix 10.0.0.0/8:
[edit firewall family inet filter filter_on_dst_addr term term1 from]
user@host# set destination-address 10.0.0.0/8
Default Prefix Length for IPv4 Addresses
If you do not specify /prefix-length for an IPv4 address, the prefix length defaults to /32. The following example illustrates the default prefix value:
[edit firewall family inet filter filter_on_dst_addr term term2 from]
user@host# set destination-address 10
user@host# show
destination-address {
    10.0.0.0/32;
}
Default Prefix Length for IPv6 Addresses
If you do not specify /prefix-length for an IPv6 address, the prefix length defaults to /128. The following example illustrates the default prefix value:
[edit firewall family inet6 filter filter_on_dst_addr term term1 from]
user@host# set destination-address ::10
user@host# show
destination-address {
    ::10/128;
}
Default Prefix Length for MAC Addresses
If you do not specify /prefix-length for a media access control (MAC) address of a VPLS, Layer 2 CCC, or Layer 2 bridging packet, the prefix length defaults to /48. The following example illustrates the default prefix value:
[edit firewall family vpls filter filter_on_dst_mac_addr term term1 from]
user@host# set destination-mac-address 01:00:0c:cc:cc:cd
user@host# show
destination-mac-address {
    01:00:0c:cc:cc:cd/48;
}
Matching an Address Field to an Excluded Value
For the address-field match conditions, you can include the except keyword to specify that a match occurs for an address field that does not match the specified address or prefix.
- Excluding IP Addresses in IPv4 or IPv6 Traffic
- Excluding IP Addresses in VPLS or Layer 2 Bridging Traffic
- Excluding MAC Addresses in VPLS or Layer 2 Bridging Traffic
- Excluding All Addresses Requires an Explicit Match on the '0/0' Address
Excluding IP Addresses in IPv4 or IPv6 Traffic
For the following IPv4 and IPv6 match conditions, you can include the except keyword to specify that a match occurs for an IP address field that does not match the specified IP address or prefix:
address address except—A match occurs if either the source IP address or the destination IP address does not match the specified address or prefix.
source-address address except—A match occurs if the source IP address does not match the specified address or prefix.
destination-address address except—A match occurs if the destination IP address does not match the specified address or prefix.
In the following example, a match occurs for any IPv4 destination addresses that fall under the 172.0.0.0/8 prefix, except for addresses that fall under 172.16.0.0/16. All other addresses implicitly do not match this condition.
[edit firewall family inet filter filter_on_dst_addr term term1 from]
user@host# set destination-address 172.16.0.0/16 except
user@host# set destination-address 172.0.0.0/8
user@host# show
destination-address {
    172.16.0.0/16 except;
    172.0.0.0/8;
}
In the following example, a match occurs for any IPv4 destination address that does not fall within the prefix 10.1.1.0/24:
[edit firewall family inet filter filter_on_dst_addr term term24 from]
user@host# set destination-address 0.0.0.0/0
user@host# set destination-address 10.1.1.0/24 except
user@host# show
destination-address {
    0.0.0.0/0;
    10.1.1.0/24 except;
}
Excluding IP Addresses in VPLS or Layer 2 Bridging Traffic
For the following VPLS and Layer 2 bridging match conditions on MX Series routers only, you can include the except keyword to specify that a match occurs for an IP address field that does not match the specified IP address or prefix:
ip-address address except—A match occurs if either the source IP address or the destination IP address does not match the specified address or prefix.
source-ip-address address except—A match occurs if the source IP address does not match the specified address or prefix.
destination-ip-address address except—A match occurs if the destination IP address does not match the specified address or prefix.
In the following example for filtering VPLS traffic on an MX Series router, a match occurs if either the source IP address or the destination IP address falls within 55.0.0.0/8 but outside the excepted range 55.0.1.0/255.0.255.0. Matching packets are counted and discarded:
[edit]
firewall {
    family vpls {
        filter fvpls {
            term 1 {
                from {
                    ip-address {
                        55.0.0.0/8;
                        55.0.1.0/255.0.255.0 except;
                    }
                }
                then {
                    count from-55/8;
                    discard;
                }
            }
        }
    }
}
Excluding MAC Addresses in VPLS or Layer 2 Bridging Traffic
For the following VPLS or Layer 2 bridging traffic match conditions, you can include the except keyword to specify that a match occurs for a MAC address field that does not match the specified MAC address or prefix:
source-mac-address address except—A match occurs if the source MAC address does not match the specified address or prefix.
destination-mac-address address except—A match occurs if the destination MAC address does not match the specified address or prefix.
Excluding All Addresses Requires an Explicit Match on the '0/0' Address
If you specify a firewall filter match condition that consists of one or more address-exception match conditions (address match conditions that use the except keyword) but no matchable address match conditions, packets that do not match any of the configured prefixes fail the overall match operation. To configure a firewall filter term of address-exception match conditions to match any address that is not in the prefix list, include an explicit match of 0/0 so that the term contains a matchable address.
For the following example firewall filter for IPv4 traffic, the from-trusted-addresses term fails to discard matching traffic, and the INTRUDERS-COUNT counter is missing from the output of the show firewall operational mode command:
[edit]
user@host# show policy-options
prefix-list TRUSTED-ADDRESSES {
    10.2.1.0/24;
    192.168.122.0/24;
}
[edit firewall family inet filter protect-RE]
user@host# show
term from-trusted-addresses {
    from {
        source-prefix-list {
            TRUSTED-ADDRESSES except;
        }
        protocol icmp;
    }
    then {
        count INTRUDERS-COUNT;
        discard;
    }
}
term other-icmp {
    from {
        protocol icmp;
    }
    then {
        count VALID-COUNT;
        accept;
    }
}
term all {
    then accept;
}
[edit]
user@host# run show firewall
Filter: protect-RE
Counters:
Name                  Bytes      Packets
VALID-COUNT            2770           70
Filter: __default_bpdu_filter__
To cause a filter term of address-exception match conditions to match any address that is not in the prefix list, include an explicit match of 0/0 in the set of match conditions:
[edit firewall family inet filter protect-RE]
user@host# show term from-trusted-addresses
from {
    source-address {
        0.0.0.0/0;
    }
    source-prefix-list {
        TRUSTED-ADDRESSES except;
    }
    protocol icmp;
}
With the addition of the 0.0.0.0/0 source prefix address to the match condition, the from-trusted-addresses term discards matching traffic, and the INTRUDERS-COUNT counter displays in the output of the show firewall operational mode command:
[edit]
user@host# run show firewall
Filter: protect-RE
Counters:
Name                  Bytes      Packets
VALID-COUNT            2770           70
INTRUDERS-COUNT         420            5
Filter: __default_bpdu_filter__
Matching Either IP Address Field to a Single Value
For IPv4 and IPv6 traffic and for VPLS and Layer 2 bridging traffic on MX Series routers only, you can use a single match condition to match a single address or prefix value to either the source or destination IP address field.
- Matching Either IP Address Field in IPv4 or IPv6 Traffic
- Matching Either IP Address Field in VPLS or Layer 2 Bridging Traffic
Matching Either IP Address Field in IPv4 or IPv6 Traffic
For IPv4 or IPv6 traffic, you can use a single match condition to specify the same address or prefix value as the match for either the source or destination IP address field. Instead of creating separate filter terms that specify the same address for the source-address and destination-address match conditions, you use only the address match condition. A match occurs if either the source IP address or the destination IP address matches the specified address or prefix.
If you use the except keyword with the address match condition, a match occurs if both the source IP address and the destination IP address match the specified value before the exception applies.
In a firewall filter term that specifies either the source-address or the destination-address match condition, you cannot also specify the address match condition.
Matching Either IP Address Field in VPLS or Layer 2 Bridging Traffic
For VPLS or Layer 2 bridging traffic on MX Series routers only, you can use a single match condition to specify the same address or prefix value as the match for either the source or destination IP address field. Instead of creating separate filter terms that specify the same address for the source-ip-address and destination-ip-address match conditions, you use only the ip-address match condition. A match occurs if either the source IP address or the destination IP address matches the specified address or prefix.
If you use the except keyword with the ip-address match condition, a match occurs if both the source IP address and the destination IP address match the specified value before the exception applies.
In a firewall filter term that specifies either the source-ip-address or the destination-ip-address match condition, you cannot also specify the ip-address match condition.
Matching an Address Field to Noncontiguous Prefixes
For IPv4 traffic only, specify a single match condition to match the IP source or destination address field to any prefix specified. The prefixes do not need to be contiguous. That is, the prefixes under the source-address or destination-address match condition do not need to be adjacent or neighboring to one another.
In the following example, a match occurs if a destination address matches either the 10.0.0.0/8 prefix or the 192.168.0.0/32 prefix:
[edit firewall family inet filter filter_on_dst_addr term term5 from]
user@host# set destination-address 10.0.0.0/8
user@host# set destination-address 192.168.0.0/32
user@host# show
destination-address {
    10.0.0.0/8;
    192.168.0.0/32;
}
The order in which you specify the prefixes within the match condition is not significant. Packets are evaluated against all the prefixes in the match condition to determine whether a match occurs. If prefixes overlap, longest-match rules are used to determine whether a match occurs. A match condition of noncontiguous prefixes includes an implicit 0/0 except statement, which means that any prefix that does not match any prefix included in the match condition is explicitly considered not to match.
Because the prefixes are order-independent and use longest-match rules, a shorter prefix subsumes any longer prefix of the same type (that is, both specify except or neither does). This is because anything that would match the longer prefix would also match the shorter one.
Consider the following example:
[edit firewall family inet filter filter_on_src_addr term term1 from]
source-address {
    172.16.0.0/10;
    172.16.2.0/24 except;
    192.168.1.0;
    192.168.1.192/26 except;
    192.168.1.254;
    172.16.3.0/24;   # ignored
    10.2.2.2 except; # ignored
}
Within the source-address match condition, two addresses are ignored. The 172.16.3.0/24 value is ignored because it falls under the address 172.16.0.0/10, which is the same type. The 10.2.2.2 except value is ignored because it is subsumed by the implicit 0.0.0.0/0 except match value.
Suppose the following source IP addresses are evaluated by this firewall filter:
Source IP address 172.16.1.2—This address matches the 172.16.0.0/10 prefix, and thus the action in the then statement is taken.
Source IP address 172.16.2.2—This address matches the 172.16.2.0/24 prefix. Because this prefix is negated (that is, includes the except keyword), an explicit mismatch occurs. The next term in the filter is evaluated, if there is one. If there are no more terms, the packet is discarded.
Source IP address 10.1.2.3—This address does not match any of the prefixes included in the source-address condition. Instead, it matches the implicit 0.0.0.0/0 except at the end of the list of prefixes configured under the source-address match condition, and is considered to be a mismatch.
The 172.16.3.0/24 statement is ignored because it falls under the address 172.16.0.0/10—both are the same type.
The 10.2.2.2 except statement is ignored because it is subsumed by the implicit 0.0.0.0/0 except statement at the end of the list of prefixes configured under the source-address match condition.
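The following is an added example, not Junos code or part of the original page. It models the address-field evaluation just described (longest matching prefix wins, except on the winner is an explicit mismatch, and the implicit 0/0 except catches everything else) and runs it over the source-address condition above and over the protect-RE prefix-list condition from the earlier section, with and without the explicit 0.0.0.0/0. The entry strings, test addresses and function names are this example's own.

```python
import ipaddress

def parse_entry(spec):
    """Parse 'prefix[/len] [except]' in Junos style. A missing length
    defaults to /32 for IPv4 and /128 for IPv6, as the page describes."""
    parts = spec.split()
    net = ipaddress.ip_network(parts[0], strict=False)
    return net, len(parts) > 1 and parts[1] == "except"

def address_field_matches(addr, specs):
    """Model of one Junos address match condition.
    Longest matching prefix wins; 'except' on the winner is an explicit
    mismatch; no matching prefix falls through to the implicit 0/0 except."""
    ip = ipaddress.ip_address(addr)
    winner = None  # (network, is_except) of the longest prefix containing ip
    for spec in specs:
        net, is_except = parse_entry(spec)
        if ip.version == net.version and ip in net:
            if winner is None or net.prefixlen > winner[0].prefixlen:
                winner = (net, is_except)
    if winner is None:
        return False  # implicit 0.0.0.0/0 except: explicit mismatch
    return not winner[1]

def evaluate(specs, addrs):
    """Map each address to True (match) or False (mismatch)."""
    return {a: address_field_matches(a, specs) for a in addrs}

# Constructed: the source-address condition from the example above.
SOURCE_ADDRESS = [
    "172.16.0.0/10", "172.16.2.0/24 except", "192.168.1.0",
    "192.168.1.192/26 except", "192.168.1.254",
    "172.16.3.0/24",    # ignored: same type as the covering 172.16.0.0/10
    "10.2.2.2 except",  # ignored: subsumed by the implicit 0/0 except
]

# Constructed: the protect-RE term's source condition, without and with 0/0.
TRUSTED_EXCEPT = ["10.2.1.0/24 except", "192.168.122.0/24 except"]
TRUSTED_EXCEPT_WITH_ANY = ["0.0.0.0/0"] + TRUSTED_EXCEPT

if __name__ == "__main__":
    for a, r in evaluate(SOURCE_ADDRESS, ["172.16.1.2", "172.16.2.2", "10.1.2.3"]).items():
        print(a, "match" if r else "mismatch")
    probes = ["10.2.1.5", "203.0.113.9"]
    print("except only:  ", evaluate(TRUSTED_EXCEPT, probes))      # nothing matches
    print("with 0.0.0.0/0:", evaluate(TRUSTED_EXCEPT_WITH_ANY, probes))  # untrusted matches
```

Dropping the two ignored entries from SOURCE_ADDRESS changes no result, which is what "ignored" means in the text.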
When a firewall filter term includes the from address address match condition and a subsequent term includes the from source-address address match condition for the same address, packets might be processed by the latter term before they are evaluated by any intervening terms. As a result, packets that should be rejected by the intervening terms might be accepted instead, or packets that should be accepted might be rejected instead.
To prevent this from occurring, we recommend that you do the following. For every firewall filter term that contains the from address address match condition, replace that term with two separate terms: one that contains the from source-address address match condition, and another that contains the from destination-address address match condition.
Matching an Address Field to a Prefix List
You can define a list of IPv4 or IPv6 address prefixes for use in a routing policy statement or in a stateless firewall filter match condition that evaluates packet address fields.
To define a list of IPv4 or IPv6 address prefixes, include the prefix-list prefix-list statement.
prefix-list name {
    ip-addresses;
    apply-path path;
}
You can include the statement at the following hierarchy levels:
[edit policy-options]
[edit logical-systems logical-system-name policy-options]
After you have defined a prefix list, you can use it when specifying a firewall filter match condition based on an IPv4 or IPv6 address prefix.
[edit firewall family family-name filter filter-name term term-name]
from {
    source-prefix-list {
        prefix-lists;
    }
    destination-prefix-list {
        prefix-lists;
    }
}