Example: Using Firewall Filter Chains

This example shows the use of firewall filter chains. Firewall filters filter1, filter2, and filter3 are applied to interface ge-0/1/1.0 using the input-chain and output-chain configuration statements.

Requirements

Before you begin:

  • You should have an MX Series router with MPCs running Junos release 18.4R1 or later.

  • The router should be configured for the IP version 4 (IPv4) protocol (family inet), and the logical interface should be configured with an interface address. All other initial router configuration should be complete, with basic IPv4 connectivity between the devices confirmed.

  • The traffic you send should be compatible with the firewall filter rules so the rules you configure can match the test traffic you send.

Overview

This example shows how to chain multiple firewall filters for both ingress and egress so they can be applied to a given interface and evaluated in sequence. Each filter in the chain behaves exactly as it would if it were applied to the interface on its own. The filters are executed in the order in which they appear in the chain, from left to right.

Topology

In this example, you configure multiple firewall filters and then apply them in sequence by chaining them to a given interface. This example uses ge-0/1/1.0 configured with the IP address 172.16.1.1/30 for both the input and output chain. If a packet does not match any of the filters in the chain list, the packet is dropped.

Configuration

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.

CLI Quick Configuration

To quickly configure this example, copy the following commands into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit] hierarchy level. The filter names used here are filter1, filter2, and filter3, while the term names follow the pattern t1_f1 (term 1 of filter1), t2_f1 (term 2 of filter1), and so on.

Configure IPv4 Firewall Filters

Here we configure the firewall filters. Each has different match conditions and count actions. The first two filters have multiple terms with the non-terminating action of count, which means matching packets are passed on to the next filter in the chain, while the third has an action of accept. Packets that do not match any of the specified conditions are dropped by the implicit discard at the end of the chain.

Step-by-Step Procedure

To configure the firewall filters:

  1. Navigate the CLI to the hierarchy level at which you configure IPv4 firewall filters.

  2. Configure the first firewall filter to count TCP packets, or packets with a precedence of 7, before sending them on to the next filter in the chain.

  3. Configure the second firewall filter to count DSCP packets, or packets with a source port of 1020, before sending them on to the next filter in the chain.

  4. Configure the last firewall filter to count and accept packets with a destination address of 172.30.1.1/32, or a destination port of 5454.

  5. [Optional] Configure a policer to shape traffic flow.
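The five steps above, written out as an added example in Junos hierarchical configuration format so that it can carry comments; this is a reconstruction for illustration, not the page's own or Juniper's configuration listing. It assumes two terms per filter (one per match condition, since conditions inside a single term are ANDed), the counter names tcp_pkts, prec7_pkts, dscp0_pkts, sport1020_pkts, dst_pkts and dport_pkts, the policer name p_shape with its rate and burst values, and dscp 0 as the concrete value behind "DSCP packets" (the verification section sends DSCP 0). Load it with load merge terminal at the [edit] hierarchy level.

```junos
firewall {
    family inet {
        /* Step 2: filter1 counts TCP packets or precedence-7 packets.
           count alone is non-terminating, so matches continue to filter2. */
        filter filter1 {
            term t1_f1 {
                from {
                    protocol tcp;
                }
                then count tcp_pkts;
            }
            term t2_f1 {
                from {
                    precedence 7;
                }
                then count prec7_pkts;
            }
        }
        /* Step 3: filter2 counts DSCP 0 packets (assumed value) or
           packets from source port 1020, then hands off to filter3. */
        filter filter2 {
            term t1_f2 {
                from {
                    dscp 0;
                }
                then count dscp0_pkts;
            }
            term t2_f2 {
                from {
                    source-port 1020;
                }
                then count sport1020_pkts;
            }
        }
        /* Step 4: filter3 counts and accepts packets to 172.30.1.1/32 or
           to destination port 5454. accept is terminating; anything that
           reaches the end of filter3 unmatched hits the implicit discard. */
        filter filter3 {
            term t1_f3 {
                from {
                    destination-address {
                        172.30.1.1/32;
                    }
                }
                then {
                    count dst_pkts;
                    accept;
                }
            }
            term t2_f3 {
                from {
                    destination-port 5454;
                }
                then {
                    count dport_pkts;
                    accept;
                }
            }
        }
    }
    /* Step 5 (optional): a policer (name and limits are assumptions).
       It is defined but not yet referenced; attach it to a term with
       "then policer p_shape" to rate-limit that term's matches. */
    policer p_shape {
        if-exceeding {
            bandwidth-limit 10m;
            burst-size-limit 15k;
        }
        then discard;
    }
}
```

Because neither filter1 nor filter2 contains a terminating action, a packet that matches none of their terms simply falls through to the next filter; only filter3 decides whether the packet is finally accepted, and the end of the chain discards whatever is still unmatched, which is why the test traffic in the Verification section must match a filter3 term to get through.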

Apply the Chain of Input Filters

Here we attach the firewall filters to a given interface. The filters are executed in the order in which they appear in the chain, from left to right.

Step-by-Step Procedure

To assign the interface an IP address and apply the filter chain:

  1. Navigate to the interface we are using for the filters, ge-0/1/1.0.

  2. Assign an IPv4 address to the logical interface.

  3. Apply the filters as a list of input filters.
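The three steps above as an added example in Junos hierarchical configuration format (a reconstruction, not the page's own listing). It uses the interface ge-0/1/1.0 and the address 172.16.1.1/30 from the Topology section, and applies the same three filters with both input-chain and output-chain, as the example introduction states; applying the identical chain on egress is an assumption taken from that sentence, since the step list itself only mentions the input direction.

```junos
interfaces {
    ge-0/1/1 {
        /* Step 1: the logical unit the filters are attached to (ge-0/1/1.0). */
        unit 0 {
            family inet {
                filter {
                    /* Step 3: the chain is evaluated left to right:
                       filter1, then filter2, then filter3. */
                    input-chain [ filter1 filter2 filter3 ];
                    /* Egress chain, per the example introduction. */
                    output-chain [ filter1 filter2 filter3 ];
                }
                /* Step 2: IPv4 address of the logical interface. */
                address 172.16.1.1/30;
            }
        }
    }
}
```

After committing, show interfaces ge-0/1/1 in configuration mode should list both chains under family inet filter, and show firewall filter filter1 (and likewise for filter2 and filter3) in operational mode reports the per-counter packet and byte totals used in the Verification section; clear firewall all resets those counters before a test run.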

Confirm and Commit Your Candidate Configuration

Step-by-Step Procedure

To confirm and then commit your candidate configuration:

  1. Confirm the configuration of the firewall filters by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

  2. Confirm the configuration of the interface by entering the show interfaces configuration mode command.

  3. If you are done configuring the device, commit the configuration.

Verification

Confirm that the configuration works as expected, that is, that the matching traffic is evaluated by each of the filters filter1, filter2, and filter3, and that the expected action (count or accept) has been taken.

Send Traffic Through the Firewall Filters

Purpose

Send traffic from one device to the router you have configured to see whether matching packets are being evaluated by all relevant filters in the chain.

Action

To verify that input packets are evaluated by filter1, filter2, and filter3:

  1. From the remote host that is connected to ge-0/1/1.0, send a packet with a precedence of 7. The packet should be counted and then evaluated by filter2.

  2. From the remote host that is connected to ge-0/1/1.0, send a packet with a DSCP value of 0. The packet should be counted and then evaluated by filter3.

  3. From the remote host that is connected to ge-0/1/1.0, send a packet with a destination address of 172.30.1.1/32 and a destination port number of 5454. The packet should be counted and then accepted.

  4. To display counter information for the filters you configured, enter the show firewall filter filter-name operational mode command. The command output displays the number of bytes and packets that match filter terms associated with the counters.