Example: Configuring a Filter to Match on Two Unrelated Criteria
This example shows how to configure a standard stateless firewall filter to match on two unrelated criteria.
Requirements
No special configuration beyond device initialization is required before configuring this example.
Overview
In this example, you use a standard stateless firewall filter to match IPv4 packets that are either OSPF packets or packets that come from an address in the prefix 10.108/16, and send an administratively-prohibited ICMP message for all packets that do not match.
Configuration
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Use the CLI Editor in Configuration Mode.
To configure this example, perform the following tasks:
- CLI Quick Configuration
- Configuring the IPv4 Firewall Filter
- Applying the IPv4 Firewall Filter to a Logical Interface
CLI Quick Configuration
To quickly configure this example, copy the following configuration commands into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit] hierarchy level.
set firewall family inet filter ospf_or_131 term protocol_match from protocol ospf
set firewall family inet filter ospf_or_131 term address_match from source-address 10.108.0.0/16
set interfaces ge-0/0/1 unit 0 family inet address 10.1.2.3/30
set interfaces ge-0/0/1 unit 0 family inet filter input ospf_or_131
Configuring the IPv4 Firewall Filter
Step-by-Step Procedure
To configure the IPv4 firewall filter:
Enable configuration of the IPv4 firewall filter.
[edit]
user@host# edit firewall family inet filter ospf_or_131
Configure the first term to accept OSPF packets.
[edit firewall family inet filter ospf_or_131]
user@host# set term protocol_match from protocol ospf
Packets that match the condition are accepted by default. Because another term follows this term, packets that do not match this condition are evaluated by the next term.
Configure the second term to accept packets from any IPv4 address in a particular prefix.
[edit firewall family inet filter ospf_or_131]
user@host# set term address_match from source-address 10.108.0.0/16
Packets that match this condition are accepted by default. Because this is the last term in the filter, packets that do not match this condition are discarded by default.
Results
Confirm the configuration of the stateless firewall filter by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
[edit]
user@host# show firewall
family inet {
    filter ospf_or_131 {
        term protocol_match {
            from {
                protocol ospf;
            }
        }
        term address_match {
            from {
                source-address {
                    10.108.0.0/16;
                }
            }
        }
    }
}
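The term-by-term evaluation described in the steps above, as an added example that is not part of the original documentation: a Python model that parses the filter's set commands and runs constructed packets through the terms in order. The function names and packet dictionaries are assumptions of this example, and only the two match conditions used in this filter are modelled.

```python
import ipaddress

# The filter's set commands, using the term names from the step-by-step procedure.
CONFIG = """\
set firewall family inet filter ospf_or_131 term protocol_match from protocol ospf
set firewall family inet filter ospf_or_131 term address_match from source-address 10.108.0.0/16
"""

PROTOCOLS = {"ospf": 89, "tcp": 6, "udp": 17, "icmp": 1}  # IANA IP protocol numbers


def parse_terms(config, filter_name):
    """Return an ordered {term: [(condition, value), ...]} for one inet filter."""
    terms = {}
    prefix = ["set", "firewall", "family", "inet", "filter", filter_name, "term"]
    for line in config.splitlines():
        words = line.split()
        if words[:7] == prefix and len(words) == 11 and words[8] == "from":
            terms.setdefault(words[7], []).append((words[9], words[10]))
    return terms


def condition_matches(condition, value, packet):
    if condition == "protocol":
        return packet["protocol"] == PROTOCOLS[value]
    if condition == "source-address":
        return ipaddress.ip_address(packet["src"]) in ipaddress.ip_network(value)
    raise ValueError(f"condition not modelled: {condition}")


def evaluate(terms, packet):
    """First term whose conditions all match accepts; no match means discard."""
    for name, conditions in terms.items():
        if all(condition_matches(c, v, packet) for c, v in conditions):
            return ("accept", name)   # no 'then' statement: accepted by default
    return ("discard", None)          # fell past the last term: discarded by default


# Constructed sample packets (not captured traffic).
SAMPLES = [
    {"src": "192.0.2.7", "protocol": 89},     # OSPF from outside the prefix
    {"src": "10.108.44.1", "protocol": 6},    # TCP from inside the prefix
    {"src": "10.109.0.1", "protocol": 17},    # UDP from outside the prefix
]

if __name__ == "__main__":
    terms = parse_terms(CONFIG, "ospf_or_131")
    for pkt in SAMPLES:
        print(pkt, "->", evaluate(terms, pkt))
```

Because each criterion sits in its own term, a packet needs to satisfy only one of them; placing both conditions in a single term would require a packet to satisfy both.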
Applying the IPv4 Firewall Filter to a Logical Interface
Step-by-Step Procedure
To apply the stateless firewall filter to a logical interface:
Enable configuration of a logical interface.
[edit]
user@host# edit interfaces ge-0/0/1 unit 0 family inet
Configure an IP address for the logical interface.
[edit interfaces ge-0/0/1 unit 0 family inet]
user@host# set address 10.1.2.3/30
Apply the IPv4 firewall filter to the logical interface.
[edit interfaces ge-0/0/1 unit 0 family inet]
user@host# set filter input ospf_or_131
Results
Confirm the configuration of the interface by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
[edit]
user@host# show interfaces
ge-0/0/1 {
    unit 0 {
        family inet {
            filter {
                input ospf_or_131;
            }
            address 10.1.2.3/30;
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, enter the show firewall filter ospf_or_131 operational mode command.