Applying Firewall Filters to Interfaces
For a firewall filter to work, you must apply it to at least one Layer 3 interface. To do this, include the filter statement when configuring a logical interface at the [edit interfaces] hierarchy level:
[edit interfaces]
user@switch# set interface-name unit logical-unit-number family (inet | inet6) filter (input | output) filter-name
In the input statement, specify a firewall filter to be evaluated when packets are received on the interface. Input filters applied to a loopback interface affect only traffic destined for the Routing Engine.
In the output statement, specify a filter to be evaluated when packets exit the interface.
When you create a loopback interface, it is important to apply an ingress filter to it so the Routing Engine is protected. We recommend that when you apply a filter to the loopback interface lo0, you include the apply-groups statement. Doing so ensures that the filter is automatically inherited on every loopback interface, including lo0 and other loopback interfaces.
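
The loopback recommendation above, written out as set-style configuration. This is an added example, not taken from the original page or from Juniper's documentation. The names protect-re, mgmt-hosts, lo0-protect and re-denied, the addresses (documentation ranges), and the choice of a unit wildcard in the group are assumptions made for illustration.

```junos
# Constructed example: all names and addresses are placeholders.

# 1. Hosts allowed to reach the Routing Engine over SSH.
set policy-options prefix-list mgmt-hosts 192.0.2.0/24

# 2. Ingress filter: accept SSH from the management prefix, then count
#    and discard everything else addressed to the Routing Engine.
set firewall family inet filter protect-re term allow-ssh from source-prefix-list mgmt-hosts
set firewall family inet filter protect-re term allow-ssh from protocol tcp
set firewall family inet filter protect-re term allow-ssh from destination-port ssh
set firewall family inet filter protect-re term allow-ssh then accept
set firewall family inet filter protect-re term deny-rest then count re-denied
set firewall family inet filter protect-re term deny-rest then discard

# 3. Configuration group that attaches the filter as an input filter.
#    The <*> wildcard matches every lo0 unit that exists in the
#    configuration, so units added later inherit the filter as well.
set groups lo0-protect interfaces lo0 unit <*> family inet filter input protect-re
set apply-groups lo0-protect

# 4. A loopback unit with no filter statement of its own; it picks up
#    "filter input protect-re" from the group.
set interfaces lo0 unit 0 family inet address 198.51.100.1/32

# 5. Before committing, confirm the inherited filter statement appears
#    under each lo0 unit.
show interfaces lo0 | display inheritance
```

A production filter also needs accept terms for every routing and management protocol the switch itself uses, because the final term discards anything not matched earlier. Committing with commit confirmed lets the change roll back automatically if the filter cuts off your own management session.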