Applying Firewall Filters to Interfaces
For a firewall filter to work, you must apply it to at least
one Layer 3 interface. To do this, include the filter statement
when configuring a logical interface at the [edit interfaces] hierarchy level:
[edit interfaces] user@switch# set interface-name unit logical-unit-number family (inet | inet6) filter (input | output) filter-name
In the input statement, specify a firewall filter
to be evaluated when packets are received on the interface. Input
filters applied to a loopback interface affect only traffic destined
for the Routing Engine.
In the output statement, specify a filter to be evaluated
when packets exit the interface.
When you create a loopback interface, it is important
to apply an ingress filter to it so the Routing Engine is protected.
We recommend that when you apply a filter to the loopback interface lo0, you include the apply-groups statement. Doing
so ensures that the filter is automatically inherited on every loopback
interface, including lo0 and other loopback interfaces.