Firewall Filter Match Conditions and Actions (PTX Series Routers)
Each term in a firewall filter consists of match conditions and an action. Match conditions are the fields and values that a packet must contain to be considered a match. You can define one or more match conditions in a from statement, or omit the from statement altogether, in which case the term matches all packets.
Terms are evaluated in order, and the first term a packet matches decides its fate: the router takes the action specified in that term, or accepts the packet if the term has no then statement. A packet that matches no term at all is dropped by the implicit discard at the end of every filter, so a filter that lists only what to accept is deny-by-default. In addition, you can specify action modifiers to count, mirror, rate-limit, and classify packets.
On the PTX10003, you can apply multiple firewall filters to a single interface as a single input list or output list (filter input-list and filter output-list). In this way, you only manage the configuration for a filtering task in a single firewall filter, which gives you flexibility in large environments when a device is configured with many interfaces. You can do the same on the PTX10008, but that router only supports applying multiple firewall filters as an input-list.
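The following is an added example, not configuration from the page: a hygiene filter and a service-policy filter maintained separately and applied to one interface as an input-list. The filter names, interface, prefixes and ports are placeholders. The first filter deliberately contains only discard terms and no catch-all, so however the platform chains the list, anything the hygiene filter does not drop is evaluated by the policy filter, whose final term decides.

```junos
firewall {
    family inet {
        /* Filter 1: hygiene only. Discard-only terms and no catch-all,
           so anything it does not drop falls through to the next filter. */
        filter bogon-in {
            term private-src {
                from {
                    source-address {
                        10.0.0.0/8;
                        172.16.0.0/12;
                        192.168.0.0/16;
                    }
                }
                then {
                    count bogon-src;
                    discard;
                }
            }
            term own-src-spoof {
                from {
                    source-address {
                        /* placeholder: your own prefix arriving from outside */
                        192.0.2.0/24;
                    }
                }
                then {
                    count spoofed-own-src;
                    discard;
                }
            }
        }
        /* Filter 2: service policy, maintained separately from hygiene.
           Its final term is the only place a packet can be dropped by
           policy, which keeps the deny counter meaningful. */
        filter edge-policy-in {
            term web {
                from {
                    destination-address {
                        192.0.2.10/32;
                    }
                    protocol tcp;
                    destination-port [ http https ];
                }
                then accept;
            }
            term default-deny {
                then {
                    count edge-denied;
                    discard;
                }
            }
        }
    }
}
interfaces {
    et-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    /* evaluated in list order: hygiene first, then policy */
                    input-list [ bogon-in edge-policy-in ];
                }
            }
        }
    }
}
```

On a PTX10008 the same list can only be applied as input-list; an egress policy there has to be a single filter applied with output.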
Table 1 describes the match conditions you can specify when configuring a firewall filter. Some of the numeric range and bit-field match conditions allow you to specify a text synonym. To see a list of all the synonyms for a match condition, type ? at the appropriate place in a statement. Table 2 shows the actions and action modifiers that you can specify in a term.
Match Condition |
Description |
Supported Interfaces |
---|---|---|
|
Match the source or destination address field unless the
|
IPv4 (inet) interfaces and IPv6 (inet6) interfaces. |
|
Match the destination address field unless the
You cannot specify both |
IPv4 (inet) interfaces and IPv6 (inet6) interfaces. |
|
Match the UDP or TCP destination port field. You must also configure
the You cannot specify both the In place of the numeric value, you can specify one of the following
text synonyms (the port numbers are also listed):
|
IPv4 (inet) interfaces, and IPv6 (inet6) interfaces. |
|
Do not match the UDP or TCP destination port field. For details, see
the |
IPv4 (inet) interfaces, and IPv6 (inet6) interfaces. |
|
Match destination prefixes in a list unless the
|
IPv4 (inet) interfaces, and IPv6 (inet6) interfaces. |
|
Match the Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most-significant 6 bits of this byte form the DSCP. You can specify DSCP in hexadecimal, binary, or decimal form. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):
|
IPv4 (inet) and IPv6 (inet6) interfaces. |
|
Do not match on the DSCP number. For more information, see the
|
IPv4 (inet) and IPv6 (inet6) interfaces. |
|
Match if the packet is the first fragment of a fragmented packet.
Do not match if the packet is a trailing fragment of a fragmented
packet. The first fragment of a fragmented packet has a fragment
offset value of This match condition is an alias for the bit-field match condition
To match both first and trailing fragments, you can use two terms
that specify different match conditions:
|
IPv4 (inet) interfaces. |
|
Classify the packet in one of the following default forwarding classes, or in a user-defined forwarding class:
|
IPv4 (inet), IPv6 (inet6), and MPLS interfaces. |
|
Do not match the forwarding class of the packet. For details, see the
|
IPv4 (inet), IPv6 (inet6), and MPLS interfaces. |
|
Match the three-bit IP fragmentation flags field in the IP header. In place of the numeric field value, you can specify one of the
following keywords (the field values are also listed):
|
IPv4 (inet) interfaces. |
|
Match the 13-bit fragment offset field in the IP header. The value is
the offset, in 8-byte units, in the overall datagram message to the
data fragment. Specify a numeric value, a range of values, or a set
of values. An offset value of The To match both first and trailing fragments, you can use two terms
that specify different match conditions
( |
IPv4 (inet) interfaces. |
|
Do not match the 13-bit fragment offset field. |
IPv4 (inet) interfaces. |
|
Match the ICMP message code field. If you configure this match condition, we recommend that you also
configure the If you configure this match condition, you must also configure the
In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed). The keywords are grouped by the ICMP type with which they are associated:
|
IPv4 (inet) and IPv6 (inet6) interfaces. |
|
Do not match the ICMP message code field. For details, see the
|
IPv4 (inet) and IPv6 (inet6) interfaces. |
|
Match the ICMP message type field. You must also configure
In place of the numeric value, you can specify one of the following
text synonyms (the field values are also listed):
See also |
IPv4 (inet) and IPv6 (inet6) interfaces. |
|
Do not match the ICMP message type field. For details, see the
|
IPv4 (inet) and IPv6 (inet6) interfaces. |
|
For ingress filters, match the interface on which the packet was received. For egress filters, match the interface on which the packet was sent. Note:
PTX5000 series routers do not support attaching the
```junos
firewall {
    filter core-protect {
        term Telnet {
            from {
                protocol tcp;
                destination-port telnet;
                interface em0.0;
            }
            then accept;
        }
    }
}
```
|
IPv4 (inet) interfaces, and IPv6 (inet6) interfaces. |
|
Do not match the logical interface on which the packet was received.
For details, see the |
IPv4 (inet) interfaces, and IPv6 (inet6) interfaces. |
|
Match if the packet is a trailing fragment of a fragmented packet. Do not match the first fragment of a fragmented packet. Note:
To match both first and trailing fragments, you can use two terms
that specify different match conditions
( For PTX10003 routers running Junos OS Evolved, all fragmented packets including the first fragment of fragmented packets will match on any firewall filter term containing an "is-fragment" match. |
IPv4 (inet) interfaces. |
|
Match the packet loss priority (PLP). Specify a single level or multiple levels: Note:
The |
IPv4 (inet), IPv6 (inet6), and MPLS interfaces. |
|
Do not match the PLP level. For details, see the
|
IPv4 (inet), IPv6 (inet6), and MPLS interfaces. |
|
Match the first 8-bit next header field in the packet. In place of the numeric value, you can specify one of the following
text synonyms (the field values are also listed):
|
IPv6 (inet6) interfaces. |
|
Do not match the 8-bit Next Header field that identifies the type of
header between the IPv6 header and payload. For details, see the
|
IPv6 (inet6) interfaces |
|
Match the length of the received packet, in bytes. The length refers only to the IP packet, including the packet header, and does not include any Layer 2 encapsulation overhead. You can also specify a range of values to be matched. |
IPv4 (inet), and IPv6 (inet6) interfaces. |
|
Do not match the length of the received packet, in bytes. For
details, see the |
IPv4 (inet), and IPv6 (inet6) interfaces. |
|
Match the UDP or TCP source or destination port field. You must also
configure the You cannot configure the In place of the numeric value, you can specify one of the text
synonyms listed under |
IPv4 (inet), and IPv6 (inet6) interfaces. |
|
Do not match either the source or destination UDP or TCP port field.
For details, see the |
IPv4 (inet), and IPv6 (inet6) interfaces. |
|
Match the IP precedence field. In place of the numeric field value, you can specify one of the
following text synonyms (the field values are also listed):
|
IPv4 (inet) interfaces. |
|
Do not match the IP precedence field. |
IPv4 (inet) interfaces. |
|
Match the IPv4 protocol type field. In place of the numeric value, you can specify one of the following text synonyms (the numeric values are also listed):
|
IPv4 (inet) interfaces. |
|
Do not match the IP protocol type field. In place of the numeric
value, you can specify one of the following text synonyms (the field
values are also listed): |
IPv4 (inet) interfaces. |
|
IP source address field, which is the address of the node that sent the packet. |
IPv4 (inet) interfaces and IPv6 (inet6) interfaces. |
|
Match the IP address of the source node sending the packet unless the
You cannot specify both the |
IPv4 (inet) interfaces and IPv6 (inet6) interfaces. |
|
Match the TCP or UDP source port. You must also configure the
In place of the numeric value, you can specify one of the text
synonyms listed with the |
IPv4 (inet) interfaces and IPv6 (inet6) interfaces. |
|
Do not match the UDP or TCP source port field. For details, see the
|
IPv4 (inet) interfaces and IPv6 (inet6) interfaces. |
|
IP source prefix list. You can define a list of IP address prefixes
under a prefix-list alias for frequent use. Define this list at the
|
IPv4 (inet) interfaces and IPv6 (inet6) interfaces. |
|
Match one or more of the low-order 6 bits in the 8-bit TCP flags field in the TCP header. To specify individual bit fields, you can specify the following text synonyms or hexadecimal values:
In a TCP session, the SYN flag is set only in the initial packet sent, while the ACK flag is set in all packets sent after the initial packet. You can string together multiple flags using the bit-field logical operators. If you configure this match condition, we recommend that you also
configure the For IPv4 traffic only, this match condition does not implicitly check
whether the datagram contains the first fragment of a fragmented
packet. To check for this condition for IPv4 traffic only, use the
|
IPv4 (inet) interfaces and IPv6 (inet6) interfaces. |
|
8-bit field that specifies the class-of-service (CoS) priority of the packet. The traffic-class field carries the Differentiated Services code point (DSCP); it corresponds to the type-of-service (ToS) byte in IPv4, and its semantics (for example, DSCP) are identical to those of IPv4. You can specify one of the following text synonyms (the field values are also listed):
|
IPv6 (inet6) interfaces. |
|
Do not match the 8-bit field that specifies the CoS priority of the
packet. For details, see the |
IPv6 (inet6) interfaces. |
|
Match the IPv4 or IPv6 time-to-live number. Specify a TTL value or a
range of TTL values. For |
IPv4 (inet) and IPv6 (inet6) interfaces. |
|
Do not match on the IPv4 or IPv6 TTL number. For details, see the
|
IPv4 (inet) and IPv6 (inet6) interfaces. |
|
Specify a numeric value or range of numeric values for the VNI. Apply the filter on the ingress interface.
Note:
Starting with Junos OS Evolved Release 23.4R2, you can filter
|
IPv4 (inet) interfaces. |
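As an added example that is not from the page: a loopback (control-plane) filter that exercises several of the match conditions above. It uses standard Junos keywords (first-fragment, is-fragment, source-prefix-list, protocol, port, destination-port, ttl, icmp-type, policer); the peer and management prefixes, counter names and rates are placeholders. The two fragment terms follow the table's advice to match first and trailing fragments with separate terms; on a PTX10003 running Junos OS Evolved the is-fragment term alone already catches first fragments, which for a drop-all-fragments policy is harmless. The ttl 255 condition is only correct if the BGP peers send with TTL 255 (GTSM, RFC 5082); drop it otherwise.

```junos
policy-options {
    prefix-list bgp-peers {
        192.0.2.1/32;
        192.0.2.2/32;
    }
    prefix-list mgmt-hosts {
        198.51.100.0/24;
    }
}
firewall {
    /* two-colour policers: traffic above the rate is discarded */
    policer ssh-limit {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    policer icmp-limit {
        if-exceeding {
            bandwidth-limit 500k;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        filter protect-re {
            /* Only the first fragment carries the L4 header, so port and
               tcp-flags terms cannot be trusted on fragments. The RE never
               needs fragmented traffic: drop first and trailing fragments. */
            term first-fragments {
                from {
                    first-fragment;
                }
                then {
                    count re-first-fragment;
                    discard;
                }
            }
            term trailing-fragments {
                from {
                    is-fragment;
                }
                then {
                    count re-trailing-fragment;
                    discard;
                }
            }
            /* BGP from known peers only. port matches either source or
               destination 179, so both session directions are covered.
               ttl 255 assumes the peers use GTSM. */
            term bgp {
                from {
                    source-prefix-list {
                        bgp-peers;
                    }
                    protocol tcp;
                    ttl 255;
                    port bgp;
                }
                then accept;
            }
            /* SSH from management only, rate-limited so a scan or
               brute-force attempt cannot starve the RE. */
            term ssh {
                from {
                    source-prefix-list {
                        mgmt-hosts;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    policer ssh-limit;
                    count re-ssh;
                    accept;
                }
            }
            /* Only the ICMP types the RE needs, with a rate limit. */
            term icmp {
                from {
                    protocol icmp;
                    icmp-type [ echo-request echo-reply unreachable time-exceeded ];
                }
                then {
                    policer icmp-limit;
                    count re-icmp;
                    accept;
                }
            }
            /* The implicit discard would drop the rest anyway; an explicit
               final term makes the drops countable and loggable. */
            term default-deny {
                then {
                    count re-denied;
                    log;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

After committing, the counters are visible with show firewall filter protect-re; a rising re-denied counter with nothing expected behind it is the first thing to look at.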
Use then statements to define actions that should occur if a packet matches all conditions in a from statement. Table 2 shows the actions that you can specify in a term. (If you do not include a then statement, the system accepts packets that match the term.)
Action |
Description |
---|---|
|
Accept a packet. This is the default action for packets that match a term. |
|
Discard a packet silently without sending an Internet Control Message Protocol (ICMP) message. |
|
Count the number of packets that match the term. |
|
Classify the packet in one of the following default forwarding classes, or in a user-defined forwarding class:
Note:
The |
|
Log the packet's header information in the Routing Engine. To view this information,
enter the Note:
The |
|
Set the packet loss priority (PLP). |
|
Send packets to a policer (for the purpose of applying rate limiting). The PTX10003 supports two-color, single-rate three-color (srTCM), and two-rate three-color marker (trTCM) policers. Note:
The |
|
(Supported on PTX10004, PTX10008, and PTX10016 devices running Junos OS Evolved Release 22.1R1 only.) Send packets to the P4 controller, as specified in the instance defined at the [services inline-monitoring instance instance-name controller p4] level of the Junos hierarchy. |
|
Discard a packet and send a “destination unreachable” ICMPv4 (type 3) or ICMPv6 (type 1)
message. To log rejected packets, configure the You can specify one of the following message types: Note:
The If you do not specify a message type, the ICMP notification “destination unreachable” is sent with the default message “communication administratively filtered” (ICMPv4 type 3 code 13, or ICMPv6 type 1 code 1, administratively prohibited). Because reject generates a reply for every rejected packet and confirms to the sender that a filter is in place, reserve it for trusted, internal-facing terms where a fast failure is wanted; on untrusted edges use discard, which is silent. |
|
Log an alert for this packet. |
|
Forward matched packets to a virtual routing instance. Packets can be forwarded to the default instance. Supported on |
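An added example, not the page's own configuration, showing the actions and modifiers above working together on a customer-facing interface: forwarding-class and loss-priority set as a pair, a two-rate three-color policer (the PTX10003 supports srTCM and trTCM per the table), reject with an explicit message type, and discard. The keywords are standard Junos; the prefix, rates, interface and names are placeholders. reject is used only for the customer's own blocked traffic, where an immediate administratively-prohibited reply is a service to the client; everything else that is dropped is discarded silently.

```junos
firewall {
    /* trTCM: green up to CIR, yellow up to PIR, red above PIR.
       Red packets are discarded; yellow ones keep flowing but are marked
       with high loss priority so they drop first under congestion. */
    three-color-policer customer-trtcm {
        two-rate {
            color-blind;
            committed-information-rate 100m;
            committed-burst-size 64k;
            peak-information-rate 200m;
            peak-burst-size 128k;
        }
        action {
            loss-priority high then discard;
        }
    }
    family inet {
        filter customer-in {
            /* Trust EF only from the customer's voice gateway (placeholder
               address). EF from anywhere else falls through to term rest. */
            term voice {
                from {
                    source-address {
                        203.0.113.10/32;
                    }
                    protocol udp;
                    dscp ef;
                }
                then {
                    forwarding-class expedited-forwarding;
                    loss-priority low;
                    accept;
                }
            }
            /* Outbound SMTP is blocked by contract: reject so the client
               fails immediately instead of retrying into a black hole.
               count and log keep the rejections auditable. */
            term block-smtp {
                from {
                    protocol tcp;
                    destination-port smtp;
                }
                then {
                    count customer-smtp-rejected;
                    log;
                    reject administratively-prohibited;
                }
            }
            /* Everything else is policed to the contracted rate. The
               policer sets loss priority by colour; no marking modifiers
               are added in this term so the two do not compete. */
            term rest {
                then {
                    three-color-policer {
                        two-rate customer-trtcm;
                    }
                    count customer-policed;
                    accept;
                }
            }
        }
    }
}
interfaces {
    et-0/0/2 {
        unit 100 {
            family inet {
                filter {
                    input customer-in;
                }
            }
        }
    }
}
```

Note that the voice term trusts a DSCP value set by the customer; if the gateway address can be spoofed from the customer side, the EF class is open to abuse, which is why the match is pinned to a single source and a single protocol.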
IPv6 Firewall Filter Match Conditions and Actions (PTX10001-20C)
This topic describes the IPv6 firewall filter match conditions, actions, and action modifiers for PTX10001-20C routers.
Each term in a firewall filter consists of match conditions and an action. Match conditions are the fields and values that a packet must contain to be considered a match. You can define one or more match conditions in a from statement, or omit the from statement altogether, in which case the term matches all packets.
Terms are evaluated in order, and the first term a packet matches decides its fate: the router takes the action specified in that term, or accepts the packet if the term has no then statement. A packet that matches no term at all is dropped by the implicit discard at the end of every filter. You can also specify action modifiers to count, mirror, and classify packets.
On PTX10001-20C routers, you can only apply a firewall filter on IPv6 interfaces in the ingress direction.
Table 3 describes the supported match conditions.
Table 4 shows the actions that you can specify in a term. If you don’t include a then statement, the system accepts packets that match the term. Table 5 shows the action modifiers you can use to count, mirror, rate-limit, and classify packets.
Match Condition |
Description |
|
---|---|---|
|
Match the IPv6 source or destination address field
unless the |
|
|
Specify which groups to inherit configuration data from. You can specify more than one group name. You must list them in order of inheritance priority. The configuration data in the first group takes priority over the data in subsequent groups. |
|
|
Specify which groups not to inherit configuration data from. You can specify more than one group name. |
|
|
Match the IPv6 destination address field unless
the You cannot specify both the |
|
|
Match the UDP or TCP destination port field. You cannot specify both the If you configure this match condition, we recommend that you also configure the In place of the numeric value, you can specify one of the following text synonyms (the
port numbers are also listed): |
|
|
Do not match the UDP or TCP destination port field.
For details, see the |
|
|
Match the IPv6 destination prefix to the specified
list unless the The prefix list is defined at the |
|
|
Match the ICMP message code field. If you configure this match condition, we recommend that you also configure the An ICMP message code provides more specific information than an ICMP message type, but the meaning of an ICMP message code is dependent on the associated ICMP message type. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed). The keywords are grouped by the ICMP type with which they are associated:
|
|
|
Do not match the ICMP message code field. For details,
see the |
|
|
Match the ICMP message type field. You must also configure In place of the numeric value, you can specify one of the following text synonyms (the
field values are also listed): For |
|
|
Do not match the ICMP message type field. For details,
see the |
|
|
Continue to the next term in a filter. |
|
|
Match the first 8-bit Next Header field in the packet. In place of the numeric value, you can specify one of the following text synonyms (the
field values are also listed): Note:
|
|
|
Do not match the 8-bit Next Header field that identifies
the type of header between the IPv6 header and payload. For details, see the |
|
|
Match the UDP or TCP source or destination port field. If you configure this match condition, you cannot configure the If you configure this match condition, we recommend that you also configure the In place of the numeric value, you can specify one of the text synonyms listed under |
|
|
Do not match the UDP or TCP source or destination
port field. For details, see the |
|
|
Port-mirror the packet. |
|
|
Port mirror a packet for an instance. |
|
|
Match the prefixes of the source or destination
address fields to the prefixes in the specified list unless the The prefix list is defined at the |
|
|
Sample the packet. |
|
|
Match the IPv6 address of the source node sending
the packet unless the You cannot specify both the |
|
|
Match the UDP or TCP source port field. You cannot specify the If you configure this match condition, we recommend that you also configure the Note:
For Junos OS Evolved, you must configure the In place of the numeric value, you can specify one of the text synonyms listed with
the |
|
|
Do not match the UDP or TCP source port
field. For details, see the |
|
|
Match the IPv6 address prefix of the packet source
field unless the Specify a prefix list name defined at the |
If you specify an IPv6 address in a match condition (the address, destination-address, or source-address match conditions), use the syntax for text representations described in RFC 4291, IP Version 6 Addressing Architecture. For more information about IPv6 addresses, see IPv6 Overview and Supported IPv6 Standards.
Action |
Description |
---|---|
|
Accept a packet. This is the default action for packets that match a term. |
|
Discard a packet silently without sending an Internet Control Message Protocol (ICMP) message. |
|
(Supported on PTX10004, PTX10008, and PTX10016 devices running Junos OS Evolved Release 22.1R1 only.) Send packets to the P4 controller, as specified in the instance defined at the [services inline-monitoring instance instance-name controller p4] level of the Junos hierarchy. |
Action Modifier |
Description |
---|---|
|
Count the number of packets that match the term. |
|
Classify the packet in one of the following default forwarding classes, or in a user-defined forwarding class:
Note:
To configure a forwarding class, you must also configure loss priority. |
|
Set the packet loss priority (PLP). |
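As an added example (not from the page): an ingress IPv6 filter of the kind the PTX10001-20C supports, using next-header, icmp-type, destination-port and source-prefix-list from Table 3 with count, accept and discard from Tables 4 and 5. The keywords are standard Junos; the prefix, interface and counter names are placeholders, and next-header is given in every port term because the note above says Junos OS Evolved requires it alongside a port match. The security point is in the first term: next-header matches only the first Next Header value after the fixed IPv6 header, so a TCP segment behind a Fragment (44) or Destination Options (60) extension header never matches a next-header tcp term. A filter that only enumerates tcp, udp and icmp6 therefore lets extension-header traffic fall through to whatever the last term does, and that case has to be decided explicitly. Dropping all fragment headers, as here, is a policy choice that also breaks large UDP replies such as DNSSEC; narrow it to the addresses that need protection if that matters.

```junos
policy-options {
    prefix-list v6-mgmt {
        2001:db8:1::/64;
    }
}
firewall {
    family inet6 {
        filter v6-edge-in {
            /* Extension-header evasion: decide about the Fragment header
               before any next-header tcp/udp term, because those terms
               cannot see through it. */
            term drop-fragment-header {
                from {
                    next-header fragment;
                }
                then {
                    count v6-fragment;
                    discard;
                }
            }
            /* Neighbour discovery and PMTUD must survive, or IPv6 on the
               link stops working. No router-advertisement from outside. */
            term nd-and-pmtud {
                from {
                    next-header icmp6;
                    icmp-type [ neighbor-solicit neighbor-advertisement packet-too-big echo-request echo-reply ];
                }
                then accept;
            }
            /* SSH only from the management prefix. */
            term ssh-from-mgmt {
                from {
                    source-prefix-list {
                        v6-mgmt;
                    }
                    next-header tcp;
                    destination-port ssh;
                }
                then {
                    count v6-ssh;
                    accept;
                }
            }
            /* Anything else, including packets whose first Next Header is
               hop-by-hop, routing or destination options, ends here. */
            term default-deny {
                then {
                    count v6-edge-denied;
                    discard;
                }
            }
        }
    }
}
interfaces {
    et-0/0/1 {
        unit 0 {
            family inet6 {
                filter {
                    /* PTX10001-20C: IPv6 filters are ingress only */
                    input v6-edge-in;
                }
            }
        }
    }
}
```

If the platform's next-header match is ever swapped for a last-header match on another Junos device, the fragment term changes meaning; keep the two concepts apart when porting this filter.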