
Firewall Filter Match Conditions and Actions in ACX Series Routers (Junos OS Evolved)

Supported Firewall Filter Match Conditions and Actions in the Ingress and Egress Directions on ACX Series Routers running Junos OS Evolved

Each term in a firewall filter consists of match conditions and an action. Match conditions are the fields and values that a packet must contain to be considered a match. You can define single or multiple match conditions in match statements. You can also include no match statement, in which case the term matches all packets.

When a packet matches a filter, a switch takes the action specified in the term. In addition, you can specify action modifiers to count, mirror, rate-limit, and classify packets. If no match conditions are specified for the term, the switch accepts the packet by default. See Table 1 and Table 2.

Table 1: Supported Firewall Filter Match Conditions in the Ingress and Egress Directions on ACX Series Routers running Junos OS Evolved

Columns: Match Condition; Description; Ingress; Egress; Firewall Filter Families (Ingress); Firewall Filter Families (Egress). Each entry below gives these six values for one match condition.

Match condition: destination-address or ip-destination-address
Description: IPv4 address that is the final destination node address for the packet. Use ip-destination-address for the Ethernet-Switching and CCC families.
Ingress: Yes. Egress: Yes.
Filter families (ingress): IPv4, IPv6, Ethernet-Switching, and CCC. Filter families (egress): IPv4 and IPv6.

Match condition: source-address or ip-source-address
Description: IPv4 address of the source node sending the packet. Use ip-source-address for the Ethernet-Switching and CCC families.
Ingress: Yes. Egress: Yes.
Filter families (ingress): IPv4, IPv6, Ethernet-Switching, and CCC. Filter families (egress): IPv4.

Match condition: destination-prefix-list
Description: IP destination prefix list field. You can define a list of IP address prefixes under a prefix-list alias for frequent use. Define this list at the [edit policy-options] hierarchy level.
Ingress: Yes. Egress: Yes.
Filter families (ingress): IPv4, IPv6, and Ethernet-Switching. Filter families (egress): IPv4 and IPv6.

Match condition: source-prefix-list
Description: IP source prefix list. You can define a list of IP address prefixes under a prefix-list alias for frequent use. Define this list at the [edit policy-options] hierarchy level.
Ingress: Yes. Egress: Yes.
Filter families (ingress): IPv4, IPv6, and Ethernet-Switching. Filter families (egress): IPv4.

Match condition: destination-port
Description: TCP or UDP destination port field. Typically, you specify this match in conjunction with the protocol match statement. For the following well-known ports you can specify text synonyms (the port numbers are also listed):
  afs (1483), bgp (179), biff (512), bootpc (68), bootps (67),
  cmd (514), cvspserver (2401),
  dhcp (67), domain (53),
  eklogin (2105), ekshell (2106), exec (512),
  finger (79), ftp (21), ftp-data (20),
  http (80), https (443),
  ident (113), imap (143),
  kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544),
  ldap (389), login (513),
  mobileip-agent (434), mobilip-mn (435), msdp (639),
  netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123),
  pop3 (110), pptp (1723), printer (515),
  radacct (1813), radius (1812), rip (520), rkinit (2108),
  smtp (25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514),
  tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525),
  who (513),
  xdmcp (177),
  zephyr-clt (2103), zephyr-hm (2104)
Ingress: Yes. Egress: Yes.
Filter families (ingress): IPv4, IPv6, Ethernet-Switching, and CCC. Filter families (egress): IPv4, IPv6, Ethernet-Switching, and CCC.

Match condition: source-port
Description: TCP or UDP source port. Typically, you specify this match in conjunction with the protocol match statement. In place of the numeric field, you can specify one of the text synonyms listed under destination-port.
Ingress: Yes. Egress: Yes.
Filter families (ingress): IPv4, IPv6, Ethernet-Switching, and CCC. Filter families (egress): IPv4, IPv6, Ethernet-Switching, and CCC.

Match condition: protocol or ip-protocol
Description: IP protocol field. Use ip-protocol for the Ethernet-Switching and CCC families.
Ingress: Yes. Egress: Yes.
Filter families (ingress): IPv4, Ethernet-Switching, and CCC. Filter families (egress): IPv4, Ethernet-Switching, and CCC.

Match condition: first-fragment
Description: Match if the packet is the first fragment of a fragmented packet. The packet is not matched if it is a trailing fragment of a fragmented packet. The first fragment of a fragmented packet has a fragment offset value of 0. This match condition is an alias for the bit-field match condition fragment-offset 0. To match both first and trailing fragments, you can use two terms that specify different match conditions: first-fragment and is-fragment.
Ingress: Yes. Egress: No.
Filter families (ingress): IPv4. Filter families (egress): NA.

Match condition: icmp-code
Description: ICMP code field. Because the meaning of the value depends upon the associated icmp-type, you must specify a value for icmp-type along with a value for icmp-code. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed). The keywords are grouped by the ICMP type with which they are associated:
  • IPv4: parameter-problem—ip-header-bad (0), required-option-missing (1)
  • IPv6: parameter-problem—ip6-header-bad (0), unrecognized-next-header (1), unrecognized-option (2)
  • redirect—redirect-for-network (0), redirect-for-host (1), redirect-for-tos-and-net (2), redirect-for-tos-and-host (3)
  • time-exceeded—ttl-eq-zero-during-reassembly (1), ttl-eq-zero-during-transit (0)
  • IPv4: unreachable—network-unreachable (0), host-unreachable (1), protocol-unreachable (2), port-unreachable (3), fragmentation-needed (4), source-route-failed (5), destination-network-unknown (6), destination-host-unknown (7), source-host-isolated (8), destination-network-prohibited (9), destination-host-prohibited (10), network-unreachable-for-TOS (11), host-unreachable-for-TOS (12), communication-prohibited-by-filtering (13), host-precedence-violation (14), precedence-cutoff-in-effect (15)
  • IPv6: unreachable—address-unreachable (3), administratively-prohibited (1), no-route-to-destination (0), port-unreachable (4)
Ingress: Yes. Egress: Yes.
Filter families (ingress): IPv4, IPv6, Ethernet-Switching, and CCC. Filter families (egress): IPv4, IPv6, Ethernet-Switching, and CCC.

Match condition: icmp-type
Description: ICMP message type field. Typically, you specify this match in conjunction with the protocol match statement to determine which protocol is being used on the port. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):
  • IPv4: echo-reply (0), destination-unreachable (3), source-quench (4), redirect (5), echo-request (8), router-advertisement (9), router-solicit (10), time-exceeded (11), parameter-problem (12), timestamp (13), timestamp-reply (14), info-request (15), info-reply (16), mask-request (17), mask-reply (18)
  • IPv6: destination-unreachable (1), packet-too-big (2), time-exceeded (3), parameter-problem (4), echo-request (128), echo-reply (129), membership-query (130), membership-report (131), membership-termination (132), router-solicit (133), router-advertisement (134), neighbor-solicit (135), neighbor-advertisement (136), redirect (137), router-renumbering (138), node-information-request (139), node-information-reply (140)
  See also the icmp-code match condition.
Ingress: Yes. Egress: Yes.
Filter families (ingress): IPv4, IPv6, Ethernet-Switching, and CCC. Filter families (egress): IPv4, IPv6, Ethernet-Switching, and CCC.

Match condition: ip-options
Description: Specify any to create a match if anything is specified in the options field in the IP header.
Ingress: Yes. Egress: No.
Filter families (ingress): IPv4. Filter families (egress): NA.

Match condition: precedence or ip-precedence
Description: IP precedence field. In place of the numeric field value, you can specify one of the following text synonyms (the field values are also listed): critical-ecp (0xa0), flash (0x60), flash-override (0x80), immediate (0x40), internet-control (0xc0), net-control (0xe0), priority (0x20), or routine (0x00). Use ip-precedence for the Ethernet-Switching and CCC families.
Ingress: Yes. Egress: No.
Filter families (ingress): IPv4, Ethernet-Switching, and CCC. Filter families (egress): NA.

Match condition: is-fragment
Description: Using this condition causes a match if the More Fragments flag is enabled in the IP header or if the fragment offset is not zero.
Ingress: Yes. Egress: No.
Filter families (ingress): IPv4. Filter families (egress): NA.

Match condition: tcp-established
Description: Matches packets of an established TCP three-way handshake connection (SYN, SYN-ACK, ACK). The only packet not matched is the first packet of the handshake, since only the SYN bit is set. For this packet, you must specify tcp-initial as the match condition. When you specify tcp-established, the switch does not implicitly verify that the protocol is TCP. You must also specify the protocol tcp match condition.
Ingress: Yes. Egress: Yes.
Filter families (ingress): IPv4 and IPv6. Filter families (egress): IPv4 and IPv6.

Match condition: tcp-flags
Description: One or more TCP flags:
  • ack (0x10)
  • fin (0x01)
  • push (0x08)
  • rst (0x04)
  • syn (0x02)
  • urgent (0x20)
Ingress: Yes. Egress: No.
Filter families (ingress): IPv4 and IPv6. Filter families (egress): NA.

Match condition: tcp-initial
Description: Match the first TCP packet of a connection. A match occurs when the TCP flag SYN is set and the TCP flag ACK is not set. When you specify tcp-initial, a switch does not implicitly verify that the protocol is TCP. You must also specify the protocol tcp match condition.
Ingress: Yes. Egress: No.
Filter families (ingress): IPv4 and IPv6. Filter families (egress): NA.

Match condition: ttl
Description: IP Time-to-live (TTL) field in decimal. The value can be 1 through 255.
Ingress: Yes. Egress: Yes.
Filter families (ingress): IPv4. Filter families (egress): IPv4.

Match condition: destination-mac-address
Description: Destination MAC address of the packet.
Ingress: Yes. Egress: Yes.
Filter families (ingress): Ethernet-Switching and CCC. Filter families (egress): Ethernet-Switching and CCC.

Match condition: source-mac-address
Description: Source media access control (MAC) address of the packet.
Ingress: Yes. Egress: Yes.
Filter families (ingress): Ethernet-Switching and CCC. Filter families (egress): Ethernet-Switching and CCC.

Match condition: dscp
Description: Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most-significant 6 bits of this byte form the DSCP. You can specify DSCP in hexadecimal, binary, or decimal form. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):
  • be—best effort (default)
  • ef (46)—as defined in RFC 3246, An Expedited Forwarding PHB.
  • af11 (10), af12 (12), af13 (14); af21 (18), af22 (20), af23 (22); af31 (26), af32 (28), af33 (30); af41 (34), af42 (36), af43 (38). These four classes, with three drop precedences in each class, for a total of 12 code points, are defined in RFC 2597, Assured Forwarding PHB.
  • cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7
Ingress: Yes. Egress: Yes.
Filter families (ingress): IPv4, Ethernet-Switching, and CCC. Filter families (egress): IPv4, Ethernet-Switching, and CCC.

Match condition: ether-type
Description: Ethernet type field of a packet. The EtherType value specifies what protocol is being transported in the Ethernet frame. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):
  • aarp (0x80F3)—EtherType value AARP
  • appletalk (0x809B)—EtherType value AppleTalk
  • arp (0x0806)—EtherType value ARP
  • fcoe (0x8906)—EtherType value FCoE
  • fip (0x8914)—EtherType value FIP
  • ipv4 (0x0800)—EtherType value IPv4
  • ipv6 (0x08DD)—EtherType value IPv6
  • mpls-multicast (0x8848)—EtherType value MPLS multicast
  • mpls-unicast (0x8847)—EtherType value MPLS unicast
  • oam (0x88A8)—EtherType value OAM
  • ppp (0x880B)—EtherType value PPP
  • pppoe-discovery (0x8863)—EtherType value PPPoE Discovery Stage
  • pppoe-session (0x8864)—EtherType value PPPoE Session Stage
  • sna (0x80D5)—EtherType value SNA
Ingress: Yes. Egress: Yes.
Filter families (ingress): Ethernet-Switching and CCC. Filter families (egress): Ethernet-Switching and CCC.

Match condition: learn-vlan-1p-priority
Description: Match on the IEEE 802.1p learned VLAN priority bits in the provider VLAN tag (the only tag in a single-tag frame with 802.1Q VLAN tags, or the outer tag in a dual-tag frame with 802.1Q VLAN tags). Specify a single value or multiple values from 0 through 7.
Ingress: Yes. Egress: Yes.
Filter families (ingress): Ethernet-Switching and CCC. Filter families (egress): Ethernet-Switching and CCC.

Match condition: user-vlan-1p-priority
Description: Matches the specified 802.1p VLAN priority in the range 0 through 7.
Ingress: Yes. Egress: Yes.
Filter families (ingress): Ethernet-Switching and CCC. Filter families (egress): Ethernet-Switching and CCC.

Match condition: exp
Description: Match on MPLS EXP bits.
Ingress: Yes. Egress: No.
Filter families (ingress): MPLS. Filter families (egress): NA.

Match condition: label
Description: Match on MPLS label bits.
Ingress: Yes. Egress: No.
Filter families (ingress): MPLS. Filter families (egress): NA.

Match condition: traffic-class
Description: 8-bit field that specifies the class-of-service (CoS) priority of the packet. The traffic-class field is used to specify a DiffServ code point (DSCP) value. This field was previously used as the type-of-service (ToS) field in IPv4, and the semantics of this field (for example, DSCP) are identical to those of IPv4. You can specify one of the following text synonyms (the field values are also listed):
  af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs0 (0), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), ef (46)
Ingress: Yes. Egress: Yes.
Filter families (ingress): IPv6. Filter families (egress): IPv6.

Match condition: hop-limit
Description: Match the specified hop limit or set of hop limits. Specify a single value or a range of values from 0 through 255.
Ingress: Yes. Egress: Yes.
Filter families (ingress): IPv6. Filter families (egress): IPv6.

Match condition: next-header
Description: IPv4 or IPv6 protocol value. In place of the numeric value, you can specify one of the following text synonyms (the numeric values are also listed):
  hop-by-hop (0), icmp (1), igmp (2), ipip (4), tcp (6), egp (8), udp (17), ipv6 (41), routing (43), fragment (44), rsvp (46), gre (47), esp (50), ah (51), icmp6 (58), no-next-header (59), dstopts (60), ospf (89), pim (103), vrrp (112), sctp (132)
Ingress: Yes. Egress: Yes.
Filter families (ingress): IPv6. Filter families (egress): IPv6.
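The following family inet filter, written in Junos configuration syntax, is an added example that is not part of the original page; it combines several of the match conditions from Table 1 to show how the caveats in their descriptions translate into configuration. The filter name, term names, and the 192.0.2.0/24 management prefix are made up for the example.

```junos
firewall {
    family inet {
        filter MATCH-EXAMPLES {
            /* tcp-established does not imply TCP on its own, so it is paired
               with protocol tcp as the table requires */
            term established-tcp {
                from {
                    protocol tcp;
                    tcp-established;
                }
                then accept;
            }
            /* the handshake's first packet (SYN without ACK) needs tcp-initial;
               the destination port uses the ssh text synonym for 22 */
            term new-ssh-from-mgmt {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                    protocol tcp;
                    destination-port ssh;
                    tcp-initial;
                }
                then accept;
            }
            /* first-fragment (offset 0) and is-fragment (MF set or offset not 0)
               are separate conditions, so fragmented traffic takes two terms */
            term first-fragments {
                from {
                    first-fragment;
                }
                then accept;
            }
            term trailing-fragments {
                from {
                    is-fragment;
                }
                then discard;
            }
            /* icmp-code has meaning only with its icmp-type, so both are given */
            term icmp-ttl-expired {
                from {
                    protocol icmp;
                    icmp-type time-exceeded;
                    icmp-code ttl-eq-zero-during-transit;
                }
                then accept;
            }
            term default-discard {
                then discard;
            }
        }
    }
}
```

Because first-fragment, is-fragment, and tcp-initial are listed as ingress-only in Table 1, a filter like this can only be applied in the input direction, for example with set interfaces et-0/0/1 unit 0 family inet filter input MATCH-EXAMPLES (interface name assumed); a filter intended for the output direction would have to be limited to the conditions marked Egress: Yes.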

Table 2: Supported Firewall Filter Actions in the Ingress and Egress Directions on ACX Platforms running Junos OS Evolved

Columns: Action; Description; Ingress; Egress; Firewall Filter Families (Ingress); Firewall Filter Families (Egress). Each entry below gives these six values for one action.

Action: count
Description: Count the number of packets that match the term.
Ingress: Yes. Egress: Yes.
Filter families (ingress): IPv4, IPv6, Ethernet-Switching, CCC, MPLS, and Any. Filter families (egress): IPv4, IPv6, Ethernet-Switching, CCC, and Any.

Action: discard
Description: Discard a packet silently without sending an Internet Control Message Protocol (ICMP) message.
Ingress: Yes. Egress: Yes.
Filter families (ingress): IPv4, IPv6, Ethernet-Switching, CCC, MPLS, and Any. Filter families (egress): IPv4, IPv6, Ethernet-Switching, CCC, and Any.

Action: log
Description: Log the packet's header information in the Routing Engine. To view this information, enter the show firewall log operational mode command.
Ingress: Yes. Egress: No.
Filter families (ingress): IPv4 and IPv6. Filter families (egress): NA.

Action: forwarding-class
Description: Classify the packet in one of the following default forwarding classes, or in a user-defined forwarding class:
  • best-effort
  • fcoe
  • mcast
  • network-control
  • no-loss
  Note: To configure a forwarding class, you must also configure loss priority.
Ingress: Yes. Egress: No.
Filter families (ingress): IPv4, IPv6, Ethernet-Switching, CCC, and MPLS. Filter families (egress): NA.

Action: next-interface
Description: Direct packets to the specified outgoing interface.
Ingress: Yes. Egress: No.
Filter families (ingress): IPv4 and IPv6. Filter families (egress): NA.

Action: loss-priority
Description: Set the packet loss priority (PLP) level. You cannot also configure the three-color-policer nonterminating action for the same firewall filter term. These two nonterminating actions are mutually exclusive.
Ingress: Yes. Egress: No.
Filter families (ingress): IPv4, IPv6, Ethernet-Switching, CCC, and MPLS. Filter families (egress): NA.

Action: next-ip
Description: Direct packets to the specified destination IPv4 address.
Ingress: Yes. Egress: No.
Filter families (ingress): IPv4. Filter families (egress): NA.

Action: next-ip6
Description: Direct packets to the specified destination IPv6 address.
Ingress: Yes. Egress: No.
Filter families (ingress): IPv6. Filter families (egress): NA.

Action: policer
Description: Name of policer to use to rate-limit traffic.
Ingress: Yes. Egress: Yes.
Filter families (ingress): IPv4, IPv6, Ethernet-Switching, CCC, MPLS, and Any. Filter families (egress): IPv4, IPv6, Ethernet-Switching, CCC, and Any.

Action: reject
Description: Discard a packet and send a "destination unreachable" ICMPv4 message (type 3). To log rejected packets, configure the syslog action modifier. You can specify one of the following message types: administratively-prohibited (default), bad-host-tos, bad-network-tos, host-prohibited, host-unknown, host-unreachable, network-prohibited, network-unknown, network-unreachable, port-unreachable, precedence-cutoff, precedence-violation, protocol-unreachable, source-host-isolated, source-route-failed, or tcp-reset. If you specify tcp-reset, the system sends a TCP reset if the packet is a TCP packet; otherwise nothing is sent. If you do not specify a message type, the ICMP notification "destination unreachable" is sent with the default message "communication administratively filtered."
Ingress: Yes. Egress: No.
Filter families (ingress): IPv4 and IPv6. Filter families (egress): NA.

Action: syslog
Description: Log an alert for this packet.
Ingress: Yes. Egress: No.
Filter families (ingress): IPv4 and IPv6. Filter families (egress): NA.

Action: sample
Description: Sample the packet traffic. Apply this option only if you have enabled traffic sampling.
Ingress: Yes. Egress: No.
Filter families (ingress): IPv4 and IPv6. Filter families (egress): NA.

Action: three-color-policer
Description: Send packets to a three-color policer (for the purpose of applying rate limiting).
Ingress: Yes. Egress: Yes.
Filter families (ingress): IPv4, IPv6, Ethernet-Switching, CCC, MPLS, and Any. Filter families (egress): IPv4, IPv6, Ethernet-Switching, CCC, and Any.
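The following filter, in Junos configuration syntax, is an added example that is not part of the original page; it shows how the actions and action modifiers from Table 2 are combined in terms, including the pairing constraints the table calls out. The filter, term, policer, and counter names, and the policer rate, are made up for the example.

```junos
firewall {
    /* policer referenced by name from the limit-ssh term below */
    policer MGMT-1M {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        filter ACTION-EXAMPLES {
            /* count and syslog are action modifiers alongside the terminating
               reject; tcp-reset answers TCP with a RST and sends nothing for
               other protocols, instead of the default ICMP type 3 message */
            term refuse-telnet {
                from {
                    protocol tcp;
                    destination-port telnet;
                }
                then {
                    count telnet-refused;
                    syslog;
                    reject tcp-reset;
                }
            }
            /* rate-limit SSH through the named policer and keep a counter
               so policed volume shows in show firewall filter output */
            term limit-ssh {
                from {
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    policer MGMT-1M;
                    count ssh-policed;
                    accept;
                }
            }
            /* forwarding-class requires loss-priority in the same term,
               and loss-priority excludes three-color-policer in that term */
            term classify-ntp {
                from {
                    protocol udp;
                    destination-port ntp;
                }
                then {
                    forwarding-class network-control;
                    loss-priority low;
                    accept;
                }
            }
            /* everything else is counted and silently discarded (no ICMP) */
            term default-drop {
                then {
                    count other-dropped;
                    discard;
                }
            }
        }
    }
}
```

Table 2 lists log, syslog, reject, forwarding-class, and loss-priority as ingress-only, so this filter must be applied in the input direction; an output filter on these platforms is limited to count, discard, policer, and three-color-policer. Counters are read with show firewall filter ACTION-EXAMPLES, and packet headers recorded by a log action with show firewall log.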