Configuring Filters to Permit Expected Traffic
You must explicitly configure your firewall filter to permit expected traffic, such as DHCP traffic, to pass. Otherwise, the expected traffic is denied when the filter is applied to the interface. This requirement applies to both classic and fast update filters.
The following example shows a fast update filter that might be used to accept DHCP traffic. The actual filter you use depends on the expected traffic in your network.
In the example, the term allow-dhcp
accepts all
DHCP traffic from all source addresses. The term also includes the only-at-create
option to specify that the term is applied only
when the filter is first applied. The term sub-allow-dhcp
includes the Junos OS predefined variable $junos-subscriber-ip-address
, which permits all subscriber-specific DHCP traffic.
The match-order
statement configuration lists the
conditions from most-specific to least-specific, as recommended in Configuring the Match Order for Fast Update Filters. Because this filter is designed to permit ingress DHCP traffic,
the source-address
condition is listed first.
firewall { family inet { fast-update-filter psf1 { interface-specific; match-order [ source-address destination-address protocol destination-port ]; term allow-dhcp { only-at-create; from { source-address 0.0.0.0/32; destination-address 255.255.255.255/32; destination-port 67; protocol udp; } then accept; } term sub-allow-dhcp { from { source-address $junos-subscriber-ip-address; destination-address 192.168.1.2/32; destination-port 67; protocol udp; } then accept; } } } }