Example: Configuring a Filter to Match on IPv6 Flags
This example shows how to configure a filter to match on IPv6 TCP flags.
Requirements
No special configuration beyond device initialization is required before configuring this example.
Overview
In this example, you configure a filter to match on IPv6 TCP flags. You can use this example to configure IPv6 TCP flags in the SRX100, SRX210, SRX240, SRX650, and J Series security devices and in M Series, MX Series, and T Series routing devices.
Configuration
Step-by-Step Procedure
To configure a filter to match on IPv6 TCP flags:
1. Include the family statement at the firewall hierarchy level, specifying inet6 as the protocol family.
    [edit]
    user@host# edit firewall family inet6
2. Create the stateless firewall filter.
    [edit firewall family inet6]
    user@host# edit filter tcpfilt
3. Define the first term for the filter.
    [edit firewall family inet6 filter tcpfilt]
    user@host# edit term 1
4. Define the source address match conditions for the term.
    [edit firewall family inet6 filter tcpfilt term 1]
    user@host# set from next-header tcp tcp-flags syn
5. Define the actions for the term.
    [edit firewall family inet6 filter tcpfilt term 1]
    user@host# set then count tcp_syn_pkt log accept
6. If you are done configuring the device, commit the configuration.
    [edit firewall family inet6 filter tcpfilt term 1]
    user@host# top
    [edit]
    user@host# commit
Verification
To confirm that the configuration is working properly, enter the show firewall filter tcpfilt command.
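The following Python model is an added example, not Juniper code and not part of the original procedure. It shows which packets term 1 of tcpfilt selects and therefore what the tcp_syn_pkt counter reports. It treats tcp-flags syn as a bit test on the SYN flag and assumes next-header is compared only against the Next Header field of the fixed IPv6 header; the function names, addresses, and packets are constructed for illustration.

```python
import struct

TCP = 6            # IPv6 Next Header value for TCP
HOP_BY_HOP = 0     # Next Header value for the Hop-by-Hop Options extension header
SYN, ACK = 0x02, 0x10

def ipv6_packet(next_header, payload):
    """Build a constructed IPv6 packet: 40-byte fixed header plus payload."""
    src = bytes.fromhex("20010db8000000000000000000000001")  # 2001:db8::1 (documentation prefix)
    dst = bytes.fromhex("20010db8000000000000000000000002")  # 2001:db8::2
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return fixed + src + dst + payload

def tcp_segment(flags):
    """Build a constructed 20-byte TCP header carrying the given flag bits."""
    # src port, dst port, seq, ack, data offset, flags, window, checksum, urgent
    return struct.pack("!HHIIBBHHH", 49152, 443, 1, 0, 5 << 4, flags, 65535, 0, 0)

def term1_matches(packet):
    """Model of 'from next-header tcp tcp-flags syn' (hypothetical helper)."""
    if len(packet) < 40 + 14 or packet[0] >> 4 != 6:
        return False                      # too short or not IPv6
    if packet[6] != TCP:                  # assumption: only the fixed header is inspected
        return False
    return bool(packet[40 + 13] & SYN)    # SYN bit set; other flag bits are ignored

def count_tcp_syn_pkt(packets):
    """Model of 'then count tcp_syn_pkt': number of packets term 1 matches."""
    return sum(term1_matches(p) for p in packets)

# Constructed sample packets, not captured traffic.
HBH = bytes([TCP, 0, 1, 4, 0, 0, 0, 0])   # 8-byte Hop-by-Hop header with PadN option
SAMPLES = {
    "syn": ipv6_packet(TCP, tcp_segment(SYN)),
    "syn_ack": ipv6_packet(TCP, tcp_segment(SYN | ACK)),
    "ack": ipv6_packet(TCP, tcp_segment(ACK)),
    "syn_after_hbh": ipv6_packet(HOP_BY_HOP, HBH + tcp_segment(SYN)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:14} matches term 1: {term1_matches(pkt)}")
    print("tcp_syn_pkt =", count_tcp_syn_pkt(SAMPLES.values()))
```

In this model SYN-ACK replies match as well as initial SYNs, so the counter is not a count of new connection attempts, and a SYN carried behind an extension header is not counted.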