
Example: Nesting References to Multiple Standard Firewall Filters

This example shows how to configure nested references to multiple stateless firewall filters.

Requirements

No special configuration beyond device initialization is required before configuring this example.

Overview

In this example, you configure a stateless firewall filter for a match condition and action combination that can be shared among multiple firewall filters. You then configure two firewall filters that reference the first filter. Later, if the common filtering criteria need to change, you modify only the one shared filter. Two Junos rules govern the nesting: a term that references another filter contains only that filter reference (no from or then clauses of its own), and nesting is limited to one level, so a referenced filter cannot itself reference a filter. When a packet matches no term in the referenced filter, evaluation continues with the next term of the referencing filter.

Topology

The common_filter firewall filter discards packets whose UDP source or destination port is 69 (tftp). The two additional firewall filters, filter1 and filter2, each reference common_filter in their first term. filter1 then rejects any remaining packet with a source or destination address in 192.168.0.0/16, and filter2 accepts any remaining UDP packet with a source or destination port of 67 (bootps). Because every Junos firewall filter ends with an implicit discard, a packet that matches no term in either the referenced or the referencing filter is dropped. As written, filter1 therefore passes no traffic and filter2 passes only bootps; on a production interface you would add a final term that accepts the traffic the interface is meant to carry.
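The evaluation order described above (nested filter first, fall-through to the next term of the referencing filter, implicit discard at the end of the top-level filter) is easy to get wrong when reading a configuration. The following model is an added illustration written for this page, not Juniper software: it encodes the three filters of this example, walks constructed sample packets through them, and also lints for the two commit-time errors a nested configuration can carry (a reference to a filter name that does not exist, such as a hyphen/underscore typo, and nesting deeper than one level). The packet dictionaries and the FILTERS_TYPO variant are constructed for the example.

```python
"""Added model of how Junos evaluates a filter that nests another filter.

Illustrative code written for this page, not Juniper software. It encodes
the three filters from this example (common_filter, filter1, filter2) and
walks constructed packets through them under two Junos rules that the
configuration itself does not spell out:
  * a term that references another filter hands the packet to that filter;
    if no term there matches, evaluation resumes at the next term of the
    referencing filter;
  * a packet that matches no term of the top-level filter hits the implicit
    discard at the end of every Junos firewall filter.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

PORTS = {"tftp": 69, "bootps": 67}  # the named ports the example uses


@dataclass
class Term:
    name: str
    nested: Optional[str] = None    # "filter <name>" reference
    protocol: Optional[str] = None  # from protocol
    port: Optional[int] = None      # from port: matches source OR destination
    address: Optional[str] = None   # from address: matches source OR destination
    action: Optional[str] = None    # then accept | discard | reject

    def matches(self, pkt: dict) -> bool:
        if self.protocol and pkt["proto"] != self.protocol:
            return False
        if self.port is not None and self.port not in (pkt["sport"], pkt["dport"]):
            return False
        if self.address:
            net = ip_network(self.address)
            if ip_address(pkt["src"]) not in net and ip_address(pkt["dst"]) not in net:
                return False
        return True


def lint_references(filters: dict) -> list:
    """Return problems Junos would reject at commit: a term that references a
    filter that does not exist (e.g. a common-filter / common_filter typo) or
    a referenced filter that itself nests a filter (only one level is allowed)."""
    problems = []
    for fname, terms in filters.items():
        for t in terms:
            if t.nested is None:
                continue
            if t.nested not in filters:
                problems.append(f"{fname} {t.name}: unknown filter {t.nested!r}")
            elif any(x.nested for x in filters[t.nested]):
                problems.append(f"{fname} {t.name}: {t.nested} nests a filter (one level max)")
    return problems


def evaluate(filters: dict, fname: str, pkt: dict, _top=True) -> Optional[str]:
    """Return the verdict for pkt, or None when a nested filter matched nothing."""
    for term in filters[fname]:
        if term.nested:
            verdict = evaluate(filters, term.nested, pkt, _top=False)
            if verdict is not None:
                return verdict
            continue  # nothing matched in the nested filter: keep going here
        if term.matches(pkt):
            return term.action or "accept"  # a term with no "then" accepts
    return "discard" if _top else None  # implicit discard, top level only


FILTERS = {
    "common_filter": [Term("common_term", protocol="udp", port=PORTS["tftp"], action="discard")],
    "filter1": [
        Term("term1", nested="common_filter"),
        Term("term2", address="192.168.0.0/16", action="reject"),
    ],
    "filter2": [
        Term("term1", nested="common_filter"),
        Term("term2", protocol="udp", port=PORTS["bootps"], action="accept"),
    ],
}

# Same filters with a hypothetical hyphen/underscore typo in the reference.
FILTERS_TYPO = dict(FILTERS, filter1=[Term("term1", nested="common-filter")])


def pkt(src, dst, proto, sport, dport):
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}


# Constructed sample packets arriving on the filtered interfaces.
SAMPLES = {
    "tftp_read": pkt("10.1.0.50", "10.1.0.1", "udp", 40000, 69),
    "ssh_rfc1918": pkt("192.168.1.5", "10.1.0.1", "tcp", 50000, 22),
    "dhcp_discover": pkt("0.0.0.0", "255.255.255.255", "udp", 68, 67),
    "ssh_local": pkt("10.1.0.50", "10.1.0.1", "tcp", 50001, 22),
}


def verdicts(fname: str) -> dict:
    """Verdict of every sample packet under the named top-level filter."""
    return {label: evaluate(FILTERS, fname, p) for label, p in SAMPLES.items()}


if __name__ == "__main__":
    print("lint:", lint_references(FILTERS) or "ok")
    print("lint (typo):", lint_references(FILTERS_TYPO))
    for f in ("filter1", "filter2"):
        print(f, verdicts(f))
```

Running it shows the point that the configuration alone hides: under filter1 the tftp packet is discarded by the nested filter, the 192.168.1.5 packet falls through common_filter and is rejected by term2, and ordinary local SSH is dropped by the implicit discard; under filter2 only the bootps packet is accepted. The lint on FILTERS_TYPO reports the dangling reference that would otherwise surface only as a commit error.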

Configuration

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.

CLI Quick Configuration

To quickly configure this example, copy the following commands into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit] hierarchy level.

set firewall family inet filter common_filter term common_term from protocol udp
set firewall family inet filter common_filter term common_term from port tftp
set firewall family inet filter common_filter term common_term then discard
set firewall family inet filter filter1 term term1 filter common_filter
set firewall family inet filter filter1 term term2 from address 192.168.0.0/16
set firewall family inet filter filter1 term term2 then reject
set firewall family inet filter filter2 term term1 filter common_filter
set firewall family inet filter filter2 term term2 from protocol udp
set firewall family inet filter filter2 term term2 from port bootps
set firewall family inet filter filter2 term term2 then accept
set interfaces ge-0/0/0 unit 0 family inet address 10.1.0.1/24
set interfaces ge-0/0/0 unit 0 family inet filter input filter1
set interfaces ge-0/0/3 unit 0 family inet address 10.1.3.1/24
set interfaces ge-0/0/3 unit 0 family inet filter input filter2

Configure the Nested Firewall Filters

Step-by-Step Procedure

To configure two nested firewall filters that share a common filter:

  1. Navigate the CLI to the hierarchy level at which you configure IPv4 firewall filters.

    [edit]
    user@host# edit firewall family inet
  2. Configure the common filter that will be referenced by multiple other filters.

    [edit firewall family inet]
    user@host# set filter common_filter term common_term from protocol udp
    user@host# set filter common_filter term common_term from port tftp
    user@host# set filter common_filter term common_term then discard
  3. Configure a filter that references the common filter.

    [edit firewall family inet]
    user@host# set filter filter1 term term1 filter common_filter
    user@host# set filter filter1 term term2 from address 192.168.0.0/16
    user@host# set filter filter1 term term2 then reject
  4. Configure a second filter that references the common filter.

    [edit firewall family inet]
    user@host# set filter filter2 term term1 filter common_filter
    user@host# set filter filter2 term term2 from protocol udp
    user@host# set filter filter2 term term2 from port bootps
    user@host# set filter filter2 term term2 then accept

Apply Both Nested Firewall Filters to Interfaces

Step-by-Step Procedure

To apply both nested firewall filters to logical interfaces:

  1. Apply the first nested filter to a logical interface input.

    [edit]
    user@host# set interfaces ge-0/0/0 unit 0 family inet address 10.1.0.1/24
    user@host# set interfaces ge-0/0/0 unit 0 family inet filter input filter1
  2. Apply the second nested filter to a logical interface input.

    [edit]
    user@host# set interfaces ge-0/0/3 unit 0 family inet address 10.1.3.1/24
    user@host# set interfaces ge-0/0/3 unit 0 family inet filter input filter2

Confirm and Commit Your Candidate Configuration

Step-by-Step Procedure

To confirm and then commit your candidate configuration:

  1. Confirm the configuration of the stateless firewall filter by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

    [edit]
    user@host# show firewall
    family inet {
        filter common_filter {
            term common_term {
                from {
                    protocol udp;
                    port tftp;
                }
                then {
                    discard;
                }
            }
        }
        filter filter1 {
            term term1 {
                filter common_filter;
            }
            term term2 {
                from {
                    address 192.168.0.0/16;
                }
                then {
                    reject;
                }
            }
        }
        filter filter2 {
            term term1 {
                filter common_filter;
            }
            term term2 {
                from {
                    protocol udp;
                    port bootps;
                }
                then {
                    accept;
                }
            }
        }
    }
  2. Confirm the configuration of the interface by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

    [edit]
    user@host# show interfaces
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input filter1;
                }
                address 10.1.0.1/24;
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family inet {
                filter {
                    input filter2;
                }
                address 10.1.3.1/24;
            }
        }
    }
  3. If you are done configuring the device, commit your candidate configuration.

    [edit]user@host# commit

Verification

To confirm that the configuration is working properly, enter the show firewall filter filter1 and show firewall filter filter2 operational mode commands. Because none of the terms in this example includes a count action, the output lists only the filter names with no statistics; to verify that traffic is actually hitting the intended terms, add a count action alongside the discard, reject, or accept action in the terms of interest (for example, then count tftp-drops with then discard in common_term), commit, and check the counter values in the same show firewall output.

Published: 2013-04-10