Related Documentation
- J, M, MX, PTX, SRX, T Series
- Guidelines for Applying Standard Firewall Filters
- Understanding How to Use Standard Firewall Filters
Guidelines for Configuring Standard Firewall Filters
Statement Hierarchy for Configuring Standard Firewall Filters
To configure a standard firewall filter, you include the firewall statement and the family, filter, term, from, and then substatements described in the following sections. For an IPv4 standard firewall filter, the family inet statement is optional.
You can include the firewall configuration at one of the following hierarchy levels:
- [edit]
- [edit logical-systems logical-system-name]
Note: For stateless firewall filtering, you must allow the output tunnel traffic through the firewall filter applied to input traffic on the interface that is the next-hop interface toward the tunnel destination. That firewall filter affects only the packets exiting the router by way of the tunnel.
Standard Firewall Filter Protocol Families
A standard firewall filter configuration is specific to a particular protocol family. Under the firewall statement, include one of the following statements to specify the protocol family for which you want to filter traffic:
- family any—To filter protocol-independent traffic.
- family inet—To filter Internet Protocol version 4 (IPv4) traffic.
- family inet6—To filter Internet Protocol version 6 (IPv6) traffic.
- family mpls—To filter MPLS traffic.
- family vpls—To filter virtual private LAN service (VPLS) traffic.
- family ccc—To filter Layer 2 circuit cross-connection (CCC) traffic.
- family bridge—To filter Layer 2 bridging traffic for MX Series 3D Universal Edge Routers only.
The family family-name statement is required only to specify a protocol family other than IPv4. To configure an IPv4 firewall filter, you can configure the filter at the [edit firewall] hierarchy level without including the family inet statement, because the [edit firewall] and [edit firewall family inet] hierarchy levels are equivalent.
Standard Firewall Filter Names and Options
Under the family family-name statement, you can include filter filter-name statements to create and name standard firewall filters. The filter name can contain letters, numbers, and hyphens (-) and be up to 64 characters long. To include spaces in the name, enclose the entire name in quotation marks (“ ”).
At the [edit firewall family family-name filter filter-name] hierarchy level, the following statements are optional:
- accounting-profile
- interface-specific
- physical-interface-filter
Standard Firewall Filter Terms
Under the filter filter-name statement, you can include term term-name statements to create and name filter terms.
- You must configure at least one term in a firewall filter.
- You must specify a unique name for each term within a firewall filter. The term name can contain letters, numbers, and hyphens (-) and can be up to 64 characters long. To include spaces in the name, enclose the entire name in quotation marks (“ ”).
- The order in which you specify terms within a firewall filter configuration is important. Firewall filter terms are evaluated in the order in which they are configured. By default, new terms are always added to the end of the existing filter. You can use the insert configuration mode command to reorder the terms of a firewall filter.
At the [edit firewall family family-name filter filter-name term term-name] hierarchy level, the filter filter-name statement is not valid in the same term as from or then statements. When included at this hierarchy level, the filter filter-name statement is used to nest firewall filters.
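The following configuration pulls the preceding sections together. It is an added example written for this page, not a configuration taken from Juniper documentation; the filter name protect-re, the term names, the counter name ssh-denied, and the 10.0.0.0/24 management prefix are assumptions chosen for illustration. It is a family inet filter with three uniquely named terms whose order is deliberate: the management exception comes first, a discard-and-count term for all other SSH follows, and a catch-all accept term ends the filter.

```junos
firewall {
    family inet {                      /* optional for IPv4: [edit firewall] is equivalent */
        filter protect-re {            /* filter name: letters, digits, hyphens, <= 64 chars */
            interface-specific;        /* optional: per-interface counters/instances */
            term allow-ssh-from-mgmt { /* evaluated first: exception for the management net */
                from {
                    source-address {
                        10.0.0.0/24;   /* assumed management prefix */
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;           /* terminating action: evaluation stops here */
            }
            term deny-ssh {            /* evaluated second: everything else to tcp/22 */
                from {
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    count ssh-denied;  /* nonterminating actions may accompany ... */
                    syslog;
                    discard;           /* ... the single terminating action of the term */
                }
            }
            term allow-rest {          /* no from: matches all remaining packets */
                then accept;
            }
        }
    }
}
```

If deny-ssh had been entered first, it would shadow the management exception and discard all SSH; because new terms are appended, the fix is to move the exception with the configuration-mode command insert firewall family inet filter protect-re term allow-ssh-from-mgmt before term deny-ssh rather than deleting and retyping terms. A term that contains only a filter filter-name statement (no from or then) would instead nest another filter at that point in the evaluation order.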
Standard Firewall Filter Match Conditions
Standard firewall filter match conditions are specific to the type of traffic being filtered.
With the exception of MPLS-tagged IPv4 or IPv6 traffic, you specify the term’s match conditions under the from statement. For MPLS-tagged IPv4 traffic, you specify the term’s IPv4 address-specific match conditions under the ip-version ipv4 statement and the term’s IPv4 port-specific match conditions under the protocol (tcp | udp) statement.
For MPLS-tagged IPv6 traffic, you specify the term’s IPv6 address-specific match conditions under the ip-version ipv6 statement and the term’s IPv6 port-specific match conditions under the protocol (tcp | udp) statement.
Table 1 describes the types of traffic for which you can configure standard stateless firewall filters.
Table 1: Standard Firewall Filter Match Conditions by Protocol Family
Traffic Type | Hierarchy Level at Which Match Conditions Are Specified |
---|---|
Protocol-independent | [edit firewall family any filter filter-name term term-name] For the complete list of match conditions, see Standard Firewall Filter Match Conditions for Protocol-Independent Traffic. |
IPv4 | [edit firewall family inet filter filter-name term term-name] For the complete list of match conditions, see Standard Firewall Filter Match Conditions for IPv4 Traffic. |
IPv6 | [edit firewall family inet6 filter filter-name term term-name] For the complete list of match conditions, see Standard Firewall Filter Match Conditions for IPv6 Traffic. |
MPLS | [edit firewall family mpls filter filter-name term term-name] For the complete list of match conditions, see Standard Firewall Filter Match Conditions for MPLS Traffic. |
IPv4 addresses in MPLS flows | [edit firewall family mpls filter filter-name term term-name ip-version ipv4] For the complete list of match conditions, see Standard Firewall Filter Match Conditions for MPLS-Tagged IPv4 or IPv6 Traffic. |
IPv4 ports in MPLS flows | [edit firewall family mpls filter filter-name term term-name ip-version ipv4 protocol (tcp | udp)] For the complete list of match conditions, see Standard Firewall Filter Match Conditions for MPLS-Tagged IPv4 or IPv6 Traffic. |
IPv6 addresses in MPLS flows | [edit firewall family mpls filter filter-name term term-name ip-version ipv6] For the complete list of match conditions, see Standard Firewall Filter Match Conditions for MPLS-Tagged IPv4 or IPv6 Traffic. |
IPv6 ports in MPLS flows | [edit firewall family mpls filter filter-name term term-name ip-version ipv6 protocol (tcp | udp)] For the complete list of match conditions, see Standard Firewall Filter Match Conditions for MPLS-Tagged IPv4 or IPv6 Traffic. |
VPLS | [edit firewall family vpls filter filter-name term term-name] For the complete list of match conditions, see Standard Firewall Filter Match Conditions for VPLS Traffic. |
Layer 2 CCC | [edit firewall family ccc filter filter-name term term-name] For the complete list of match conditions, see Standard Firewall Filter Match Conditions for Layer 2 CCC Traffic. |
Layer 2 Bridging (MX Series routers only) | [edit firewall family bridge filter filter-name term term-name] For the complete list of match conditions, see Standard Firewall Filter Match Conditions for Layer 2 Bridging Traffic. |
If you specify an IPv6 address in a match condition (the address, destination-address, or source-address match conditions), use the text representation described in RFC 4291, IP Version 6 Addressing Architecture. For more information about IPv6 addresses, see IPv6 Overview and Supported IPv6 Standards.
Standard Firewall Filter Actions
Under the then statement for a standard stateless firewall filter term, you can specify the actions to be taken on a packet that matches the term.
Table 2 summarizes the types of actions you can specify in a standard stateless firewall filter term.
Table 2: Standard Firewall Filter Action Categories
Type of Action | Description | Comment |
---|---|---|
Terminating | Halts all evaluation of a firewall filter for a specific packet. The router performs the specified action, and no additional terms are used to examine the packet. You can specify only one terminating action in a standard firewall filter term. You can, however, combine that one terminating action with one or more nonterminating actions in the same term; for example, within a term, you can specify accept together with count and syslog. | |
Nonterminating | Performs other functions on a packet (such as incrementing a counter, logging information about the packet header, sampling the packet data, or sending information to a remote host using the system log functionality). A term that contains only nonterminating actions still ends evaluation of the filter: the matching packet is implicitly accepted unless the term also includes the next term flow-control action. | All nonterminating actions include an implicit accept action. This accept action is carried out if no terminating action is configured in the same term. |
Flow control | For standard stateless firewall filters only, the next term action directs the router to perform the term's configured actions on the packet and then, rather than ending evaluation of the filter, evaluate the packet against the next term in the filter. Without next term, a matching packet is not evaluated against subsequent terms. For example, a term whose only action is the nonterminating action count implicitly accepts the matching packet instead of letting it fall through to the filter's implicit discard; adding next term forces continued evaluation of the filter. | You cannot configure the next term action with a terminating action in the same filter term. You can, however, configure the next term action with other nonterminating actions in the same filter term. A maximum of 1024 next term actions are supported per standard stateless firewall filter configuration. If you configure a standard filter that exceeds this limit, committing the candidate configuration results in a commit error. |
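The interaction between term order, implicit accept, next term, and the implicit discard at the end of a filter is where stateless filters are most often misconfigured, so the following toy evaluator models exactly those rules from Table 2 and the Terms section. It is an added illustration for this page, not Juniper code; the Term and Filter classes, the dict-based packet representation, and the term names, counter names, and addresses (10.0.0.0/24 as a management prefix, 192.0.2.9 as an outside host) are all assumptions. It contrasts a count-all term that correctly uses next term with the same term lacking it, which silently accepts every packet, and shows how reordering with insert restores a shadowed exception.

```python
"""Toy evaluator for the term and action semantics of a Junos standard
firewall filter.

Added illustration for this page, not Juniper code. It models only what the
page states: terms are evaluated in configured order; the first term whose
match conditions all hold decides the packet; a terminating action ends
evaluation; a term with only nonterminating actions implicitly accepts the
packet; `next term` continues evaluation; and a packet that no term matches
is implicitly discarded. Packets are plain dicts with a few inet fields.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

TERMINATING = ("accept", "discard", "reject")
NONTERMINATING = ("count", "log", "syslog", "sample")
ADDRESS_KEYS = ("source-address", "destination-address")


@dataclass
class Term:
    name: str
    match: dict = field(default_factory=dict)  # empty: matches every packet
    actions: tuple = ()                          # e.g. ("count", "next term")

    def __post_init__(self):
        # Constraints stated on the page: one terminating action per term,
        # and next term may not share a term with a terminating action.
        terminating = [a for a in self.actions if a in TERMINATING]
        if len(terminating) > 1:
            raise ValueError(f"{self.name}: only one terminating action per term")
        if terminating and "next term" in self.actions:
            raise ValueError(f"{self.name}: next term cannot share a term with {terminating[0]}")
        unknown = set(self.actions) - set(TERMINATING) - set(NONTERMINATING) - {"next term"}
        if unknown:
            raise ValueError(f"{self.name}: unknown action(s) {sorted(unknown)}")

    def matches(self, pkt):
        """True when every configured match condition holds for pkt."""
        for key, want in self.match.items():
            have = pkt.get(key)
            if key in ADDRESS_KEYS:
                if have is None or ip_address(have) not in ip_network(want):
                    return False
            elif have != want:
                return False
        return True


class Filter:
    def __init__(self, name, terms):
        names = [t.name for t in terms]
        if not terms or len(set(names)) != len(names):
            raise ValueError("a filter needs at least one term, each uniquely named")
        self.name, self.terms, self.counters = name, list(terms), {}

    def insert_before(self, term_name, existing_name):
        """Model of `insert ... term <term_name> before term <existing_name>`:
        moves an already configured term earlier in the evaluation order."""
        moving = self.terms.pop([t.name for t in self.terms].index(term_name))
        self.terms.insert([t.name for t in self.terms].index(existing_name), moving)

    def evaluate(self, pkt):
        """Return (verdict, names of the terms the packet matched)."""
        trail = []
        for term in self.terms:
            if not term.matches(pkt):
                continue
            trail.append(term.name)
            if "count" in term.actions:  # nonterminating actions run regardless
                self.counters[term.name] = self.counters.get(term.name, 0) + 1
            verdict = next((a for a in term.actions if a in TERMINATING), None)
            if verdict:
                return verdict, trail
            if "next term" in term.actions:
                continue                 # flow control: keep evaluating
            return "accept", trail       # nonterminating-only term: implicit accept
        return "discard", trail          # no term matched: implicit discard


# Constructed sample terms and packets (hypothetical addresses, not captured traffic).
MGMT_SSH = Term("allow-ssh-from-mgmt",
                {"source-address": "10.0.0.0/24", "protocol": "tcp", "destination-port": 22},
                ("accept",))
DENY_SSH = Term("deny-ssh", {"protocol": "tcp", "destination-port": 22}, ("count", "discard"))
ALLOW_REST = Term("allow-rest", {}, ("accept",))
FROM_MGMT = {"source-address": "10.0.0.5", "protocol": "tcp", "destination-port": 22}
FROM_OUTSIDE = {"source-address": "192.0.2.9", "protocol": "tcp", "destination-port": 22}
DNS = {"source-address": "192.0.2.9", "protocol": "udp", "destination-port": 53}


def good_filter():
    """A count-everything term that keeps evaluating, followed by the policy."""
    return Filter("protect-re", [Term("count-all", {}, ("count", "next term")),
                                 MGMT_SSH, DENY_SSH, ALLOW_REST])


def bad_filter():
    """Same policy, but count-all lacks `next term`, so its implicit accept wins."""
    return Filter("protect-re", [Term("count-all", {}, ("count",)),
                                 MGMT_SSH, DENY_SSH, ALLOW_REST])


def misordered_filter():
    """deny-ssh placed ahead of the management exception shadows it."""
    return Filter("protect-re", [DENY_SSH, MGMT_SSH, ALLOW_REST])


if __name__ == "__main__":
    for pkt in (FROM_MGMT, FROM_OUTSIDE, DNS):
        print("good:", good_filter().evaluate(pkt), "bad:", bad_filter().evaluate(pkt))
```

Running the module shows the failure mode directly: in good_filter every packet passes through count-all and then reaches the real policy, while in bad_filter the outside SSH packet is accepted by count-all alone and deny-ssh never runs. The same pattern is worth checking on a live filter whenever a term carries only count, log, syslog, or sample.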
Published: 2014-10-14