Example: Bypassing Firewall Filters
This example describes how to configure multiple filters using the service-filter-hit match/action combination and contains the following sections:
Before You Begin
When using the service-filter-hit match/action combination, keep the following in mind:
- The order in which the filters are applied is important. You can ensure the order in which the filters are processed by specifying a filter precedence value for the interface. See Defining Dynamic Filter Processing Order for more information about dynamic filter processing and how to use the precedence statement.
- The following example uses policers to further define the match conditions each filter uses. These filters are not described here. To better understand how to configure policers, see “Statement Hierarchy for Configuring Policers” in the Junos OS Firewall Filters and Traffic Policers Library for Routing Devices.
Filter Bypass Overview
Packets must pass through each filter in a chain. However, if you create a chain of filters to process different types of packets (for example, voice, video, and data packets), you can streamline processing by using the service-filter-hit match/action combination at the [edit firewall family family-name filter filter-name term term-name] hierarchy level. This reduces the amount of packet handling in each filter in the chain and effectively bypasses unnecessary filters.
Figure 1 shows the logical processing flow through a chain of three filters (voice, video, and data) where only processing for a specific data type is desired. This configuration example shows an ingress filter flow. Though subsequent ingress filters in a chain can detect whether the service-filter-hit action is set, egress filters do not. To bypass egress filters, you must also configure the service-filter-hit match/action combination on those filters.
Figure 1: Logical Flow Example for Filter Bypass Processing

Configuring Filter Bypass
CLI Quick Configuration
To quickly configure this example:
Configuring the Voice Filter
Step-by-Step Procedure
To configure the voice filter for the logical flow in Figure 1:
- Configure the filter to apply the assured forwarding class and set the service-filter-hit action for traffic from a specific address and port range (over which voice traffic is expected).
    [edit]
    set firewall filter voice term T1 from address 1.1.1.1/32
    set firewall filter voice term T1 from source-port 5004-5005
    set firewall filter voice term T1 then forwarding-class assured-forwarding service-filter-hit accept
- Configure the filter default action to pass (accept) packet traffic from any other address or port range.
    [edit]
    set firewall filter voice term default then accept
Configuring the Video Filter
Step-by-Step Procedure
To configure the video filter for the logical flow in Figure 1:
- Configure the filter to pass (accept) incoming packets that are tagged by the service-filter-hit action.
    [edit]
    set firewall filter video term T1 from service-filter-hit
    set firewall filter video term T1 then accept
- Configure the filter to apply a video policer and set the service-filter-hit action for traffic from a specific address (over which video traffic is expected).
    [edit]
    set firewall filter video term T2 from source-address 10.10.10.10/32
    set firewall filter video term T2 then policer video-policer service-filter-hit accept
- Configure the filter default action to pass (accept) packet traffic from any other address or port range.
    [edit]
    set firewall filter video term default then accept
Configuring the Data Filter
Step-by-Step Procedure
To configure the data filter for the logical flow in Figure 1:
- Configure the filter to pass (accept) incoming packets that are tagged by the service-filter-hit action.
    [edit]
    set firewall filter data term T1 from service-filter-hit
    set firewall filter data term T1 then accept
- Configure the filter to apply a data policer and set the service-filter-hit action for traffic from a specific address (over which video traffic is expected).
    [edit]
    set firewall filter data term T2 then policer data-policer service-filter-hit accept
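To check which term each traffic class lands on, the following added example (not part of the original documentation and not Junos code) models the three filters configured above and traces sample packets through the chain. The first-match evaluation model, the function names, and the sample packets are assumptions made for illustration.

```python
# Constructed model of the page's three-filter ingress chain; not Junos code.
# Assumed: terms run in order, first match wins, accept moves to the next filter.
from ipaddress import ip_address, ip_network

# Term layout: (name, match conditions, actions, sets service-filter-hit)
CHAIN = [
    ("voice", [
        ("T1", {"address": "1.1.1.1/32", "source_port": range(5004, 5006)},
         ["forwarding-class assured-forwarding"], True),
        ("default", {}, [], False)]),
    ("video", [
        ("T1", {"service_filter_hit": True}, [], False),
        ("T2", {"source_address": "10.10.10.10/32"},
         ["policer video-policer"], True),
        ("default", {}, [], False)]),
    ("data", [
        ("T1", {"service_filter_hit": True}, [], False),
        ("T2", {}, ["policer data-policer"], True)]),
]

def term_matches(cond, pkt, hit):
    """True when every condition in the term's from clause holds."""
    src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
    if cond.get("service_filter_hit") and not hit:
        return False
    if "address" in cond:  # "address" matches source or destination
        net = ip_network(cond["address"])
        if src not in net and dst not in net:
            return False
    if "source_address" in cond and src not in ip_network(cond["source_address"]):
        return False
    return "source_port" not in cond or pkt["sport"] in cond["source_port"]

def run_chain(pkt):
    """Return (terms that matched, actions applied) for one ingress packet."""
    hit, trace, applied = False, [], []
    for fname, terms in CHAIN:
        for tname, cond, actions, sets_hit in terms:
            if term_matches(cond, pkt, hit):
                trace.append(f"{fname}:{tname}")
                applied.extend(actions)
                hit = hit or sets_hit
                break  # accept: stop evaluating this filter
    return trace, applied

# Constructed sample packets (documentation addresses for the far ends).
VOICE = {"src": "1.1.1.1", "dst": "192.0.2.10", "sport": 5004}
VIDEO = {"src": "10.10.10.10", "dst": "192.0.2.10", "sport": 40000}
DATA = {"src": "198.51.100.7", "dst": "192.0.2.10", "sport": 51515}
```

Calling run_chain on each sample shows that a packet tagged in an earlier filter matches only term T1 in the later filters and so is never handed to their policers, which is why the match conditions of the tagging term and the filter order both deserve review.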
Results
Display the results of the configuration: