Firewall Filter Match Conditions and Actions for EX Series Switches
Each term in a firewall filter consists of match conditions and an action. Match conditions are the values or fields that a packet must contain. You can define multiple match conditions, a single match condition, or none at all; if a term specifies no match conditions, it matches all packets by default. The action is what the switch does with a packet that matches the term's match conditions. The allowed actions are to accept or discard the packet. In addition, you can specify action modifiers to count, mirror, rate-limit, and classify packets.
For each firewall filter, you define the terms that specify the filtering criteria (match conditions) to apply to packets and the action for the switch to take if a match occurs.
Table 1 describes the match conditions you can specify when configuring a firewall filter. The string that defines a match condition is called a match statement. All of the match conditions apply to IPv4 traffic; none of them applies to IPv6 traffic.
Table 1: Supported Match Conditions for Firewall Filters on EX Series Switches
| Match Condition | Description |
|---|---|
| destination-address | IP destination address field, which is the address of the final destination node. |
| destination-mac-address mac-address | Destination media access control (MAC) address of the packet. |
| destination-port number | TCP or User Datagram Protocol (UDP) destination port field. Typically, you specify this match in conjunction with the protocol match statement to determine which protocol is used on the port. In place of the numeric value, you can specify one of the following text synonyms (the port numbers are also listed): afs (1483), bgp (179), biff (512), bootpc (68), bootps (67), cmd (514), cvspserver (2401), dhcp (67), domain (53), eklogin (2105), ekshell (2106), exec (512), finger (79), ftp (21), ftp-data (20), http (80), https (443), ident (113), imap (143), kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544), ldap (389), login (513), mobileip-agent (434), mobilip-mn (435), msdp (639), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123), pop3 (110), pptp (1723), printer (515), radacct (1813), radius (1812), rip (520), rkinit (2108), smtp (25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525), who (513), xdmcp (177), zephyr-clt (2103), zephyr-hm (2104). |
| destination-prefix-list prefix-list | IP destination prefix list field. You can define a list of IP address prefixes under a prefix-list alias for frequent use. You make this definition at the [edit policy-options] hierarchy level. |
| dot1q-tag number | The tag field in the Ethernet header. The tag values can be 1–4095. |
| dot1q-user-priority number | User-priority field of the tagged Ethernet packet. User-priority values can be 0–7. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): |
| dscp number | Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most significant six bits of this byte form the DSCP. You can specify the DSCP in hexadecimal, binary, or decimal form. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): |
| ether-type [ipv4 \| arp \| mpls \| dot1q \| value] | Ethernet type field of a packet. The EtherType value specifies which protocol is being transported in the Ethernet frame. In place of the numeric value, you can specify one of the following text synonyms: |
| fragment-flags fragment-flags | IP fragmentation flags, specified in symbolic or hexadecimal format. You can specify one of the following options: dont-fragment (0x4000), more-fragments (0x2000), or reserved (0x8000). |
| icmp-code number | ICMP code field. This value or option provides more specific information than icmp-type. Because the value's meaning depends on the associated icmp-type, you must specify icmp-type along with icmp-code. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed). The options are grouped by the ICMP type with which they are associated: |
| icmp-type number | ICMP packet type field. Typically, you specify this match in conjunction with the protocol match statement to determine which protocol is being used on the port. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): echo-reply (0), echo-request (8), info-reply (16), info-request (15), mask-request (17), mask-reply (18), parameter-problem (12), redirect (5), router-advertisement (9), router-solicit (10), source-quench (4), time-exceeded (11), timestamp (13), timestamp-reply (14), unreachable (3). |
| interface interface-name | Interface on which the packet is received. You can specify the wildcard character (*) as part of an interface name. Note: An interface from which a packet is sent cannot be used as a match condition. |
| ip-options | Presence of the options field in the IP header. |
| is-fragment | Whether the packet is a trailing fragment. This match condition does not match the first fragment of a fragmented packet. Use two terms to match both first and trailing fragments. |
| packet-length bytes | Length of the received packet, in bytes. Note: packet-length is not supported on EX3200 and EX4200 switches. |
| precedence precedence | IP precedence. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): |
| protocol list of protocols | IPv4 protocol value. In place of the numeric value, you can specify one of the following text synonyms: egp (8), esp (50), gre (47), icmp (1), igmp (2), ipip (4), ospf (89), pim (103), rsvp (46), tcp (6), udp (17). |
| source-address | IP source address field, which is the address of the source node sending the packet. |
| source-mac-address mac-address | Source MAC address of the packet. |
| source-port number | TCP or UDP source port field. Typically, you specify this match in conjunction with the protocol match statement to determine which protocol is being used on the port. In place of the numeric value, you can specify one of the text synonyms listed under destination-port. |
| source-prefix-list prefix-list | IP source prefix list field. You can define a list of IP address prefixes under a prefix-list alias for frequent use. You make this definition at the [edit policy-options] hierarchy level. |
| tcp-established | TCP packets of an established TCP connection. This condition matches packets other than the first packet of a connection. tcp-established is a synonym for the bit names "(ack \| rst)". tcp-established does not implicitly check whether the protocol is TCP. To do so, specify the protocol tcp match condition. |
| tcp-flags [flags tcp-initial] | One or more TCP flags. To specify multiple flags, use logical operators. |
| tcp-initial | Match the first TCP packet of a connection. tcp-initial is a synonym for the bit names "(syn & !ack)". tcp-initial does not implicitly check whether the protocol is TCP. To do so, specify the protocol tcp match condition. |
| ttl value | TTL value to match. The value can be 1–255. |
| vlan [vlan-name \| vlan-id] | The VLAN that is associated with the packet. |
Some of the numeric range and bit-field match conditions allow you to specify a text synonym. For a list of all the synonyms for a match condition, do any of the following:
- If you are using the J-Web Filters Configuration page, select the synonym from the appropriate list.
- If you are using the CLI, type a question mark (?) after the from statement.
To specify the bit-field value to match, you must enclose the values in quotation marks (" "). For example, a match occurs if the RST bit in the TCP flags field is set:
For information about logical operators and how to use bit-field logical operations to create expressions that are evaluated for matches, see Understanding Firewall Filter Match Conditions.
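As an added illustration (not code from the Juniper documentation), the following Python model evaluates terms the way the text above describes: a quoted bit-field expression using the &, | and ! operators, the tcp-established and tcp-initial synonyms, the is-fragment condition (trailing fragments only), a term with no match conditions matching every packet, and the first matching term's accept or discard deciding the result. The term and packet dictionary keys are assumed names chosen for this model; the hexadecimal flag values are the standard TCP header bits.

```python
import re

# Standard TCP header flag bits (RFC 793); only the names this page uses are modelled.
TCP_FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "ack": 0x10}
# Synonyms exactly as the page defines them.
SYNONYMS = {"tcp-established": "(ack | rst)", "tcp-initial": "(syn & !ack)"}


def match_tcp_flags(expr, flags):
    """Evaluate a bit-field expression such as "(syn & !ack)" against a TCP flags byte."""
    toks = re.findall(r"[a-z-]+|[()&|!]", SYNONYMS.get(expr.strip(), expr))

    def atom():
        tok = toks.pop(0)
        if tok == "!":
            return not atom()
        if tok == "(":
            val = expression()
            toks.pop(0)  # closing parenthesis
            return val
        return bool(flags & TCP_FLAG_BITS[tok])  # unknown flag name raises KeyError

    def conj():  # '&' binds tighter than '|'
        val = atom()
        while toks and toks[0] == "&":
            toks.pop(0)
            val = atom() and val
        return val

    def expression():
        val = conj()
        while toks and toks[0] == "|":
            toks.pop(0)
            val = conj() or val
        return val

    return expression()


def evaluate_filter(terms, packet):
    """First term whose conditions all hold decides (dict keys are assumed names).
    No conditions matches everything; is-fragment matches only trailing fragments;
    tcp-flags never checks the protocol, so a term must add protocol tcp itself."""
    for term in terms:
        cond = term.get("from", {})
        proto_ok = "protocol" not in cond or packet["protocol"] == cond["protocol"]
        flags_ok = "tcp-flags" not in cond or match_tcp_flags(cond["tcp-flags"], packet.get("tcp_flags", 0))
        frag_ok = not cond.get("is-fragment") or packet.get("frag_offset", 0) != 0
        if proto_ok and flags_ok and frag_ok:
            return term["then"]
    return "discard"  # a Junos filter ends with an implicit discard (Junos fact, not stated on this page)
```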
When you define one or more terms that specify the filtering criteria, you also define the action to take if the packet matches all criteria. Table 2 shows the actions that you can specify in a term.
Table 2: Actions for Firewall Filters
In addition to the actions, you can specify action modifiers. Table 3 shows the action modifiers that you can specify in a term.
Table 3: Action Modifiers for Firewall Filters
Note: On EX Series switches, accept and discard are the only actions supported for firewall filters applied on loopback interfaces.