Firewall Filter Match Conditions for IPv4 Traffic

Match the IPv4 source or destination address field unless the except option is included. If the option is included, do not match the IPv4 source or destination address field.

(M Series routers, except M120 and M320) Match the IPsec authentication header (AH) security parameter index (SPI) value.

(M Series routers, except M120 and M320) Do not match the IPsec AH SPI value.

Match the IPv4 destination address field unless the except option is included. If the option is included, do not match the IPv4 destination address field.

You cannot specify both the address and destination-address match conditions in the same term.

Match one or more specified destination class names (sets of destination prefixes grouped together and given a class name). For more information, see Firewall Filter Match Conditions Based on Address Classes.

Do not match one or more specified destination class names. For details, see the destination-class match condition.

Match the UDP or TCP destination port field.

You cannot specify both the port and destination-port match conditions in the same term.

When configuring port based matches you must also configure the protocol udp or protocol tcp match statement in the same filter term. However, omitting the protocol match can be useful when you want to match a specific port across multiple protocols (for example, port 53 for DNS over both UDP and TCP).

In place of the numeric value, you can specify one of the following text synonyms (the port numbers are also listed): afs (1483), bgp (179), biff (512), bootpc (68), bootps (67), cmd (514), cvspserver (2401), dhcp (67), domain (53), eklogin (2105), ekshell (2106), exec (512), finger (79), ftp (21), ftp-data (20), http (80), https (443), ident (113), imap (143), kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544), ldap (389), ldp (646), login (513), mobileip-agent (434), mobilip-mn (435), msdp (639), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123), pop3 (110), pptp (1723), printer (515), radacct (1813), radius (1812), rip (520), rkinit (2108), smtp (25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514), tacacs (49), tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525), who (513), or xdmcp (177).

Match source or destination ports in the specified named port list.

Do not match the UDP or TCP destination port field. For details, see the destination-port match condition.

Match destination ports in the specified named port list

Match destination prefixes in the specified list unless the except option is included. If the option is included, do not match the destination prefixes in the specified list.

Specify the name of a prefix list defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level.

Match the Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most significant 6 bits of this byte form the DSCP. For more information, see Understanding How Behavior Aggregate Classifiers Prioritize Trusted Traffic.

Support was added for filtering on Differentiated Services Code Point (DSCP) and forwarding class for Routing Engine sourced packets, including IS-IS packets encapsulated in generic routing encapsulation (GRE). Subsequently, when upgrading from a previous version of Junos OS where you have both a class of service (CoS) and firewall filter, and both include DSCP or forwarding class filter actions, the criteria in the firewall filter automatically takes precedence over the CoS settings. The same is true when creating new configurations; that is, where the same settings exist, the firewall filter takes precedence over the CoS, regardless of which was created first.

You can specify a numeric value from 0 through 63. To specify the value in hexadecimal form, include 0x as a prefix. To specify the value in binary form, include b as a prefix.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):

• RFC 3246, An Expedited Forwarding PHB (Per-Hop Behavior), defines one code point: ef (46).

• RFC 2597, Assured Forwarding PHB Group, defines 4 classes, with 3 drop precedences in each class, for a total of 12 code points:

  • af11 (10), af12 (12), af13 (14)

  • af21 (18), af22 (20), af23 (22)

  • af31 (26), af32 (28), af33 (30)

  • af41 (34), af42 (36), af43 (38)

Do not match on the DSCP number. For more information, see the dscp match condition.

Match the IPsec encapsulating security payload (ESP) SPI value. Match on this specific SPI value. You can specify the ESP SPI value in hexadecimal, binary, or decimal form.

Match the IPsec ESP SPI value. Do not match on this specific SPI value.

Match if the packet is the first fragment of a fragmented packet. Do not match if the packet is a trailing fragment of a fragmented packet. The first fragment of a fragmented packet has a fragment offset value of 0.

This match condition is an alias for the bit-field match condition fragment-offset 0 match condition.

To match both first and trailing fragments, you can use two terms that specify different match conditions: first-fragment and is-fragment.

Match first byte of payload value. Match condition can only be applied in the ingress direction.

Does not work on the egress binding of the firewall filter. Supported on INET, INET6 and ANY firewall filter families only.

Not supported on FFT filter and egress FLT filter.

Do not match specified first byte of payload value. Match condition can only be applied in the ingress direction.

Does not work on the egress binding of the firewall filter. Supported on INET, INET6 and ANY firewall filter families only.

Not supported on FFT filter and egress FLT filter.

Length of the data to be matched in bits, not needed for string input (0..128)

Bit offset after the (match-start + byte) offset (0..7)

Byte offset after the match start point

Select a flexible match from predefined template field

Mask out bits in the packet data to be matched

Start point to match in packet

Value data/string to be matched

Length of the data to be matched in bits (0..32)

Bit offset after the (match-start + byte) offset (0..7)

Byte offset after the match start point

Select a flexible match from predefined template field

Start point to match in packet

Range of values to be matched

Do not match this range of values

Match the forwarding class of the packet.

Specify assured-forwarding, best-effort, expedited-forwarding, or network-control.

For information about forwarding classes and router-internal output queues, see Understanding How Forwarding Classes Assign Classes to Output Queues.

Do not match the forwarding class of the packet. For details, see the forwarding-class match condition.

(Ingress only) Match the three-bit IP fragmentation flags field in the IP header.

In place of the numeric field value, you can specify one of the following keywords (the field values are also listed): dont-fragment (0x4), more-fragments (0x2), or reserved (0x8).

Match the 13-bit fragment offset field in the IP header. The value is the offset, in 8-byte units, in the overall datagram message to the data fragment. Specify a numeric value, a range of values, or a set of values. An offset value of 0 indicates the first fragment of a fragmented packet.

The first-fragment match condition is an alias for the fragment-offset 0 match condition.

To match both first and trailing fragments, you can use two terms that specify different match conditions (first-fragment and is-fragment).

Do not match the 13-bit fragment offset field.

Match the gre-key field. The GRE key field is a 4 octet number inserted by the GRE encapsulator. It is an optional field for use in GRE encapsulation. The range can be a single GRE key number or a range of key numbers.

For MX Series routers with MPCs, initialize new firewall filters that include this condition by walking the corresponding SNMP MIB.

Match the ICMP message code field.

term match-icmp-unreachable {
            from {
                protocol icmp;
                icmp-type destination-unreachable;
                icmp-code host-unreachable;
            }    
         }

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed). The keywords are grouped by the ICMP type with which they are associated:

• parameter-problem: ip-header-bad (0), required-option-missing (1)

• redirect: redirect-for-host (1), redirect-for-network (0), redirect-for-tos-and-host (3), redirect-for-tos-and-net (2)

• time-exceeded: ttl-eq-zero-during-reassembly (1), ttl-eq-zero-during-transit (0)

• unreachable: communication-prohibited-by-filtering (13), destination-host-prohibited (10), destination-host-unknown (7), destination-network-prohibited (9), destination-network-unknown (6), fragmentation-needed (4), host-precedence-violation (14), host-unreachable (1), host-unreachable-for-TOS (12), network-unreachable (0), network-unreachable-for-TOS (11), port-unreachable (3), precedence-cutoff-in-effect (15), protocol-unreachable (2), source-host-isolated (8), source-route-failed (5)

Do not match the ICMP message code field. For details, see the icmp-code match condition.

Match the ICMP message type field.

term match-icmp-echo {
            from {
                        protocol icmp;
               icmp-type echo-request;
            }
          }

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): echo-reply (0), echo-request (8), info-reply (16), info-request (15), mask-request (17), mask-reply (18), parameter-problem (12), redirect (5), router-advertisement (9), router-solicit (10), source-quench (4), time-exceeded (11), timestamp (13), timestamp-reply (14), or unreachable (3).

Do not match the ICMP message type field. For details, see the icmp-type match condition.

Match the interface on which the packet was received.

Match the logical interface on which the packet was received to the specified interface group or set of interface groups. For group-number, specify a single value or a range of values from 0 through 255.

To assign a logical interface to an interface group group-number, specify the group-number at the [interfaces interface-name unit number family family filter group] hierarchy level.

For more information, see Filtering Packets Received on a Set of Interface Groups Overview.

Do not match the logical interface on which the packet was received to the specified interface group or set of interface groups. For details, see the interface-group match condition.

Match the interface on which the packet was received to the specified interface set.

To define an interface set, include the interface-set statement at the [edit firewall] hierarchy level.

For more information, see Filtering Packets Received on an Interface Set Overview.

Match the 8-bit IP option field, if present, to the specified value or list of values.

In place of a numeric value, you can specify one of the following text synonyms (the option values are also listed): loose-source-route (131), record-route (7), router-alert (148), security (130), stream-id (136),strict-source-route (137), or timestamp (68).

To match any value for the IP option, use the text synonym any. To match on multiple values, specify the list of values within square brackets ('[’ and ']’). To match a range of values, use the value specification [ value1-value2 ].

For example, the match condition ip-options [ 0-147 ] matches on an IP options field that contains the loose-source-route, record-route, or security values, or any other value from 0 through 147. However, this match condition does not match on an IP options field that contains only the router-alert value (148).

For most interfaces, a filter term that specifies an ip-option match on one or more specific IP option values (a value other than any) causes packets to be sent to the Routing Engine so that the kernel can parse the IP option field in the packet header.

• For a firewall filter term that specifies an ip-option match on one or more specific IP option values, you cannot specify the count, log, or syslog nonterminating actions unless you also specify the discard terminating action in the same term. This behavior prevents double-counting of packets for a filter applied to a transit interface on the router.

• Packets processed on the kernel might be dropped in case of a system bottleneck. To ensure that matched packets are instead sent to the Packet Forwarding Engine (where packet processing is implemented in hardware), use the ip-options any match condition.

Do not match the IP option field to the specified value or list of values. For details about specifying the values, see the ip-options match condition.

Using this condition causes a match if the More Fragments flag is enabled in the IP header and if the fragment offset is not zero.

On MX Series Routers, is-fragment matches all fragments, that is, first fragment (fragment-offset = 0), last fragment (more-fragments = 0), and all fragments between the first and last fragment.

Match the packet loss priority (PLP) level.

Specify a single level or multiple levels: low, medium-low, medium-high, or high.

Do not match the PLP level. For details, see the loss-priority match condition.

Match the length of the received packet, in bytes. The length refers only to the IP packet, including the packet header, and does not include any Layer 2 encapsulation overhead. You can also specify a range of values to be matched.

Do not match the length of the received packet, in bytes. For details, see the packet-length match type.

Match the payload of the packet with this source IPv4 address.

Match the payload of the packet with this destination IPv4 address.

Match the payload of the packet with this source MAC address.

Match the payload of the packet with this destination MAC address.

Match traffic based on the applied policy-mapname(e.g., hierarchical policer or forwarding policies).

Match the UDP or TCP source or destination port field.

If you configure this match condition, you cannot configure the destination-port match condition or the source-port match condition in the same term.

When configuring port based matches you must also configure the protocol udp or protocol tcp match statement in the same filter term. However, omitting the protocol match can be useful when you want to match a specific port across multiple protocols.

In place of the numeric value, you can specify one of the text synonyms listed under destination-port.

Do not match either the source or destination UDP or TCP port field. For details, see the port match condition.

Match the IP precedence field.

In place of the numeric field value, you can specify one of the following text synonyms (the field values are also listed): critical-ecp (0xa0), flash (0x60), flash-override (0x80), immediate (0x40), internet-control (0xc0), net-control (0xe0), priority (0x20), or routine (0x00). You can specify precedence in hexadecimal, binary, or decimal form.

Do not match the IP precedence field.

In place of the numeric field value, you can specify one of the following text synonyms (the field values are also listed): critical-ecp (0xa0), flash (0x60), flash-override (0x80), immediate (0x40), internet-control (0xc0), net-control (0xe0), priority (0x20), or routine (0x00). You can specify precedence in hexadecimal, binary, or decimal form.

Match the prefixes of the source or destination address fields to the prefixes in the specified list unless the except option is included. If the option is included, do not match the prefixes of the source or destination address fields to the prefixes in the specified list.

The prefix list is defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level.

Match the IP protocol type field. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): ah (51), dstopts (60), egp (8), esp (50), fragment (44), gre (47), hop-by-hop (0), icmp (1), icmp6 (58), icmpv6 (58), igmp (2), ipip (4), ipv6 (41), ospf (89), pim (103), rsvp (46), sctp (132), tcp (6), udp (17), or vrrp (112).

Do not match the IP protocol type field. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): ah (51), dstopts (60), egp (8), esp (50), fragment (44), gre (47), hop-by-hop (0), icmp (1), icmp6 (58), icmpv6 (58), igmp (2), ipip (4), ipv6 (41), ospf (89), pim (103), rsvp (46), sctp (132), tcp (6), udp  (17), or vrrp (112).

Match the radio-access technology (RAT) type specified in the 8-bit Tech-Type field of Proxy Mobile IPv4 (PMIPv4) access technology type extension. The technology type specifies the access technology through which the mobile device is connected to the access network.

Specify a single value, a range of values, or a set of values. You can specify a technology type as a numeric value from 0 through 255 or as a system keyword.

• The following numeric values are examples of well-known technology types:

  • Numeric value 1 matches IEEE 802.3.

  • Numeric value 2 matches IEEE 802.11a/b/g.

  • Numeric value 3 matches IEEE 802.16e

  • Numeric value 4 matches IEEE 802.16m.

• Text string eutran matches 4G.

• Text string geran matches 2G.

• Text string utran matches 3G.

Do not match the RAT Type.

Match traffic based on the forwarding redirect reason. You can specify individual values or multiple values within square brackets.

Supported values: aoc - Advice of Charge aolb - Advice of Low Balance dpi - Layer7 match required

Syntax: redirect-reason value redirect-reason [ value1 value2 value3]

Use cases:

• aoc - Used in service provider environments for matching traffic that requires advice of charge notifications, typically for billing systems integration
• aolb - Used to identify traffic requiring advice of low balance notifications, common in prepaid service scenarios
• dpi - Used when deep packet inspection classification is required, often for advanced traffic analysis or security processing

Examples:

term match-billing {
    from {
        redirect-reason aoc;
    }
}

term match-prepaid {
    from {
        redirect-reason aolb;
    }
}

term match-inspection {
    from {
        redirect-reason dpi;
    }
}

term match-multiple {
    from {
        redirect-reason [ aoc aolb ];
    }
}

Match a packet received from a filter where a service-filter-hit action was applied.

Match the IPv4 address of the source node sending the packet unless the except option is included. If the option is included, do not match the IPv4 address of the source node sending the packet.

You cannot specify both the address and source-address match conditions in the same term.

Match one or more specified source class names (sets of source prefixes grouped together and given a class name). For more information, see Firewall Filter Match Conditions Based on Address Classes.

Do not match one or more specified source class names. For details, see the source-class match condition.

Match the UDP or TCP source port field.

You cannot specify the port and source-port match conditions in the same term.

When configuring port based matches you must also configure the protocol udp or protocol tcp match statement in the same filter term. However, omitting the protocol match can be useful when you want to match a specific port across multiple protocols.

In place of the numeric value, you can specify one of the text synonyms listed with the destination-port number match condition.

Do not match the UDP or TCP source port field. For details, see the source-port match condition.

Match source ports in the specified named port list.

Match source prefixes in the specified list unless the except option is included. If the option is included, do not match the source prefixes in the specified list.

Specify the name of a prefix list defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level.

Match TCP packets of an established TCP session (packets other than the first packet of a connection). This is an alias for tcp-flags "(ack | rst)".

This match condition does not implicitly check that the protocol is TCP. To check this, specify the protocol tcp match condition.

Match one or more of the low-order 6 bits in the 8-bit TCP flags field in the TCP header.

To specify individual bit fields, you can specify the following text synonyms or hexadecimal values:

• fin (0x01)

• syn (0x02)

• rst (0x04)

• push (0x08)

• ack (0x10)

• urgent (0x20)

In a TCP session, the SYN flag is set only in the initial packet sent, while the ACK flag is set in all packets sent after the initial packet.

You can string together multiple flags using the bit-field logical operators.

For combined bit-field match conditions, see the tcp-established and tcp-initial match conditions.

If you configure this match condition, we recommend that you also configure the protocol tcp match statement in the same term to specify that the TCP protocol is being used on the port.

For IPv4 traffic only, this match condition does not implicitly check whether the datagram contains the first fragment of a fragmented packet. To check for this condition for IPv4 traffic only, use the first-fragment match condition.

Match the initial packet of a TCP connection. This is an alias for tcp-flags "(!ack & syn)".

This condition does not implicitly check that the protocol is TCP. If you configure this match condition, we recommend that you also configure the protocol tcp match condition in the same term.

Match the IPv4 time-to-live number. Specify a TTL value or a range of TTL values. For number, you can specify one or more values from 0 through 255.

Do not match on the IPv4 TTL number. For details, see the ttl match condition.