Guidelines for Applying Standard Firewall Filters

Applying Firewall Filters Overview

You can apply a standard firewall filter to the loopback interface on the router or to a physical or logical interface on the router, and you can apply the same filter to a single interface or to multiple interfaces. Table 1 summarizes the behavior of a firewall filter according to the point at which you attach it.

Table 1: Firewall Filter Behavior by Filter Attachment Point

Loopback interface: The router’s loopback interface, lo0, is the interface to the Routing Engine and carries no data packets. When you apply a firewall filter to the loopback interface, the filter evaluates the local packets received or transmitted by the Routing Engine.

Physical interface or logical interface: When you apply a filter to a physical interface on the router or to a logical interface (or to a member of an aggregated Ethernet bundle defined on the interface), the filter evaluates all data packets that pass through that interface.

Multiple interfaces: You can use the same firewall filter one or more times.

On certain routers, interfaces are distributed among multiple packet-forwarding components. On these routers, you can configure firewall filters and service filters that, when applied to multiple interfaces, act on the individual traffic streams entering or exiting each interface, regardless of the sum of traffic on the multiple interfaces.

For more information, see Interface-Specific Firewall Filter Instances Overview.

Single interface with protocol-independent and protocol-specific firewall filters attached: For interfaces on supported hardware, you can attach a protocol-independent (family any) firewall filter and a protocol-specific (family inet or family inet6) firewall filter simultaneously. The protocol-independent firewall filter executes first.

Statement Hierarchy for Applying Firewall Filters

To apply a standard firewall filter to a logical interface, configure the filter statement for the logical interface defined under either the [edit] or [edit logical-systems logical-system-name] hierarchy level. Under the filter statement, you can include one or more of the following statements: group group-number, input filter-name, input-list filter-name, output filter-name, or output-list filter-name. The hierarchy level at which you attach the filter statement depends on the filter type and device type you are configuring.

Protocol-Independent Firewall Filters on MX Series Routers

To apply a protocol-independent firewall filter to a logical interface on an MX Series router, configure the filter statement directly under the logical unit:

All Other Firewall Filters on Logical Interfaces

To apply a standard firewall filter to a logical interface for all cases other than a protocol-independent filter on an MX Series router, configure the filter statement under the protocol family:

Restrictions on Applying Firewall Filters

Number of Input and Output Filters Per Logical Interface

Input filters—Although you can use the same filter multiple times, you can apply only one input filter or one input filter list to an interface.

  • To specify a single firewall filter to be used to evaluate packets received on the interface, include the input filter-name statement in the filter stanza.

  • To specify an ordered list of firewall filters to be used to evaluate packets received on the interface, include the input-list [ filter-names ] statement in the filter stanza. You can specify up to 16 firewall filters for the filter input list.

Output filters—Although you can use the same filter multiple times, you can apply only one output filter or one output filter list to an interface.

  • To specify a single firewall filter to be used to evaluate packets transmitted on the interface, include the output filter-name statement in the filter stanza.

  • To specify an ordered list of firewall filters to be used to evaluate packets transmitted on the interface, include the output-list [ filter-names ] statement in the filter stanza. You can specify up to 16 firewall filters in a filter output list.

MPLS and Layer 2 CCC Firewall Filters in Lists

The input-list filter-names and output-list filter-names statements for firewall filters for the ccc and mpls protocol families are supported on all interfaces with the exception of the following:

  • Management interfaces and internal Ethernet interfaces (fxp or em0)

  • Loopback interfaces (lo0)

  • USB modem interfaces (umd)

Platform-Specific Behavior

Use Feature Explorer to confirm platform and release support for specific features.

Use the following table to review platform-specific behavior for your platform:

ACX Series Routers

  • Single interface with protocol-independent and protocol-specific firewall filters attached: For interfaces hosted on ACX Series Universal Metro Routers, you can attach a protocol-independent (family any) firewall filter and a protocol-specific (family inet or family inet6) firewall filter simultaneously. The protocol-independent firewall filter executes first.

  • ACX5048 and ACX5096 routers do not support the evaluation of packets transmitted by the Routing Engine for loopback interface filters.

MX Series Routers

  • Single interface with protocol-independent and protocol-specific firewall filters attached: For interfaces hosted on Modular Interface Cards (MICs) and Modular Port Concentrators (MPCs) in MX Series 5G Universal Routing Platforms, you can attach a protocol-independent (family any) firewall filter and a protocol-specific (family inet or family inet6) firewall filter simultaneously. The protocol-independent firewall filter executes first. Interfaces hosted on FPC2 and FPC3 modules in MX Series routers do not support protocol-independent firewall filters.

  • On MX Series routers, interfaces are distributed among multiple packet-forwarding components. On these routers, you can configure firewall filters and service filters that, when applied to multiple interfaces, act on the individual traffic streams entering or exiting each interface, regardless of the sum of traffic on the multiple interfaces. For more information, see Interface-Specific Firewall Filter Instances Overview.

  • Layer 2 CCC firewall filters on MX Series routers: You cannot apply a Layer 2 CCC stateless firewall filter (a firewall filter configured at the [edit firewall filter family ccc] hierarchy level) as an output filter. Firewall filters configured for the family ccc statement can be applied only as input filters.

PTX Platforms

  • Interfaces hosted on PTX Series Packet Transport Routers do not support protocol-independent firewall filters.

  • IPv6 firewall filters on PTX Series Packet Transport Routers: On PTX10001-20C routers, you cannot apply IPv6 firewall filters to:

    • Tunnel interfaces

    • IRB interfaces

    • Egress interfaces

    • Interface-specific filters, configured at the [edit firewall family inet6 filter filter-name] hierarchy level

    • Traffic policers

    • Junos Telemetry Interface

EX Series Switches

  • Layer 2 CCC firewall filters on EX Series switches: You cannot apply a Layer 2 CCC stateless firewall filter (a firewall filter configured at the [edit firewall filter family ccc] hierarchy level) as an output filter. Firewall filters configured for the family ccc statement can be applied only as input filters.
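The attachment hierarchy and the restrictions described on this page (a filter statement directly under the logical unit for a family any filter and under the protocol family otherwise; one input filter or one input list and one output filter or one output list per attachment point; at most 16 filters per list; no ccc or mpls filter lists on fxp, em0, lo0 or umd interfaces; and the input-only rule for family ccc filters noted for MX Series routers and EX Series switches) can be checked in a candidate configuration before it is committed. The following linter is an added example, not Juniper code and not part of this page: it reads set-format interfaces statements and reports violations of those rules. The interface names, filter names and the whole sample configuration are constructed, and the parser understands only `set interfaces ... filter ...` lines.

```python
"""Lint Junos-style 'set' statements against the firewall-filter attachment
rules described on this page.  Added example, not Juniper code: the parser
understands only 'set interfaces ... filter ...' lines, and the rule set is
limited to the restrictions stated on the page.  All names are constructed."""
import re
from collections import defaultdict

MAX_LIST_LEN = 16                        # up to 16 filters per input/output list
NO_CCC_MPLS_LIST_PREFIXES = ("fxp", "em0", "lo0", "umd")  # no ccc/mpls lists here

# A filter statement directly under the unit is a protocol-independent
# (family any) attachment; otherwise it sits under 'family <name>'.
SET_LINE = re.compile(
    r"^set interfaces (?P<ifd>\S+) unit (?P<unit>\d+) "
    r"(?:family (?P<family>\S+) )?filter "
    r"(?P<kind>input-list|output-list|input|output) (?P<name>\S+)$"
)

# Constructed sample configuration.  In set format each list member is its
# own line, so repeated input-list/output-list lines build one ordered list.
SAMPLE_CONFIG = """
set interfaces ge-0/0/0 unit 0 filter input protect-any
set interfaces ge-0/0/0 unit 0 family inet filter input protect-v4
set interfaces ge-0/0/0 unit 0 family inet filter output-list limit-icmp
set interfaces ge-0/0/0 unit 0 family inet filter output-list limit-dns
set interfaces ge-0/0/1 unit 0 family inet filter input single-v4
set interfaces ge-0/0/1 unit 0 family inet filter input-list list-a
set interfaces ge-0/0/1 unit 0 family inet filter input-list list-b
set interfaces ge-0/0/2 unit 0 family ccc filter output drop-ccc-egress
set interfaces lo0 unit 0 family mpls filter input-list mpls-a
set interfaces lo0 unit 0 family mpls filter input-list mpls-b
"""


def parse_attachments(config_text):
    """Map (ifd, unit, family) -> {kind: [filter names in configured order]}."""
    attachments = defaultdict(lambda: defaultdict(list))
    for raw in config_text.strip().splitlines():
        m = SET_LINE.match(raw.strip())
        if m:                                # unrelated statements are ignored
            key = (m["ifd"], int(m["unit"]), m["family"] or "any")
            attachments[key][m["kind"]].append(m["name"])
    return attachments


def lint(config_text):
    """Return human-readable findings; an empty list means the rules hold."""
    findings = []
    for (ifd, unit, family), kinds in parse_attachments(config_text).items():
        where = f"{ifd}.{unit} family {family}"
        for direction in ("input", "output"):
            single = kinds.get(direction, [])
            listed = kinds.get(f"{direction}-list", [])
            # One filter OR one filter list per direction, never both.
            if len(single) > 1:
                findings.append(f"{where}: more than one {direction} filter "
                                f"({', '.join(single)})")
            if single and listed:
                findings.append(f"{where}: both {direction} filter and "
                                f"{direction}-list configured")
            if len(listed) > MAX_LIST_LEN:
                findings.append(f"{where}: {direction}-list has {len(listed)} "
                                f"filters, max is {MAX_LIST_LEN}")
            # ccc/mpls lists are unsupported on fxp/em0, lo0 and umd interfaces.
            if (listed and family in ("ccc", "mpls")
                    and ifd.startswith(NO_CCC_MPLS_LIST_PREFIXES)):
                findings.append(f"{where}: {direction}-list not supported for "
                                f"family {family} on {ifd}")
        # Platform note (MX Series, EX Series): family ccc filters are input-only.
        if family == "ccc" and (kinds.get("output") or kinds.get("output-list")):
            findings.append(f"{where}: family ccc filters can be applied "
                            f"only as input filters")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the linter accepts the ge-0/0/0 attachments (a family any filter under the unit, a single family inet input filter and a two-entry output list) and reports three findings: ge-0/0/1 mixes an input filter with an input list, ge-0/0/2 applies a family ccc filter as output, and lo0 carries an mpls input list. The check is structural only; it does not evaluate filter terms or platform support, which still needs Feature Explorer.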