How to Use Firewall Filters on Juniper EX Series

Firewall Filters

The Junos OS stateless firewall filters support a rich set of packet-matching criteria that you can use to match on specific traffic and perform specific actions, such as forwarding or dropping packets that match the criteria you specify. You can configure firewall filters to protect the local router or to protect another device that is either directly or indirectly connected to the local router. For example, you can use the filters to restrict the local packets that pass from the router’s physical interfaces to the Routing Engine. Such filters are useful in protecting the IP services that run on the Routing Engine, such as Telnet, SSH, and BGP, from denial-of-service attacks.

Service Filters

A service filter defines packet filtering (a set of match conditions and a set of actions) for IPv4 or IPv6 traffic. You can apply a service filter to the inbound or outbound traffic at an adaptive services interface to filter packets before they are accepted for service processing. You can also apply a service filter to the traffic that returns to the services interface after service processing, to perform post-service filtering.

Service filters filter IPv4 and IPv6 traffic only and can be applied to logical interfaces on Adaptive Services PICs, MultiServices PICs, and MultiServices DPCs only. Service filters are not supported on J Series devices and Branch SRX devices.

Simple Filters

Simple filters are supported on Gigabit Ethernet intelligent queuing (IQ2) and Enhanced Queuing Dense Port Concentrator (EQ DPC) interfaces only. Unlike standard filters, simple filters support IPv4 traffic only and have a number of restrictions. For example, you cannot configure a terminating action for a simple filter. Simple filters always accept packets. Also, simple filters can be applied only as input filters. They are not supported on outbound traffic. Simple filters are recommended for metropolitan Ethernet applications.

Stateless Firewall Filter Components (EX Series)

Protocol Family

Under the firewall statement, you can specify the protocol family for which you want to filter traffic.

family ethernet-switching (for EX Series switches)

Filter Type

Under the family family-name statement, you can specify the type and name of the filter you want to configure.

Standard Firewall Filter – filter filter-name

Filters the following traffic types:

  • Protocol independent
  • IPv4
  • IPv6
  • MPLS
  • MPLS-tagged IPv4
  • MPLS-tagged IPv6
  • VPLS
  • Layer 2 CCC
  • Layer 2 bridging (MX Series routers and EX Series switches only)

Terms

Under the filter, service-filter, or simple-filter statement, you must configure at least one firewall filter term. A term is a named structure in which match conditions and actions are defined. Within a firewall filter, you must configure a unique name for each term.

All stateless firewall filters contain one or more terms, and each term consists of two components—match conditions and actions.

Match Conditions

A firewall filter term must contain at least one packet-filtering criterion, called a match condition, that specifies the field or value a packet must contain to be considered a match for the term. For a match to occur, the packet must satisfy all the conditions in the term. If a packet matches a firewall filter term, the router (or switch) takes the action configured in that term on the packet.

Actions

The actions in a firewall filter term are the actions taken on any packet that matches all the conditions of that term.

When several actions are configured within a single term, all of them are taken on the traffic that matches the term's conditions.

Default action (for a matching term with no explicit action) : accept

Example

set firewall family ethernet-switching filter ACL-12 term SSH from source-address 192.168.100.1/32
set firewall family ethernet-switching filter ACL-12 term SSH from destination-address 100.100.100.0/24
set firewall family ethernet-switching filter ACL-12 term SSH from protocol tcp
set firewall family ethernet-switching filter ACL-12 term SSH from destination-port 22
set firewall family ethernet-switching filter ACL-12 term SSH then accept

Applying the filter to a physical interface

interface : ge-0/0/12
filter-name : ACL-12

set interfaces ge-0/0/12 unit 0 family ethernet-switching filter input ACL-12
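The following is an added example, not configuration from the original page. It extends ACL-12 into a complete filter: it keeps the page's SSH term, adds a second term that counts and discards SSH from any other source, and ends with an explicit catch-all term. The catch-all matters because a Junos firewall filter discards any packet that matches none of its terms, so ACL-12 applied exactly as written above would drop all non-SSH traffic entering ge-0/0/12. The term and counter names SSH-OTHER, ALLOW-REST, ssh-allowed, ssh-denied and other-allowed are assumed, the non-ELS match syntax from the page is kept, and lines beginning with # are explanatory comments rather than CLI input.

```junos
# Terms are evaluated top to bottom; the first term whose conditions all
# match decides the packet. Within one term every "from" condition must
# match (logical AND); several values under one condition are ORed.
set firewall family ethernet-switching filter ACL-12 term SSH from source-address 192.168.100.1/32
set firewall family ethernet-switching filter ACL-12 term SSH from destination-address 100.100.100.0/24
set firewall family ethernet-switching filter ACL-12 term SSH from protocol tcp
set firewall family ethernet-switching filter ACL-12 term SSH from destination-port 22
set firewall family ethernet-switching filter ACL-12 term SSH then count ssh-allowed
set firewall family ethernet-switching filter ACL-12 term SSH then accept

# SSH to port 22 from any other source is counted, so it can be watched,
# and then discarded. "count" is an action modifier that does not end
# evaluation; "discard" is the terminating action.
set firewall family ethernet-switching filter ACL-12 term SSH-OTHER from protocol tcp
set firewall family ethernet-switching filter ACL-12 term SSH-OTHER from destination-port 22
set firewall family ethernet-switching filter ACL-12 term SSH-OTHER then count ssh-denied
set firewall family ethernet-switching filter ACL-12 term SSH-OTHER then discard

# Explicit final term. Without it, the filter's implicit discard silently
# drops every frame that matched no earlier term, including all non-SSH
# traffic on the port.
set firewall family ethernet-switching filter ACL-12 term ALLOW-REST then count other-allowed
set firewall family ethernet-switching filter ACL-12 term ALLOW-REST then accept

# Bind the filter to ingress traffic on the access port.
set interfaces ge-0/0/12 unit 0 family ethernet-switching filter input ACL-12

# Commit with an automatic rollback window: if the new filter cuts off
# management access and the commit is not confirmed within 5 minutes,
# Junos reverts to the previous configuration.
commit confirmed 5
commit

# Operational-mode check after the commit: reads the three counters.
show firewall filter ACL-12
```

After the commit, show firewall filter ACL-12 lists the ssh-allowed, ssh-denied and other-allowed counters; a rising ssh-denied counter shows that SSH attempts from sources other than 192.168.100.1 are reaching the port and being dropped, which is the number to watch on an access port that should never see management traffic.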