Firewall Filters

A firewall is a fundamental component in securing any network. Devices running JUNOS Software can filter packets at line rate based on their contents, and perform an action on packets that match the filter.

Firewall Filter Syntax

JUNOS devices filter traffic based on straightforward if-then logic. That is, if an incoming packet matches a given filter parameter, then the device takes some action on that packet.

Here is a basic example of the syntax and structure of firewall filter configuration:

[edit]
lab@r1# show firewall
family inet {
    filter samplefilter {
        term A {
            from {
                source-address {
                    192.168.1.0/24;
                }
            }
            then accept;
        }
    }
}

Note

A firewall filter doesn’t actually filter traffic until it is applied to an interface. We cover this later in this chapter.

Firewall filters are defined at the firewall family hierarchy level. You can define filters for IPv4, IPv6, or Multiprotocol Label Switching (MPLS), or they can be protocol-independent. Each filter must have its own name, and each filter has one or more terms. A filter can also refer to another filter. In the previous example, a filter called samplefilter has one term, called A.

The following sections explain the remaining components of firewall filters.

Match conditions

The from statement in a firewall filter specifies the conditions the packet must match for the related action to be taken. Match conditions can include any combination of source and destination addresses, protocol numbers, and ports, as well as specific ...
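The term structure from the syntax section and the match conditions just described can be tied together with a small model of how a filter decides on a packet. This is an added example and not code or configuration from the book: terms are evaluated in the order written, the first term whose from conditions all match supplies the action, and a packet that matches no term falls through to the implicit discard at the end of every JUNOS filter. The filter and packets below are constructed samples, not the book's samplefilter.

```python
# Added example: a minimal model of JUNOS firewall-filter evaluation.
# Terms are checked top to bottom; the first full match decides the action,
# and a packet matching no term is discarded (JUNOS's implicit discard).
import ipaddress

# Constructed sample filter: (term name, "from" conditions, "then" action).
# An empty conditions dict matches every packet, as a term with no "from" does.
SAMPLE_FILTER = [
    ("A", {"source-address": ["192.168.1.0/24"]}, "accept"),
    ("B", {"protocol": ["tcp"], "destination-port": [22]}, "discard"),
    ("C", {"protocol": ["tcp", "udp"], "destination-port": [53]}, "accept"),
    ("D", {"source-address": ["10.0.0.0/8"], "protocol": ["icmp"]}, "accept"),
]

def _address_matches(prefixes, addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)

def term_matches(conditions, packet):
    """Every condition in a term's 'from' must match (logical AND);
    the values listed under one condition are alternatives (logical OR)."""
    for cond, values in conditions.items():
        if cond == "source-address":
            if not _address_matches(values, packet["src"]):
                return False
        elif cond == "destination-address":
            if not _address_matches(values, packet["dst"]):
                return False
        elif cond == "protocol":
            if packet["proto"] not in values:
                return False
        elif cond == "destination-port":
            if packet.get("dport") not in values:
                return False
        else:
            raise ValueError(f"unsupported match condition: {cond}")
    return True

def evaluate(filter_terms, packet):
    """Return (term name, action) for the first matching term, or
    (None, 'discard') when the packet reaches the implicit discard."""
    for name, conditions, action in filter_terms:
        if term_matches(conditions, packet):
            return name, action
    return None, "discard"

if __name__ == "__main__":
    pkt = {"src": "172.16.5.9", "dst": "10.1.1.1", "proto": "tcp", "dport": 22}
    print(evaluate(SAMPLE_FILTER, pkt))  # ('B', 'discard')
```

Note that a packet from 192.168.1.0/24 to TCP port 22 is accepted by term A before term B is ever consulted, which is why term order matters as much as the conditions themselves.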
