JUNOS High Availability

by James Sonderegger, Orin Blomberg, Kieran Milne, Senad Palislamovic
August 2009
Intermediate to advanced content level
690 pages
English
O'Reilly Media, Inc.
Content preview from JUNOS High Availability

Firewall Filters

A firewall is a fundamental component in securing any network. Devices running JUNOS Software can filter packets at line rate based on their contents, and perform an action on packets that match the filter.

Firewall Filter Syntax

JUNOS devices filter traffic based on straightforward if-then logic. That is, if an incoming packet matches a given filter parameter, then the device takes some action on that packet.

Here is a basic example of the syntax and structure of firewall filter configuration:

[edit]
lab@r1# show firewall
family inet {
    filter samplefilter {
        term A {
            from {
                source-address {
                    192.168.1.0/24;
                }
            }
            then accept;
        }
    }
}

Note

A firewall filter doesn’t actually filter traffic until it is applied to an interface. We cover this later in this chapter.

Firewall filters are defined at the firewall family hierarchy level. You can define filters for IPv4, IPv6, or Multiprotocol Label Switching (MPLS), or they can be protocol-independent. Each filter must have its own name, and each filter has one or more terms. A filter can also refer to another filter. In the previous example, a filter called samplefilter has one term, called A.
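As an added example (not taken from the book), here is a filter with several terms, together with the interface application the note above refers to; the filter name protect-mgmt, the interface ge-0/0/0 and the address block are assumed placeholders. Terms are evaluated in order and the first matching term decides the action; a packet that matches no term at all is discarded, so the final catch-all term makes that default explicit.

```junos
[edit]
lab@r1# show firewall
family inet {
    filter protect-mgmt {
        /* Terms are evaluated top to bottom; the first match decides the action. */
        term allow-trusted-ssh {
            from {
                source-address {
                    192.168.1.0/24;
                }
                protocol tcp;
                destination-port ssh;
            }
            then accept;
        }
        /* SSH from any other source: log the packet and drop it silently. */
        term deny-other-ssh {
            from {
                protocol tcp;
                destination-port ssh;
            }
            then {
                log;
                discard;
            }
        }
        /* Without this catch-all, traffic not matched above is discarded. */
        term allow-everything-else {
            then accept;
        }
    }
}

[edit]
lab@r1# show interfaces ge-0/0/0
unit 0 {
    family inet {
        filter {
            input protect-mgmt;
        }
    }
}
```

Reordering the terms changes the result: if allow-everything-else were listed first, no packet would ever reach the SSH terms.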

The following sections explain the remaining components of firewall filters.

Match conditions

The from statement in a firewall filter specifies the conditions the packet must match for the related action to be taken. Match conditions can include any combination of source and destination addresses, protocol numbers, and ports, as well as specific ...



Publisher Resources

ISBN: 9780596805449