Firewall filters provide a means of protecting your router or switch from excessive traffic, whether that traffic transits the device toward a network destination or is destined for the Routing Engine. Firewall filters that control local packets (packets destined for or originating from the Routing Engine) can also protect the device from external attacks.

You can configure a firewall filter to do the following:

  • Restrict traffic destined for the Routing Engine based on its source, protocol, and application.
  • Limit the traffic rate of packets destined for the Routing Engine to protect against flood, or denial-of-service (DoS) attacks.
  • Address special circumstances associated with fragmented packets destined for the Routing Engine. The device evaluates every packet, including each fragment, against the firewall filter, but only the first fragment carries the Layer 4 header (for example, the TCP or UDP ports). You must therefore configure the filter to accommodate fragments that do not contain that header information; otherwise, terms that match on ports never match the later fragments, and the filter discards all but the first fragment of a fragmented packet.
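The following configuration is an added example, not configuration from the original page, of a family inet filter that does all three of the things listed above: it admits SSH and BGP to the Routing Engine only from specific prefixes, polices ICMP so that a flood cannot monopolize the Routing Engine, and carries an explicit term for non-first fragments, which have no Layer 4 header for the port-based terms to match. The filter, policer and counter names and the prefixes 192.0.2.0/24 and 198.51.100.0/24 are assumptions made for the illustration.

```junos
firewall {
    /* Example policer and filter; all names and prefixes are assumed for this illustration. */
    policer limit-icmp {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        filter protect-re {
            /* Non-first fragments carry no TCP/UDP header, so the port-based terms
               below never match them. Matching on is-fragment plus the IP protocol
               field (present in every fragment) accepts them without opening the
               filter to arbitrary fragmented traffic. */
            term allow-fragments {
                from {
                    is-fragment;
                    protocol [ tcp udp ];
                }
                then {
                    count fragments;
                    accept;
                }
            }
            /* Restrict by source, protocol and application: SSH only from management. */
            term mgmt-ssh {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            /* BGP only from the configured peering range, either direction of the session. */
            term bgp-peers {
                from {
                    source-address {
                        198.51.100.0/24;
                    }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            /* Rate-limit ICMP: packets over the policer limit are discarded. */
            term rate-limit-icmp {
                from {
                    protocol icmp;
                }
                then {
                    policer limit-icmp;
                    accept;
                }
            }
            /* Everything else to the Routing Engine is counted, logged and dropped. */
            term deny-rest {
                then {
                    count re-discards;
                    syslog;
                    discard;
                }
            }
        }
    }
}
```

The filter only takes effect once it is attached as an input filter on the loopback interface lo0, as described under Applying Firewall Filters Overview later on this page. After attaching it, `show firewall filter protect-re` displays the per-term counters, which is the quickest way to confirm that fragments and policed ICMP are landing in the intended terms rather than in deny-rest.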

Statement Hierarchy for Configuring Firewall Filters

To configure a standard firewall filter, you can include the following statements. For an IPv4 standard firewall filter, the family inet statement is optional. For an IPv6 standard firewall filter, the family inet6 statement is mandatory.

You can include the firewall configuration at one of the following hierarchy levels:

• [edit]

• [edit logical-systems logical-system-name]

Firewall Filter Protocol Families

A firewall filter configuration is specific to a particular protocol family. Under the firewall statement, include one of the following statements to specify the protocol family for which you want to filter traffic:

  • family any—To filter protocol-independent traffic.
  • family inet—To filter Internet Protocol version 4 (IPv4) traffic.
  • family inet6—To filter Internet Protocol version 6 (IPv6) traffic.
  • family mpls—To filter MPLS traffic.
  • family vpls—To filter virtual private LAN service (VPLS) traffic.
  • family ccc—To filter Layer 2 circuit cross-connection (CCC) traffic.
  • family bridge—To filter Layer 2 bridging traffic for MX Series 3D Universal Edge Routers only.
  • family ethernet-switching—To filter Layer 2 (Ethernet) traffic.

The family family-name statement is required only to specify a protocol family other than IPv4. To configure an IPv4 firewall filter, you can configure the filter at the [edit firewall] hierarchy level without including the family inet statement, because the [edit firewall] and [edit firewall family inet] hierarchy levels are equivalent.

NOTE: For family bridge filters, the ip-protocol match condition is supported only for IPv4, not for IPv6. This applies to line cards that use the Junos Trio chipset, such as the MX 3D MPC line cards.

Firewall Filter Action Categories

Type of action: Terminating
Description: Halts all evaluation of a firewall filter for a specific packet. The router (or switch) performs the specified action, and no additional terms are used to examine the packet. You can specify only one terminating action in a firewall filter term.
Comment: You can, however, specify one terminating action with one or more nonterminating actions in a single term. For example, within a term, you can specify accept with count and syslog. Regardless of the number of terms that contain terminating actions, once the system processes a terminating action within a term, processing of the entire firewall filter halts.

Type of action: Nonterminating
Description: Performs other functions on a packet (such as incrementing a counter, logging information about the packet header, sampling the packet data, or sending information to a remote host using the system log functionality), but any additional terms are used to examine the packet.
Comment: All nonterminating actions include an implicit accept action. This accept action is carried out if no other terminating action is configured in the same term.

Type of action: Flow control
Description: For standard firewall filters only, the next term action directs the router (or switch) to perform the configured actions on the packet and then, rather than terminate the filter, use the next term in the filter to evaluate the packet. If the next term action is included, the matching packet is evaluated against the next term in the firewall filter. Otherwise, the matching packet is not evaluated against subsequent terms in the firewall filter. For example, when you configure a term with the nonterminating action count, the term's action changes from an implicit discard to an implicit accept, and the packet stops at that term. The next term action forces the continued evaluation of the firewall filter.
Comment: You cannot configure the next term action with a terminating action in the same filter term. However, you can configure the next term action with another nonterminating action in the same filter term. A maximum of 1024 next term actions are supported per standard firewall filter configuration. If you configure a standard firewall filter that exceeds this limit, your candidate configuration results in a commit error. NOTE: On Junos OS Evolved, next term cannot be used as the action of the last term in a filter. A filter term that specifies next term as an action but has no match conditions configured is not supported.
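As an added example, not from the original page, of the flow-control behavior described above: the first term counts every ICMP packet and then hands it on with next term, so the second term still gets to discard ICMP that did not come from the management prefix. Without next term, count alone would trigger the implicit accept and the packet would never reach the discard term. The filter and counter names and the prefix 192.0.2.0/24 are assumptions.

```junos
firewall {
    family inet {
        filter classify-then-police {
            /* Nonterminating count plus next term: the packet is counted and evaluation
               continues with the following term. Writing "then { count icmp-total; }"
               alone would implicitly accept the packet here and end the filter. */
            term count-all-icmp {
                from {
                    protocol icmp;
                }
                then {
                    count icmp-total;
                    next term;
                }
            }
            /* Reached only because the previous term used next term. ICMP from the
               management prefix (assumed 192.0.2.0/24) is excluded from the match. */
            term drop-icmp-from-outside {
                from {
                    source-address {
                        0.0.0.0/0;
                        192.0.2.0/24 except;
                    }
                    protocol icmp;
                }
                then {
                    count icmp-dropped;
                    discard;
                }
            }
            /* Terminating action in the final term; non-ICMP and management ICMP end here. */
            term accept-rest {
                then accept;
            }
        }
    }
}
```

Combining next term with accept, discard or reject in the same then block is rejected at commit, as the comment column states. The term that uses next term here is neither the last term nor a term without match conditions, so the configuration also satisfies the Junos OS Evolved restriction noted above.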
Applying Firewall Filters Overview

You can apply a standard firewall filter to a loopback interface on the router or to a physical or logical interface on the router. You can apply a firewall filter to a single interface or to multiple interfaces on the router. The table below summarizes the behavior of firewall filters based on the point to which you attach the filter.

Firewall Filter Behavior by Filter Attachment Point

Filter attachment point: Loopback interface
Filter behavior: The router's loopback interface, lo0, is the interface to the Routing Engine and carries no data packets. When you apply a firewall filter to the loopback interface, the filter evaluates the local packets received or transmitted by the Routing Engine.
NOTE: ACX5048 and ACX5096 routers do not support the evaluation of packets transmitted by the Routing Engine for a loopback interface filter.

Filter attachment point: Physical interface or logical interface
Filter behavior: When you apply a filter to a physical interface on the router or to a logical interface (or to a member of an aggregated Ethernet bundle defined on the interface), the filter evaluates all data packets that pass through that interface.

Filter attachment point: Multiple interfaces
Filter behavior: You can use the same firewall filter one or more times. On M Series routers, except the M120 and M320 routers, if you apply a firewall filter to multiple interfaces, the filter acts on the sum of traffic entering or exiting those interfaces. On T Series, M120, M320, and MX Series routers, interfaces are distributed among multiple packet-forwarding components. On these routers, you can configure firewall filters and service filters that, when applied to multiple interfaces, act on the individual traffic streams entering or exiting each interface, regardless of the sum of traffic on the multiple interfaces.

Filter attachment point: Single interface with protocol-independent and protocol-specific firewall filters attached
Filter behavior: For interfaces hosted on the following hardware only, you can attach a protocol-independent (family any) firewall filter and a protocol-specific (family inet or family inet6) firewall filter simultaneously. The protocol-independent filter executes first.
  • ACX Series Universal Metro Routers
  • Flexible PIC Concentrators (FPCs) in M7i and M10i Multiservice Edge Routers
  • Modular Interface Cards (MICs) and Modular Port Concentrators (MPCs) in MX Series 5G Universal Routing Platforms
  • T Series Core Routers
NOTE: Interfaces hosted on the following hardware do not support protocol-independent firewall filters:
  • Forwarding Engine Boards (FEBs) in M120 routers
  • Enhanced III FPCs in M320 routers
  • FPC2 and FPC3 modules in MX Series routers
  • Dense Port Concentrators (DPCs) in MX Series routers
  • PTX Series Packet Transport Routers

Statement Hierarchy for Applying Firewall Filters

To apply a standard firewall filter to a logical interface, configure the filter statement for the logical interface defined under either the [edit] or [edit logical-systems logical-system-name] hierarchy level. Under the filter statement, you can include one or more of the following statements: group group-number, input filter-name, input-list filter-name, output filter-name, or output-list filter-name. The hierarchy level at which you attach the filter statement depends on the filter type and device type you are configuring.

Protocol-Independent Firewall Filters on MX Series Routers

To apply a protocol-independent firewall filter to a logical interface on an MX Series router, configure the filter statement directly under the logical unit, not under a protocol family.

All Other Firewall Filters on Logical Interfaces

To apply a standard firewall filter to a logical interface for all cases other than a protocol-independent filter on an MX Series router, configure the filter statement under the protocol family (for example, family inet or family inet6).
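The following configuration is an added example, not the page's own snippet, showing the three attachment points discussed above in one interfaces stanza: a family inet filter on lo0 (which evaluates only Routing Engine traffic), a standard filter and a filter list under the protocol family of a data-plane logical interface, and, on an MX Series interface with supported hardware, a protocol-independent filter placed directly under the unit alongside a family inet filter, with the protocol-independent one evaluated first. The interface names, the address 203.0.113.1/30, and the filter names protect-re, edge-in, edge-out, classify-then-police and police-all are assumptions; each filter is expected to be defined under the firewall hierarchy before this configuration is committed.

```junos
interfaces {
    /* lo0 filter: evaluates local packets received (input) by the Routing Engine only.
       Filter names and addresses in this block are assumed for the example. */
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
    /* Standard (protocol-specific) filters on a logical interface go under the family.
       input-list evaluates the listed filters in order as if they were one filter. */
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input-list [ classify-then-police edge-in ];
                    output edge-out;
                }
                address 203.0.113.1/30;
            }
        }
    }
    /* MX Series only: a protocol-independent (family any) filter is attached directly
       under the unit. On supported hardware it may coexist with a family inet filter
       on the same unit, and the family any filter executes first. */
    ge-0/0/1 {
        unit 0 {
            filter {
                input police-all;
            }
            family inet {
                filter {
                    input edge-in;
                }
                address 203.0.113.5/30;
            }
        }
    }
}
```

After commit, `show interfaces filters` lists which filter is attached at each interface and direction, and `show firewall` shows the counters and policer statistics of every attached filter, which is how to confirm that the lo0 filter is seeing Routing Engine traffic and the interface filters are seeing transit traffic. Attaching a family inet filter under the unit rather than under family inet (or vice versa for family any) fails at commit, which is the practical consequence of the hierarchy rule stated above.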