Policy Framework Configuration Guide - Juniper Networks

Chapter 8: Introduction to Firewall Filters
If a packet arrives on an interface and a firewall filter is not configured for the incoming
traffic on that interface, the packet is accepted by default.
Match Conditions
Match conditions are the fields or values that the packet must contain. You can define
various match conditions, including the IP source address field, IP destination address
field, TCP or User Datagram Protocol UDP source port field, IP protocol field, Internet
Control Message Protocol (ICMP) packet type, IP options, TCP flags, incoming logical or
physical interface, and outgoing logical or physical interface.
Actions
Within a single term, all the match conditions configured must match the packet before
the configured action is taken on the packet. For a single match condition configured
with multiple values, such as a range of values, only one of the values must match the
packet before the match occurs and the configured action is taken on the packet.
Actions fall into the following categories:
• Terminating—A terminating action halts all evaluation of a firewall filter for a specific
packet. The router performs the specified action, and no additional terms are examined.
• Nonterminating
• Actions—Nonterminating actions are used to perform other functions on a packet,
such as incrementing a counter, logging information about the packet header,
sampling the packet data, or sending information to a remote host using the system
log functionality.
• Next Term—The action next term enables the router to perform configured actions
on the packet and then evaluate the following term in the filter, rather than
terminating the filter. If the next term action is included, the matching packet is then
evaluated against the next term in the firewall filter; otherwise, the matching packet
is not evaluated against subsequent terms in the firewall filter. For example, when
you configure a term with the action modifier count, the term’s action changes from
an implicit discard to an implicit accept. The next term action forces the continued
evaluation of the firewall filter.
Terminating and nonterminating actions that are configured within a single term are all
taken on traffic that matches the conditions configured.
Application Points
After you define the firewall filter, you must apply it to an application point. These
application points include logical interfaces, physical interfaces, routing interfaces, and
routing instances. In most cases, you can apply a firewall filter as an input filter or an
output filter, or both at the same time. Input filters take action on packets being received
on the specified interface, whereas output filters take action on packets that are
transmitted through the specified interface. You typically apply one filter with multiple
terms to a single logical interface, to incoming traffic, outbound traffic, or both. However,
there are times when you might want to chain multiple firewall filters (with single or
multiple terms) together and apply them to an interface. You use an input list to apply
Copyright © 2010, Juniper Networks, Inc.
185