Juniper Firewall Filters

published: 23rd of February 2019

Overview

Firewall filters are similar to access control lists (ACLs). Firewall filters are stateless and inspect each packet individually. Because they are stateless traffic must be allowed in both directions.

Configuration

Routing policies and firewall filters have a common structure. Firewall filters are configured under the firewall hierarchy section and are configured per-protocol family type.

Filters contain a list of terms that are groups of match and action statements which define how packets are processed.

config 
firewall {
    family PROTOCOL-FAMILY {
        filter FW-FILTER-NAME {
            term TERM-NAME {
                from {
                    MATCH-CONDITIONS;
                }
                then {
                    ACTIONS;
                }
            }
        }
    }
}

The following rules must be observed when configuring terms in a firewall filter policy.

  • The filter must contain at least one term
  • Terms are evaluated in the order they are defined
  • Each term must have a unique name

Match Conditions

Match conditions generally fall into three categories.

  • Numeric Range
  • Address
  • Bit-field match

Actions

As with routing policy there are a number of actions available when processing firewall filters.

  • Terminating actions
  • Flow control
  • Action modifiers

Terminating actions

Terminating actions halt the processing of the firewall filter. There are three terminating actions.

  • accept - Accepts the traffic
  • reject - Drop the traffic and send ICMP unreachable / administratively prohibited message
  • discard - Silently drop to the traffic
Note
A term that has a match clause but does not contain a terminating action has an implicit accept terminating action.
Note
Firewall filters have a final implicit discard terminating action if no other terminating actions are defined.

Flow Control

The next-term flow control statement is used to force processing of the policy to move to the next term stanza in the policy.

Action Modifiers

Actions modifiers allow the addition of things like count , log and syslog processing to a terminating action.

Note
Action modifiers have an implicit accept terminating action.

Apply Firewall Filters

Firewall filters can be applied in both the inbound and out bound directions.

The protocol family for the firewall filter and the interface must match.

An input-list or output-list can be used to apply multiple firewall filters to an interface.

Transit firewall filters act on traffic flowing from one interface to another within a device.

Firewall filters can be applied to the lo0 interface to protect the RE from unauthorized traffic. Evaluation of these filters is performed by the PFE and is not processed by the RE.

Bibliography

1. Author Unknown (2012) JNCIA-Junos Study Guide-Part 2. Juniper Networks

https://www.juniper.net/documentation/en_US/junos/topics/concept/firewall-filter-stateless-overview.html

https://www.juniper.net/documentation/en_US/junos/topics/concept/firewall-filter-stateless-guidelines-for-configuring.html

https://www.juniper.net/documentation/en_US/junos/topics/concept/firewall-filter-stateless-evaluate-packets.html