Firewall filters are the Junos version of an ACL. They are used to match traffic and apply an action. This can be for security (allow or deny traffic), but it can also be for a policy (such as a routing or CoS policy).
Firewall filters are stateless: each packet is evaluated on its own, with no session table. Stateful filtering is a separate feature, not a mode of the firewall filter: on the SRX it is done with security policies, and on the MX with the stateful firewall service on a services PIC. A stateless filter that permits inbound TCP port 22 permits it whether or not a session exists, so return traffic has to be matched explicitly (for example with the tcp-established match condition, which matches segments with ACK or RST set).
Firewall filters are made of terms, each of which is an individual rule. Terms are evaluated in configuration order, and the first term whose conditions match decides the packet's fate (unless that term uses next term). Use the ‘insert’ configuration command to reorder terms.
Within a term, ‘from’ statements define the match conditions (source-address, destination-address, protocol, source-port, destination-port, and so on). All conditions in a term are ANDed: every one must match for the term's actions to apply. Multiple values for the same condition (several source-address entries, say) are ORed: any one of them satisfies that condition. A term with no from statement matches every packet.
Also within the term are ‘then’ statements, which apply actions to matching traffic. Actions include accept, reject, discard, log, count, sample, next term, and others.
The ‘reject’ action drops the packet and sends an ICMP message back to the source (administratively-prohibited by default; a specific ICMP type can be configured). The ‘discard’ action drops the packet silently, which gives a scanner nothing to learn from and costs the router no ICMP generation, so it is the usual choice on untrusted interfaces.
Actions are terminating or non-terminating. accept, reject, and discard are terminating (as is routing-instance, which hands the packet to another routing instance): once one is applied, evaluation of the filter stops.
Non-terminating actions (log, count, sample, policer, forwarding-class, and others) are applied and evaluation of the same term continues, so a single term can count and log a packet and then accept or discard it.
A term with only non-terminating actions (count alone, say) implicitly accepts the matching packet, which is a common source of accidental permits. Use ‘next term’ to count or log a packet and then continue evaluation with the next term. A packet that matches no term at all hits the implicit discard at the end of every filter, so a filter that only lists what to deny will also drop everything it does not mention.
To be effective, firewall filters need to be applied somewhere. For stateless filtering they are applied to an interface unit in a given direction (input or output). A filter applied as input on lo0 unit 0 is the standard way to protect the routing engine: traffic addressed to the router itself crosses lo0 on its way to the control plane, while transit traffic is unaffected.
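The terms, actions and interface application described above, pulled together into one routing-engine protection filter. This is an added example, not configuration from the original notes; the names PROTECT-RE and MGMT-NETS, the management ranges 192.0.2.0/24 and 198.51.100.0/24, and OSPF as the only routing protocol are assumptions for the example.

```junos
## Added example, not from the original notes. PROTECT-RE, MGMT-NETS, the
## management ranges and the OSPF-only assumption are illustrative; adjust to
## your network. The "##" comment lines must be removed before "load set".

## Management sources, referenced from the filter through a prefix list.
set policy-options prefix-list MGMT-NETS 192.0.2.0/24
set policy-options prefix-list MGMT-NETS 198.51.100.0/24

## Term 1: SSH from management networks only. All three from conditions are ANDed.
set firewall family inet filter PROTECT-RE term allow-mgmt-ssh from source-prefix-list MGMT-NETS
set firewall family inet filter PROTECT-RE term allow-mgmt-ssh from protocol tcp
set firewall family inet filter PROTECT-RE term allow-mgmt-ssh from destination-port ssh
set firewall family inet filter PROTECT-RE term allow-mgmt-ssh then count mgmt-ssh
set firewall family inet filter PROTECT-RE term allow-mgmt-ssh then accept

## Term 2: SSH from anywhere else is logged and dropped silently.
## discard rather than reject, so a scanner gets no ICMP back.
set firewall family inet filter PROTECT-RE term deny-other-ssh from protocol tcp
set firewall family inet filter PROTECT-RE term deny-other-ssh from destination-port ssh
set firewall family inet filter PROTECT-RE term deny-other-ssh then log
set firewall family inet filter PROTECT-RE term deny-other-ssh then discard

## Term 3: count all ICMP but keep evaluating. Without "next term" this term
## would implicitly accept every ICMP packet, because count alone is non-terminating.
set firewall family inet filter PROTECT-RE term count-icmp from protocol icmp
set firewall family inet filter PROTECT-RE term count-icmp then count icmp-to-re
set firewall family inet filter PROTECT-RE term count-icmp then next term

## Term 4: only echo requests may reach the RE; other ICMP falls through to term 6.
set firewall family inet filter PROTECT-RE term allow-ping from protocol icmp
set firewall family inet filter PROTECT-RE term allow-ping from icmp-type echo-request
set firewall family inet filter PROTECT-RE term allow-ping then accept

## Term 5: routing protocol traffic the RE needs (OSPF in this example).
set firewall family inet filter PROTECT-RE term allow-ospf from protocol ospf
set firewall family inet filter PROTECT-RE term allow-ospf then accept

## Term 6: explicit final discard. The implicit discard would drop the same
## packets, but an explicit term gives a counter and log entries to investigate.
set firewall family inet filter PROTECT-RE term deny-rest then count re-discards
set firewall family inet filter PROTECT-RE term deny-rest then log
set firewall family inet filter PROTECT-RE term deny-rest then discard

## Apply in the input direction on lo0: this is where traffic destined to the
## router itself is filtered, and it does not touch transit traffic.
set interfaces lo0 unit 0 family inet filter input PROTECT-RE

## Validate, commit with a rollback timer, then check counters and the binding.
commit check
commit confirmed 5
run show firewall filter PROTECT-RE
run show interfaces filters lo0
```

Commit a lo0 filter with ‘commit confirmed’: if term 1 does not cover the address you are connected from, the filter locks you out, and the automatic rollback is what gets you back in. The example whitelists only SSH, ping and OSPF; anything else the RE legitimately needs (BGP, NTP, DNS, SNMP, BFD) must get its own accept term before deny-rest, and the re-discards counter is the quickest way to find what you forgot.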
Firewall filters can be nested: a term in one filter references another filter with the ‘filter’ statement. Such a term contains only that statement (no from or then), and nesting is limited to one level, so the referenced filter cannot itself reference a filter. Only the root filter is applied to the interface.
Alternatively, a list of firewall filters can be applied to an interface with input-list or output-list (a unit takes either filter input or filter input-list, not both). Filters are evaluated in the order of the list, left to right, and Junos evaluates the list as though the filters had been concatenated into a single filter: a terminating action in an earlier filter ends evaluation for the whole list, and later filters only see packets that no earlier filter terminated. ‘next policy’ is a routing-policy action, not a firewall filter action; the only skip available inside a filter is ‘next term’, which in the last term of one listed filter continues into the first term of the next.
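The nested and list forms side by side, as an added example that is not configuration from the original notes. The filter names, the RFC 1918 source ranges, the server address 203.0.113.10 and the interface ge-0/0/0 are assumptions for the example.

```junos
## Added example, not from the original notes. Filter names, address ranges,
## the 203.0.113.10 server and ge-0/0/0 are illustrative. Remove the "##"
## comment lines before "load set".

## Child filter: drop packets whose source is a private range. The three
## source-address values in one term are ORed.
set firewall family inet filter DENY-PRIVATE-SRC term rfc1918 from source-address 10.0.0.0/8
set firewall family inet filter DENY-PRIVATE-SRC term rfc1918 from source-address 172.16.0.0/12
set firewall family inet filter DENY-PRIVATE-SRC term rfc1918 from source-address 192.168.0.0/16
set firewall family inet filter DENY-PRIVATE-SRC term rfc1918 then count private-src
set firewall family inet filter DENY-PRIVATE-SRC term rfc1918 then discard

## Nested form: the root filter EDGE-IN calls the child from a term that holds
## only the "filter" statement (no from, no then). Nesting is one level deep.
## A packet that matches no term in the child continues with term allow-web.
set firewall family inet filter EDGE-IN term bogons filter DENY-PRIVATE-SRC
set firewall family inet filter EDGE-IN term allow-web from destination-address 203.0.113.10/32
set firewall family inet filter EDGE-IN term allow-web from protocol tcp
set firewall family inet filter EDGE-IN term allow-web from destination-port [ http https ]
set firewall family inet filter EDGE-IN term allow-web then accept
## The implicit discard would cover the rest; an explicit term adds a counter.
set firewall family inet filter EDGE-IN term deny-rest then count edge-discards
set firewall family inet filter EDGE-IN term deny-rest then discard
## Only the root filter is bound to the interface.
set interfaces ge-0/0/0 unit 0 family inet filter input EDGE-IN

## List form: the same two pieces kept as separate filters and applied in order.
## Junos evaluates the list as one concatenated filter, so the discard in
## DENY-PRIVATE-SRC ends evaluation and ALLOW-WEB only sees what the first
## filter did not terminate. An accept-all term at the end of DENY-PRIVATE-SRC
## would turn ALLOW-WEB into dead code, so the deny-rest term lives in the last
## filter of the list, not the first.
set firewall family inet filter ALLOW-WEB term web from destination-address 203.0.113.10/32
set firewall family inet filter ALLOW-WEB term web from protocol tcp
set firewall family inet filter ALLOW-WEB term web from destination-port [ http https ]
set firewall family inet filter ALLOW-WEB term web then accept
set firewall family inet filter ALLOW-WEB term deny-rest then count edge-discards
set firewall family inet filter ALLOW-WEB term deny-rest then discard
## "filter input" and "filter input-list" are mutually exclusive on a unit,
## so the single-filter binding above is removed before the list is applied.
delete interfaces ge-0/0/0 unit 0 family inet filter input
set interfaces ge-0/0/0 unit 0 family inet filter input-list [ DENY-PRIVATE-SRC ALLOW-WEB ]

commit check
run show interfaces filters ge-0/0/0
run show firewall filter DENY-PRIVATE-SRC
```

Both forms give the same packet outcome here; the nested form is the one to use when a shared child (anti-spoofing, bogon lists) must be inserted at a specific position inside a larger filter, while the list form is convenient when the pieces are maintained independently and always run in the same order.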
Firewall filters have an address family (inet, inet6, mpls, vpls, and others). If none is given, ‘inet’ (IPv4) is assumed. An inet filter never sees IPv6 traffic, so an IPv6-enabled interface or lo0 needs its own family inet6 filter or that traffic goes unfiltered.
|set firewall family inet filter NAME
|Create an empty filter
|set firewall family inet filter NAME term NAME from CONDITION
|Match a condition within a term
|set firewall family inet filter NAME term NAME then ACTION
|Apply an action within a term
|set interfaces INTERFACE unit ID family inet filter < input | output > FILTER-NAME
|Apply a filter to an interface
|show interfaces filters | match inet
|Show filters applied to the interface
Understanding Multiple Firewall Filters in a Nested Configuration
Understanding Multiple Firewall Filters Applied as a List
Understanding the Loopback Interface