Firewall Filters






Firewall filters are the Junos version of an ACL. They are used to match traffic and apply an action. This can be for security (allow or deny traffic), but it can also be for a policy (such as a routing or CoS policy).

Generally, firewall filters are stateless. The SRX and MX platforms can support statful firewall filters as well.

Firewall filters contain terms. A term is an individual rule in the firewall filter.

Within a term, we have ‘from’ statements, which are used to match conditions (like source and destination addresses). Multiple from statements are fine, but they all need to match for an action to be applied.

Also within the term are ‘then’ statements. These apply actions to matching traffic. Actions include accept, reject, discard, log, count, sample, next-term, and others.


The ‘reject’ action will deny a packet and send an ICMP response. The ‘discard’ action will deny a packet silently.

Actions may be terminating or non-terminating. Accept, reject, and discard are terminating actions. That means that once the action is applied, processing the firewall filter stops.

A non-terminating action (eg, log, count, etc) can be applied, and the firewall filter can continue to be processed for more actions.

If no terminating action is applied to a term, an implicit accept is used. Alternatively, next-term can be used to continue processing at the next-term.


To be effective, firewall filters need to be applied somewhere. For stateless firewall filtering, they can be applied to an interface. This is applied in a particular direction (input or output).

We can nest firewall filters. In this case, terms will reference other firewall filters. In a case like this, we would only apply the root filter to an interface.

Alternatively, we could apply a list of firewall filters to an interface. Filters are evaluated in order of the list, from left to right. We can use the ‘next-policy’ non-terminating action to prematurely move to the next filter in the list.


Firewall filters have an address family. If no family is applied, then ‘inet’ (IPv4) is assumed.


Command Summary

Command Mode Description
set firewall family inet filter NAME Configuration Create an empty filter
set firewall family inet filter NAME term NAME from CONDITION Configuration Match a condition within a term
set firewall family inet filter NAME term NAME then ACTION Configuration Apply an action within a term
set interfaces INTERFACE unit ID family inet filter < input | output > FILTER-NAME Configuration Apply a filter to an interface
show interfaces filters | match inet Operational Show filters applied to the interface


Additional References

Understanding Multiple Firewall Filters in a Nested Configuration


Understanding Multiple Firewall Filters Applied as a List


Understanding the Loopback Interface


Leave a Reply