Understanding Planning of Firewall Filters
Before you create a firewall filter and apply it to an interface, determine what you want
the firewall filter to accomplish and how to use its match conditions and actions to
achieve your goals. You must understand how packets are matched to match conditions,
the default and configured actions of the firewall filter, and proper placement of the
firewall filter.
You can configure and apply no more than one firewall filter per port, VLAN, or router
interface, per direction. The following limits apply for the number of firewall filter terms
allowed per filter on various switch models:
• On EX2200 switches, the number of terms allowed per filter cannot exceed 512.
• On EX3200 and EX4200 switches, the number of terms allowed per filter cannot exceed 2048.
• On EX8200 switches, the number of terms allowed per filter cannot exceed 32768.
In addition, you should try to be conservative in the number of terms (rules) that you
include in each firewall filter because a large number of terms requires longer processing
time during a commit and also can make firewall filter testing and troubleshooting more
difficult. Similarly, applying firewall filters across many switch and router interfaces can
make testing and troubleshooting the rules of those filters difficult.
Before you configure and apply firewall filters, answer the following questions for each
of those firewall filters:
1. What is the purpose of the firewall filter?
   For example, you can use a firewall filter to limit traffic to source and destination MAC
   addresses, specific protocols, or certain data rates or to prevent denial of service
   (DoS) attacks.
2. What are the appropriate match conditions?
   a. Determine the packet header fields that the packet must contain for a match.
      Possible fields include:
      • Layer 2 header fields—Source and destination MAC addresses, dot1q tag, Ethernet
        type, and VLAN
      • Layer 3 header fields—Source and destination IP addresses, protocols, and IP
        options (IP precedence, IP fragmentation flags, TTL type)
      • TCP header fields—Source and destination ports and flags
      • ICMP header fields—Packet type and code
   b. Determine the port, VLAN, or router interface on which the packet was received.
3. What are the appropriate actions to take if a match occurs?
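The following configuration is an added example that is not part of the Juniper manual; it works through the three planning questions above for one access port. The filter name (access-port-in), the policer name (limit-icmp), the counter names, the interface ge-0/0/5, the management prefix 192.0.2.0/24 and the blocked MAC address 00:00:5e:00:53:01 are all constructed values chosen for illustration. Each term matches on one of the header-field groups listed in question 2 (Layer 2 MAC address, Layer 3 protocol and address, TCP port, ICMP type) and takes one of the actions from question 3 (accept, discard, count, policer), and the filter is applied in the input direction on a single port, which satisfies the one-filter-per-port-per-direction rule.

```junos
firewall {
    /* Question 3 (action): a policer enforces the "certain data rates" case
       by discarding ICMP that exceeds 1 Mbps with a 15 KB burst. */
    policer limit-icmp {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family ethernet-switching {
        /* Question 1 (purpose): stop a rogue DHCP server on the port, drop one
           blocked station, restrict SSH to the management subnet, rate-limit
           ICMP, and let all other traffic through. */
        filter access-port-in {
            /* Layer 3/4 match: DHCP server replies (UDP source port 67) should
               never originate from an access port. */
            term deny-rogue-dhcp-server {
                from {
                    protocol udp;
                    source-port 67;
                }
                then {
                    count rogue-dhcp;
                    discard;
                }
            }
            /* Layer 2 match: constructed MAC from the IANA documentation range. */
            term deny-blocked-mac {
                from {
                    source-mac-address 00:00:5e:00:53:01/48;
                }
                then discard;
            }
            /* Layer 3 + TCP match: SSH is allowed only from the management prefix. */
            term allow-ssh-from-mgmt {
                from {
                    source-address 192.0.2.0/24;
                    protocol tcp;
                    destination-port 22;
                }
                then accept;
            }
            term deny-other-ssh {
                from {
                    protocol tcp;
                    destination-port 22;
                }
                then {
                    count ssh-denied;
                    discard;
                }
            }
            /* ICMP match: echo requests are counted and handed to the policer. */
            term limit-icmp {
                from {
                    protocol icmp;
                    icmp-type echo-request;
                }
                then {
                    policer limit-icmp;
                    count icmp-in;
                    accept;
                }
            }
            /* A Junos filter ends with an implicit discard, so without this
               final term every packet not matched above would be dropped. */
            term allow-rest {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                filter {
                    input access-port-in;
                }
            }
        }
    }
}
```

The filter uses six terms, well inside even the 512-term limit of the EX2200, and the order matters: terms are evaluated top to bottom and the first match wins, so the specific allow-ssh-from-mgmt term must precede the broader deny-other-ssh term. Run commit check before committing, and after the filter is in service use show firewall filter access-port-in to read the rogue-dhcp, ssh-denied and icmp-in counters, which is the quickest way to confirm that the terms are matching the traffic you planned for and nothing else.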
Copyright © 2010, Juniper Networks, Inc.
Chapter 100: Firewall Filters—Overview