Creating a Firewall Filter that Negates a Match


The default router interface behavior is to allow connections from anywhere on the network, but you want to restrict access so connections can be made fom all subnetworks except for a particular one.


Allow Telnet and SSH connections from all subnetworks except

	[edit firewall filter incoming-to-me]
	aviva@router1# set term restrict-telnet-ssh from source-address except
	aviva@router1# set term restrict-telnet-ssh then accept

Then apply the filter to the router's interface:

	[edit interfaces]
	aviva@router1# set fe-0/0/0 unit 0 family inet filter input incoming-to-me



When you want to be less restrictive with a filter's conditions, instead of defining the address, port, or protocol to match, you can do the inverse and define what not to match. This recipe, which is a variation of Recipe 9.8, adds the except keyword to the from term to allow Telnet and SSH connections from all subnetworks except

You can use the except keyword to negate all firewall match terms. Sometimes, you use a separate keyword, as shown in this recipe. Other times, the keyword is built into the match condition, as in the following example, which matches packets from all protocols except TCP, counts them so you can determine the rate of this type of traffic, and then accepts the packets:

	[edit firewall filter incoming-to-me term not-TCP]
	aviva@RouterF# set from protocol-except tcp
	aviva@RouterF# set then count packets-not-tcp
	aviva@RouterF# set then accept

The filter looks like this:

	[edit firewall filter incoming-to-me  term not-TCP ]
	aviva@RouterF# show 
	from {
except tcp;
	then {
	 count packets-not-tcp;

The best way to determine when to use a separate except keyword or whether there is a built-in keyword is to use the CLI online help:

	[edit firewall filter incoming-filter  term 1 ]
	aviva@router1# set from ?
	Possible completions:
	> address Match IP source or destination address
	+ ah-spi Match IPSec AH SPI value
	+ ah-spi-except Do not match IPSec AH SPI value 
	+ apply-groups Groups from which to inherit configuration data
	+ apply-groups-except Don't inherit configuration data from these groups 
	> destination-address Match IP destination address
	+ destination-class Match destination class
	+ destination-class-except Do not match destination class 
	+ destination-port Match TCP/UDP destination port
	+ destination-port-except Do not match TCP/UDP destination port 
	> destination-prefix-list Match IP destination prefixes in named list
	+ dscp Match Differentiated Services (DiffServ) code point
	+ dscp-except Do not match Differentiated Services (DiffServ) code point
	+ esp-spi Match IPSec ESP SPI value
	+ esp-spi-except Do not match IPSec ESP SPI value 
	 first-fragment Match if packet is the first fragment
	+ forwarding-class Match forwarding class
	+ forwarding-class-except Do not match forwarding class 
	 fragment-flags Match fragment flags
	+ fragment-offset Match fragment offset
	+ fragment-offset-except Do not match fragment offset 
	+ icmp-code Match ICMP message code
	+ icmp-code-except Do not match ICMP message code 
	+ icmp-type Match ICMP message type
	+ icmp-type-except Do not match ICMP message type 
	> interface Match interface name
	+ interface-group Match interface group
	+ interface-group-except Do not match interface group 
	> interface-set Match interface in set
	+ ip-options Match IP options
	+ ip-options-except Do not match IP options 
	is-fragment Match if packet is a fragment
	+ packet-length Match packet length
	+ packet-length-except Do not match packet length 
	+ port Match TCP/UDP source or destination port
	+ port-except Do not match TCP/UDP source or destination port
	+ precedence Match IP precedence value
	+ precedence-except Do not match IP precedence value 
	> prefix-list Match IP source or destination prefixes in named list
	+ protocol Match IP protocol type
	+ protocol-except Do not match IP protocol type 
	> source-address Match IP source address
	+ source-class Match source class
	+ source-class-except Do not match source class 
	+ source-port Match TCP/UDP source port
	+ source-port-except Do not match TCP/UDP source port 
	> source-prefix-list Match IP source prefixes in named list
	tcp-established Match packet of an established TCP connection
	tcp-flags Match TCP flags
	tcp-initial Match initial packet of a TCP connection

You use the separate keyword with all match conditions that do not have an -except version.

Router Configuration and File Management

Basic Router Security and Access Control





Router Interfaces

IP Routing

Routing Policy and Firewall Filters







IP Multicast

JUNOS Cookbook
Junos Cookbook (Cookbooks (OReilly))
ISBN: 0596100140
EAN: 2147483647
Year: 2007
Pages: 290
Authors: Aviva Garrett © 2008-2020.
If you may any questions please contact us: