Policy Framework Configuration Guide - Juniper Networks

Junos 10.4 Policy Framework Configuration Guide
• tcp-established—For IPv4, specify the match protocol tcp in the same term. For IPv6,
specify the match next-header tcp in the same term.
• tcp-flags—For IPv4, specify the match protocol tcp in the same term. For IPv6, specify
the match next-header tcp in the same term.
• tcp-initial—For IPv4, specify the match protocol tcp in the same term. For IPv6, specify
the match next-header tcp in the same term.
When examining match conditions, the Junos OS tests only the specified field itself. The
software does not also test the IP header to determine that the packet is indeed an IP
packet.
If you do not explicitly specify the protocol, when using the fields listed previously, design
your filters carefully to ensure that they are performing the expected matches. For
example, if you specify a match of destination-port ssh, the Junos OS deterministically
matches any packets that have a value of 22 in the 2-byte field that is 2 bytes beyond
the end of the IP header, without ever checking the IP protocol field.
Example: Matching on Destination Port and Protocol Fields
The first term matches all packets except for TCP and UDP packets, so only TCP and
UDP packets are evaluated by the third term (term test-a-port):
[edit]
firewall {
family inet {
filter test-filter {
term all-but-tcp-and-udp {
from {
protocol-except [tcp udp];
}
then accept;
}
term test-an-address {
from {
address 192.168/16;
}
then reject;
}
term test-a-port {
from {
destination-port [ssh dns];
}
then accept;
}
term dump-anything-else {
then reject;
}
}
}
}
218
Copyright © 2010, Juniper Networks, Inc.