
[Junos] Firewall filter behavior when applied to interface by using input-list/output-list


Article ID: KB13057    Last Updated: 09 Nov 2012    Version: 3.0
Summary:
This article describes the order in which the filters of an input-list/output-list are evaluated when the list is applied to an interface, and which implicit deny takes effect.
Symptoms:
Firewall filters behave differently with respect to the implicit deny when they are applied to an interface with input-list/output-list instead of a single input/output statement.
Cause:

Solution:
Normally a firewall filter has an implicit deny at the end, which discards everything that does not match any of its terms. The filter is applied to an interface with an input or output statement, according to the direction in which it needs to act. The input-list/output-list statement is used to apply several filter modules to an interface in sequence.

When applying the filters using the input-list/output-list, only the implicit deny of the last filter module is considered.

Example:

user@router# show firewall
filter test {
    term 1 {
        from {
            source-address {
                172.16.1.1/32;
            }
        }
        then accept;
    }
}
filter test1 {
    term 1 {
        from {
            source-address {
                192.16.1.1/32;
            }
        }
        then accept;
    }
}

The filters are then applied to the interface, for this example, on ge-0/1/1:

user@router# show interfaces ge-0/1/1
unit 0 {
    family inet {
        filter {
            input-list [ test test1 ];
        }
    }
}


When input traffic arrives on the ge-0/1/1 interface, the filter test is evaluated first to check whether the traffic matches any of its terms.

If it matches, the traffic exits the input-list chain and the action of the matching term is applied. If it does not match, evaluation proceeds to the next filter, test1, and its terms are checked for a match.

If none of the filters match the traffic, it then applies the default action.

Note: By default, each firewall filter ends with an implicit deny-all term. The final default action is to discard all packets. The packets that do not match any of the configured match conditions in a firewall filter are silently discarded.
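The following Python model is an added example, not Juniper code or output from the article; it reproduces the evaluation order described above (filters in the list run in sequence, the first matching term ends the chain, and the implicit discard applies only after the last filter) so that the difference between applying `test` alone and applying `[ test test1 ]` can be checked for concrete source addresses. The `Term`, `Filter`, `evaluate_list` and `evaluate_single` names are assumptions of this model; the two filters and the addresses 172.16.1.1 and 192.16.1.1 are taken from the article's example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed model of the behaviour described in KB13057:
#   - filters in an input-list/output-list are evaluated in list order
#   - the first term that matches ends the chain and its action is applied
#   - a packet that matches no term of a filter proceeds to the next filter
#   - only after the last filter does the implicit deny-all (discard) apply


@dataclass
class Term:
    name: str
    action: str                                   # "accept" | "discard" | "reject"
    source_prefixes: list = field(default_factory=list)  # empty list == match any

    def matches(self, src: str) -> bool:
        if not self.source_prefixes:
            return True
        addr = ip_address(src)
        return any(addr in ip_network(p) for p in self.source_prefixes)


@dataclass
class Filter:
    name: str
    terms: list


def evaluate_list(filters, src: str):
    """Evaluate an input-list for a packet with source address src.

    Returns (action, where): where names the filter/term that decided, or
    "implicit-deny" when no term in any filter matched.
    """
    for f in filters:
        for t in f.terms:
            if t.matches(src):
                return t.action, f"{f.name}/{t.name}"   # match: exit the chain
        # no match in this filter: its implicit deny is skipped, continue
    return "discard", "implicit-deny"                   # implicit deny of the last filter


def evaluate_single(f: Filter, src: str):
    """A single filter applied with plain 'input': its implicit deny applies directly."""
    return evaluate_list([f], src)


# Filters from the article's example.
TEST = Filter("test", [Term("1", "accept", ["172.16.1.1/32"])])
TEST1 = Filter("test1", [Term("1", "accept", ["192.16.1.1/32"])])

# Variant of 'test' with an explicit catch-all discard term (constructed): because an
# explicit match ends the chain, placing it in a non-last filter prevents test1 from
# ever being evaluated.
TEST_WITH_EXPLICIT_DENY = Filter("test", [
    Term("1", "accept", ["172.16.1.1/32"]),
    Term("deny-all", "discard"),
])


if __name__ == "__main__":
    for src in ("172.16.1.1", "192.16.1.1", "10.0.0.1"):
        print(src, "input test       ->", evaluate_single(TEST, src))
        print(src, "input-list [test test1] ->", evaluate_list([TEST, TEST1], src))
        print(src, "input-list [test(+deny) test1] ->",
              evaluate_list([TEST_WITH_EXPLICIT_DENY, TEST1], src))
```

Run stand-alone, the script shows that 192.16.1.1 is discarded when `test` is applied on its own but accepted by `test1` when the two filters are chained, while an explicit catch-all discard term inside `test` stops the chain before `test1` is reached.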