ACX does not support firewall filters on a loopback interface; users will see an error message logged by the Packet Forwarding Engine. This article provides a forwarding table filter configuration.

When configuring a firewall filter and applying it on a loopback interface, the following message will be logged from the Packet Forwarding Engine (PFE):

[Feb 2 22:46:16.460 LOG: Err] ACX Error (dfw):acx_dfw_bind :Filter(protect_RE-lo0.0-i) attachment to Loop-back interface is not supported
[Feb 2 22:46:54.005 LOG: Debug] PFESVCS: Input IFL not part of default RTB
[Feb 2 22:47:56.701 LOG: Err] ACX Error (dfw):acx_dfw_bind :Filter(protect_RE-lo0.0-i) attachment to Loop-back interface is not supported

Sample configuration (here we only allow the ICMP protocol to simplify):

lab# show firewall family inet filter protect_RE
interface-specific;
term 1 {
    from {
        protocol icmp;
    }
    then {
        count icmp_accept;
        accept;
    }
}
term 2 {
    then {
        count others_discard;
        discard;
    }
}
lab# show interfaces lo0
unit 0 {
    family inet {
        filter {
            input protect_RE;
        }
        address 10.255.6.6/32;
    }
}

A solution is to either configure the forwarding table filter or attach the filter to all Layer 3 interfaces on the ACX device.

Forwarding table filter configuration:

lab# show firewall family inet filter protect_RE 
interface-specific;
term icmp_accept {
    from {
        destination-address {
            10.255.6.6/32;
        }
        protocol icmp;       
    }
    then {
        count icmp_accept;
        accept;
    }
}
/***omit other terms which may include all the procotols need to be accepted depends on design****/
term discard {
    then {
        count others_discard;
        discard;
    }
}
lab# show routing-instances test 
forwarding-options {
    family inet {
        filter {
            input protect_RE;
        }
    }
}

Note: The loopback primary address is the destination.