specifying family under firewall configuration
What is the idea of specifying family under firewall configuration? For example one could configure "firewall family inet filter":
firewall {
    family {
        inet {
            filter TEST-FILTER {
                term TEST-TERM {
                    from {
                        source-address {
                            10.10.10.0/24 except;
                            0.0.0.0/0;
                        }
                        destination-address {
                            10.10.10.22/32;
                            10.10.10.77/32;
                        }
                    }
                    then {
                        count TEST-TERM;
                        discard;
                    }
                }
                term other {
                    then accept;
                }
            }
        }
    }
}
..or just "firewall filter":
firewall {
    filter TEST-FILTER {
        term TEST-TERM {
            from {
                source-address {
                    10.10.10.0/24 except;
                    0.0.0.0/0;
                }
                destination-address {
                    10.10.10.22/32;
                    10.10.10.77/32;
                }
            }
            then {
                count TEST-TERM;
                discard;
            }
        }
        term other {
            then accept;
        }
    }
}
I mean once you associate firewall filter with an interface you need to do this under specific family anyway:
root# set interfaces fxp0 unit 0 fi?
No valid completions
[edit]
root# set interfaces fxp0 unit 0 family inet filter ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  group                Group to which interface belongs (0..255)
> input                Filter to be applied to received packets
+ input-list           List of filter modules applied to received packets
> output               Filter to be applied to transmitted packets
+ output-list          List of filter modules applied to transmitted packets
[edit]
root# set interfaces fxp0 unit 0 family inet filter
Or are there situations when "firewall family inet filter" becomes necessary?
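The TEST-FILTER above is small, but two of its details are easy to misread: the `except` entry in the source-address list (longest-match decides, and a match on an `except` prefix is a non-match, so 10.10.10.0/24 is carved out of 0.0.0.0/0), and the first-matching-term rule with the implicit discard at the end. The following Python model is an added example, not part of the question or of Junos itself; it re-implements those two rules for the filter in the question so the resulting action and counter can be checked offline for sample packets, and it includes a small normaliser that rewrites the legacy `set firewall filter ...` form to the explicit `set firewall family inet filter ...` form (the two hierarchies being equivalent for IPv4) so that configs written either way can be diffed. The packet addresses used in the usage call are constructed.

```python
"""Model of a Junos-style IPv4 firewall filter (added example, not Junos code).

Reproduces two rules a reader of the thread's TEST-FILTER needs:
  * address lists use longest-prefix match, and a longest match on an
    `except` entry means the address does NOT match the list;
  * terms are evaluated in order, the first match decides, and a packet
    matching no term is discarded (Junos' implicit final discard).
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# An address list entry is (prefix, is_except), mirroring "10.10.10.0/24 except;"
AddressList = List[Tuple[str, bool]]


@dataclass
class Term:
    name: str
    source_address: AddressList = field(default_factory=list)
    destination_address: AddressList = field(default_factory=list)
    action: str = "accept"        # "accept" or "discard"
    count: Optional[str] = None   # counter name from "then count <name>"


def address_matches(addr: str, entries: AddressList) -> bool:
    """Return True if addr matches the list under Junos longest-match semantics.

    An empty list means the term places no condition on that address.
    """
    if not entries:
        return True
    ip = ip_address(addr)
    best = None  # (network, is_except) of the longest matching prefix so far
    for prefix, is_except in entries:
        net = ip_network(prefix, strict=False)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, is_except)
    return best is not None and not best[1]


def evaluate(terms: List[Term], src: str, dst: str, counters: Dict[str, int]) -> str:
    """Apply the filter to one packet; update counters; return the action taken."""
    for term in terms:
        if address_matches(src, term.source_address) and address_matches(dst, term.destination_address):
            if term.count:
                counters[term.count] = counters.get(term.count, 0) + 1
            return term.action
    return "discard"  # implicit final discard when no term matches


# The filter from the question, expressed in the model above.
TEST_FILTER = [
    Term(
        name="TEST-TERM",
        source_address=[("10.10.10.0/24", True), ("0.0.0.0/0", False)],
        destination_address=[("10.10.10.22/32", False), ("10.10.10.77/32", False)],
        action="discard",
        count="TEST-TERM",
    ),
    Term(name="other", action="accept"),
]


def canonical_set_path(statement: str) -> str:
    """Rewrite the legacy 'set firewall filter ...' form to the explicit
    'set firewall family inet filter ...' form; other statements pass through."""
    legacy = "set firewall filter "
    if statement.startswith(legacy):
        return "set firewall family inet filter " + statement[len(legacy):]
    return statement


if __name__ == "__main__":
    counters: Dict[str, int] = {}
    # Constructed sample packets: (source, destination)
    samples = [
        ("192.0.2.1", "10.10.10.22"),    # outside source to protected host -> discard
        ("10.10.10.5", "10.10.10.22"),   # source inside the except prefix -> accept
        ("192.0.2.1", "10.10.10.23"),    # destination not listed -> accept
    ]
    for src, dst in samples:
        print(f"{src} -> {dst}: {evaluate(TEST_FILTER, src, dst, counters)}")
    print("counters:", counters)
    print(canonical_set_path("set firewall filter TEST-FILTER term other then accept"))
```

The `except` handling is the part worth keeping in mind when auditing such a filter: because 10.10.10.0/24 is the longest match for 10.10.10.5, TEST-TERM does not match that packet at all, it falls through to `other`, and it is accepted even though the destination is one of the listed hosts.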
Comments
networker050184 Mod Posts: 11,962
As far as I know they function exactly the same and can be used interchangeably.
An expert is a man who has made all the mistakes which can be made.
Aldur Member Posts: 1,460
A little history first.
Before Junos supported other protocol families, such as IPv6, there was only IPv4 support (which I believe was over 10 years ago), and so there was no need to specify which family when configuring a firewall filter. Then, when the need for support of other protocols such as IPv6 came about, there was a need to specify which family a firewall filter was being configured for.
So basically [edit firewall filter] and [edit firewall family inet filter] are the exact same thing. The only reason [edit firewall filter] is there is because it is a carry-over from the old days. In that regard I would recommend always using the "family inet" version of it to avoid confusion.
"Bribe is such an ugly word. I prefer extortion. The X makes it sound cool."
-Bender
m4rtin Member Posts: 170
In addition, it looks like newer JUNOS (for example 10.4R9.2) supports associating the firewall filter directly with the unit:
root@Olive# set interfaces fxp2 unit 0 filter ?
Feb 28 22:31:09
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  input                Name of filter applied to received packets
  output               Name of filter applied to transmitted packets
[edit]
root@Olive# set interfaces fxp2 unit 0 filter
This should make specifying "family" under "firewall" mandatory?
Aldur Member Posts: 1,460
That's for a fxp interface on an olive...
On a real router, even an fxp interface, you can't set the filter directly under the unit. BTW, this is on 11.1 code, but I suspect it's the same on 10.4.
lab@R1# set unit 0 f?
Possible completions:
> family               Protocol family
[edit interfaces]
lab@R1# set fxp0 unit 0 f?
Possible completions:
> family               Protocol family
Although, I do agree that it would be nice to make the "family" part mandatory, there are probably some very big ISPs out there who have always just used "firewall filter" for their ACLs. This would cause a lot of headache if Juniper suddenly removed the ability to do this.
So for me, I'll just always use the "firewall family <x> filter" config, and I'll be aware that "firewall filter" is the same thing as "firewall family <x> filter". But either way, it's not gonna keep me up at night.
"Bribe is such an ugly word. I prefer extortion. The X makes it sound cool."
-Bender
m4rtin Member Posts: 170
That's for a fxp interface on an olive...
On a real router, even an fxp interface, you can't set the filter directly under the unit. BTW, this is on 11.1 code, but I suspect it's the same on 10.4.
lab@R1# set unit 0 f?
Possible completions:
> family               Protocol family
[edit interfaces]
lab@R1# set fxp0 unit 0 f?
Possible completions:
> family               Protocol family
Although, I do agree that it would be nice to make the "family" part mandatory, there are probably some very big ISPs out there who have always just used "firewall filter" for their ACLs. This would cause a lot of headache if Juniper suddenly removed the ability to do this.
So for me, I'll just always use the "firewall family <x> filter" config, and I'll be aware that "firewall filter" is the same thing as "firewall family <x> filter". But either way, it's not gonna keep me up at night.
Associating a firewall filter directly with an interface unit should be possible at least on the MX series. For example on an MX960:
root@MX960# set interfaces xe-5/0/0 unit 0 filter ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  input                Name of filter applied to received packets
  output               Name of filter applied to transmitted packets
{master}[edit]
root@MX960# set interfaces xe-5/0/0 unit 0 filter
Aldur Member Posts: 1,460
Interesting, I haven't worked much with the MX's, but it's good to know that a firewall filter can be directly applied under the unit and not the family on those routers.
"Bribe is such an ugly word. I prefer extortion. The X makes it sound cool."
-Bender