specifying family under firewall configuration
What is the idea of specifying family under firewall configuration? For example one could configure "firewall family inet filter":
firewall {
    family {
        inet {
            filter TEST-FILTER {
                term TEST-TERM {
                    from {
                        source-address {
                            10.10.10.0/24 except;
                            0.0.0.0/0;
                        }
                        destination-address {
                            10.10.10.22/32;
                            10.10.10.77/32;
                        }
                    }
                    then {
                        count TEST-TERM;
                        discard;
                    }
                }
                term other {
                    then accept;
                }
            }
        }
    }
}
..or just "firewall filter":
firewall {
    filter TEST-FILTER {
        term TEST-TERM {
            from {
                source-address {
                    10.10.10.0/24 except;
                    0.0.0.0/0;
                }
                destination-address {
                    10.10.10.22/32;
                    10.10.10.77/32;
                }
            }
            then {
                count TEST-TERM;
                discard;
            }
        }
        term other {
            then accept;
        }
    }
}
I mean, once you associate a firewall filter with an interface, you need to do this under a specific family anyway:
root# set interfaces fxp0 unit 0 fi?
No valid completions
[edit]
root# set interfaces fxp0 unit 0 family inet filter ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  group                Group to which interface belongs (0..255)
> input                Filter to be applied to received packets
+ input-list           List of filter modules applied to received packets
> output               Filter to be applied to transmitted packets
+ output-list          List of filter modules applied to transmitted packets
[edit]
root# set interfaces fxp0 unit 0 family inet filter
Or are there situations when "firewall family inet filter" becomes necessary?

Comments
Before Junos supported other protocol families, such as IPv6, there was only IPv4 support (which I believe was over 10 years ago), and so there was no need to specify which family when configuring a firewall filter. Then, when the need for support of other protocols, such as IPv6, came about, there was a need to specify which family a firewall filter was being configured for.
So basically [edit firewall filter] and [edit firewall family inet filter] are the exact same thing. The only reason [edit firewall filter] is there is because it is a carryover from the old days. In that regard, I would recommend always using the "family inet" version of it to avoid confusion.
-Bender
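An added example, not part of the original thread: a Python lint over `display set` style configuration that rewrites family-less `firewall filter` definitions to the explicit `family inet` form described in the answer above, and flags interface bindings whose family has no filter of that name. The sample configuration, the V6-IN filter and the ge-0/0/0 interface are constructed for illustration.

```python
import re

# Constructed sample in "display set" style; TEST-FILTER is the filter from the question.
SAMPLE = """\
set firewall filter TEST-FILTER term TEST-TERM from source-address 10.10.10.0/24 except
set firewall filter TEST-FILTER term TEST-TERM from source-address 0.0.0.0/0
set firewall filter TEST-FILTER term TEST-TERM then count TEST-TERM
set firewall filter TEST-FILTER term TEST-TERM then discard
set firewall filter TEST-FILTER term other then accept
set firewall family inet6 filter V6-IN term all then accept
set interfaces fxp0 unit 0 family inet filter input TEST-FILTER
set interfaces ge-0/0/0 unit 0 family inet6 filter input TEST-FILTER
"""

LEGACY = re.compile(r"^set firewall filter (\S+)(.*)$")
EXPLICIT = re.compile(r"^set firewall family (\S+) filter (\S+)")
BINDING = re.compile(r"^set interfaces (\S+) unit (\S+) family (\S+) filter (input|output) (\S+)$")


def audit(config_text):
    """Return (normalized_lines, legacy_filter_names, unresolved_bindings)."""
    normalized, legacy, defined, bindings = [], [], set(), []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LEGACY.match(line)
        if m:
            name, rest = m.groups()
            # Per the thread, the family-less form is the IPv4 (inet) filter.
            line = f"set firewall family inet filter {name}{rest}"
            if name not in legacy:
                legacy.append(name)
        m = EXPLICIT.match(line)
        if m:
            defined.add((m.group(1), m.group(2)))
        m = BINDING.match(line)
        if m:
            bindings.append(m.groups())
        normalized.append(line)
    # Unresolved: the binding's family has no filter defined under that name.
    unresolved = [b for b in bindings if (b[2], b[4]) not in defined]
    return normalized, legacy, unresolved


if __name__ == "__main__":
    lines, legacy, unresolved = audit(SAMPLE)
    print("\n".join(lines))
    print("legacy-form filters:", legacy, "| unresolved bindings:", unresolved)
```

In the sample, the fxp0 binding resolves because the legacy definition counts as an inet filter, while the inet6 binding to the same name is reported as unresolved.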
This should make specifying "family" under "firewall" mandatory?
On a real router, even an fxp interface, you can't set the filter directly under the unit. BTW, this is on 11.1 code, but I suspect it's the same on 10.4.
Although, I do agree that it would be nice to make the "family" part mandatory, there are probably some very big ISPs out there who have always just used "firewall filter" for their ACLs. This would cause a lot of headache if Juniper suddenly removed the ability to do this.
So for me, I'll just always use the "firewall family <x> filter" config, and I'll be aware that "firewall filter" is the same thing as "firewall family <x> filter". But either way, it's not gonna keep me up at night.
-Bender
Associating firewall filter directly with an interface unit should be possible at least on MX series. For example MX960:
-Bender