
specifying family under firewall configuration

m4rtin Member Posts: 170
What is the idea of specifying family under firewall configuration? For example one could configure "firewall family inet filter":
firewall {
    family {
        inet {
            filter TEST-FILTER {
                term TEST-TERM {
                    from {
                        source-address {
                            10.10.10.0/24 except;
                            0.0.0.0/0;
                        }
                        destination-address {
                            10.10.10.22/32;
                            10.10.10.77/32;
                        }
                    }       
                    then {
                        count TEST-TERM;
                        discard;
                    }
                }
                term other {
                    then accept;
                }
            }
        }
    }
}

..or just "firewall filter":
firewall {
    filter TEST-FILTER {
        term TEST-TERM {
            from {
                source-address {
                    10.10.10.0/24 except;
                    0.0.0.0/0;
                }
                destination-address {
                    10.10.10.22/32;
                    10.10.10.77/32;
                }
            }       
            then {
                count TEST-TERM;
                discard;
            }
        }
        term other {
            then accept;
        }
    }
}

I mean once you associate firewall filter with an interface you need to do this under specific family anyway:
root# set interfaces fxp0 unit 0 fi?                   
No valid completions
[edit]
root# set interfaces fxp0 unit 0 family inet filter ?   
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  group                Group to which interface belongs (0..255)
> input                Filter to be applied to received packets
+ input-list           List of filter modules applied to received packets 
> output               Filter to be applied to transmitted packets
+ output-list          List of filter modules applied to transmitted packets 
[edit]
root# set interfaces fxp0 unit 0 family inet filter

Or are there situations when "firewall family inet filter" becomes necessary?
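Added example, not from the thread: a small Python model of the TEST-FILTER above, showing what the "except" entry and first-match term order actually do. It assumes Junos semantics where the longest prefix containing the address decides an address-list match (and a prefix flagged except means no match), and that an unmatched packet hits the implicit discard.

```python
import ipaddress

# Constructed model of TEST-FILTER from the post above. A term matches when
# every from-condition matches; terms are evaluated in order and the first
# match wins. An address list matches when the longest prefix containing the
# address is NOT flagged "except" (assumed Junos longest-match semantics).
TEST_FILTER = [
    {
        "name": "TEST-TERM",
        "from": {
            "source-address": [("10.10.10.0/24", True), ("0.0.0.0/0", False)],
            "destination-address": [("10.10.10.22/32", False),
                                    ("10.10.10.77/32", False)],
        },
        "count": "TEST-TERM",
        "then": "discard",
    },
    {"name": "other", "from": {}, "then": "accept"},
]

def address_list_matches(addr, prefixes):
    """True if the longest prefix containing addr is not an 'except' entry."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, is_except in prefixes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, is_except)
    return best is not None and not best[1]

def evaluate(filter_terms, src, dst, counters=None):
    """Return (term_name, action) for the first matching term, bumping the
    term's counter. Assumption: no matching term means the implicit discard."""
    for term in filter_terms:
        conds = term["from"]
        checks = (("source-address", src), ("destination-address", dst))
        if all(address_list_matches(a, conds[k]) for k, a in checks if k in conds):
            if counters is not None and "count" in term:
                counters[term["count"]] = counters.get(term["count"], 0) + 1
            return term["name"], term["then"]
    return None, "discard"

if __name__ == "__main__":
    hits = {}
    # Constructed sample flows: outside host to a protected host, inside host
    # to a protected host, outside host to an unprotected host.
    for src, dst in (("192.0.2.5", "10.10.10.22"), ("10.10.10.5", "10.10.10.22"),
                     ("192.0.2.5", "10.10.10.23")):
        print(src, "->", dst, evaluate(TEST_FILTER, src, dst, hits))
    print("counters:", hits)
```

The net effect of the posted filter is: traffic to 10.10.10.22 or 10.10.10.77 is counted and discarded unless it originates inside 10.10.10.0/24; everything else is accepted by the "other" term.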

Comments

  • networker050184 Mod Posts: 11,962
    As far as I know they function exactly the same and can be used interchangeably.
    An expert is a man who has made all the mistakes which can be made.
  • Aldur Member Posts: 1,460
    A little history first.

    Before Junos supported other protocol families, such as IPv6, there was only IPv4 support (which I believe was over 10 years ago), and so there was no need to specify which family when configuring a firewall filter. Then, when the need for support of other protocols, such as IPv6, came about, there was a need to specify which family a firewall filter was being configured for.

    So basically [edit firewall filter] and [edit firewall family inet filter] are the exact same thing. The only reason [edit firewall filter] is there is because it is a carry-over from the old days. In that regard I would recommend always using the "family inet" version of it to avoid confusion.
    "Bribe is such an ugly word. I prefer extortion. The X makes it sound cool."

    -Bender
  • m4rtin Member Posts: 170
    In addition, it looks like newer JUNOS (for example 10.4R9.2) supports associating the firewall filter directly with a unit:
    root@Olive# set interfaces fxp2 unit 0 filter ?  
    Feb 28 22:31:09
    Possible completions:
    + apply-groups         Groups from which to inherit configuration data
    + apply-groups-except  Don't inherit configuration data from these groups
      input                Name of filter applied to received packets
      output               Name of filter applied to transmitted packets
    [edit]
    root@Olive# set interfaces fxp2 unit 0 filter    
    

    This should make specifying "family" under "firewall" mandatory?
  • Aldur Member Posts: 1,460
    That's for an fxp interface on an Olive...

    On a real router, even an fxp interface, you can't set the filter directly under the unit. BTW, this is on 11.1 code, but I suspect it's the same on 10.4.
    lab@R1# set unit 0 f?
    Possible completions:
    > family               Protocol family
    
    [edit interfaces]
    lab@R1# set fxp0 unit 0 f? 
    Possible completions:
    > family               Protocol family
    

    Although, I do agree that it would be nice to make the "family" part mandatory, there are probably some very big ISPs out there who have always just used "firewall filter" for their ACLs. This would cause a lot of headache if Juniper suddenly removed the ability to do this.

    So for me, I'll just always use the "firewall family <x> filter" config, and I'll be aware that "firewall filter" is the same thing as "firewall family <x> filter". But either way, it's not gonna keep me up at night. :D
    "Bribe is such an ugly word. I prefer extortion. The X makes it sound cool."

    -Bender
  • m4rtin Member Posts: 170
    Aldur wrote: »
    That's for an fxp interface on an Olive...

    On a real router, even an fxp interface, you can't set the filter directly under the unit. BTW, this is on 11.1 code, but I suspect it's the same on 10.4.
    lab@R1# set unit 0 f?
    Possible completions:
    > family               Protocol family
    
    [edit interfaces]
    lab@R1# set fxp0 unit 0 f? 
    Possible completions:
    > family               Protocol family
    

    Although, I do agree that it would be nice to make the "family" part mandatory, there are probably some very big ISPs out there who have always just used "firewall filter" for their ACLs. This would cause a lot of headache if Juniper suddenly removed the ability to do this.

    So for me, I'll just always use the "firewall family <x> filter" config, and I'll be aware that "firewall filter" is the same thing as "firewall family <x> filter". But either way, it's not gonna keep me up at night. :D

    Associating firewall filter directly with an interface unit should be possible at least on MX series. For example MX960:
    root@MX960# set interfaces xe-5/0/0 unit 0 filter ? 
    Possible completions:
    + apply-groups         Groups from which to inherit configuration data
    + apply-groups-except  Don't inherit configuration data from these groups
      input                Name of filter applied to received packets
      output               Name of filter applied to transmitted packets
    {master}[edit]
    root@MX960# set interfaces xe-5/0/0 unit 0 filter
    
  • Aldur Member Posts: 1,460
    Interesting, I haven't worked much with the MX's, but it's good to know that a firewall filter can be directly applied under the unit and not the family on those routers.
    "Bribe is such an ugly word. I prefer extortion. The X makes it sound cool."

    -Bender