Re: Firewall filter to restrict traffic for one interface


AshvinO wrote:

Hi,

The filter with match condition source-address 192.168.1.66 should be applied as an output filter for it to work. Please check Option 1.

You could try using match address 192.168.1.66/32 to avoid confusion:

Possible completions:
> address              Match IP source or destination address

firewall {
    family ethernet-switching {
        filter NAS-Filter {
            term NAS-Filter-Allow {
                from {
                    address {
                        192.168.1.66/32;
                    }
                }
                then {
                    accept;
                }
            }
        }
    }
}
interfaces {
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                filter {
                    input NAS-Filter;
                }
            }
        }
    }
}

Cheers,

Ashvin


You're saying to specify 192.168.1.66/32 as the source-address for an output filter, but that is backwards.  An output filter is for traffic going out of an interface, so it should use destination-address.  Likewise, the input filter should use source-address.  That is how Juniper explains the filter terms here:

http://www.juniper.net/documentation/en_US/junos12.3/topics/task/configuration/firewall-filter-ex-series-cli.html

Here are the relevant code snippets from the Juniper KB:

[edit firewall family ethernet-switching filter ingress-port-filter term term-one]
user@switch# set from source-address 192.0.2.14
user@switch# set from source-port 80

[edit interfaces]
user@switch# set ge-0/0/1 unit 0 family ethernet-switching filter input ingress-port-filter

They use source-address for input filters.

Also, "address" is not a valid entry for the "from" designation on the EX2200.  If I want the filter to apply to an address, I must specify either destination-address or source-address.

USER@SWITCH# set from ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> destination-address  Match IP destination address
> destination-mac-address  Match MAC destination address
+ destination-port     Match TCP/UDP destination port
> destination-prefix-list  Match IP destination prefixes in named list
+ dot1q-tag            Match Dot1Q Tag Value
+ dot1q-user-priority  Match Dot1Q user priority
+ dscp                 Match Differentiated Services (DiffServ) code point
+ ether-type           Match Ethernet Type
  fragment-flags       Match fragment flags (in symbolic or hex formats) - (Ingress only)
+ icmp-code            Match ICMP message code
+ icmp-type            Match ICMP message type
> interface            Match interface name
> interface-set        Match interface in set
> ip-version           Define IP version
  is-fragment          Match if packet is a fragment
+ l2-encap-type        Match Ethernet Encapsulation Type
+ precedence           Match IP precedence value
+ protocol             Match IP protocol type
> source-address       Match IP source address
> source-mac-address   Match MAC source address
+ source-port          Match TCP/UDP source port
> source-prefix-list   Match IP source prefixes in named list
  tcp-established      Match packet of an established TCP connection
  tcp-flags            Match TCP flags (in symbolic or hex formats)
  tcp-initial          Match initial packet of a TCP connection
+ vlan                 Match Vlan Id or Name

If I try to enter "set from address," the configuration is seen as unsupported.

{master:0}[edit firewall family ethernet-switching filter NAS-Outbound term NAS-Outbound-Allow]
USER@SWITCH# show
from {
    ##
    ## Warning: configuration block ignored: unsupported platform (ex2200-48t-4g)
    ##
    address {
        192.168.1.66/32;
    }
}
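As an added example that is not part of the thread or of Juniper's documentation, a small Python lint that encodes the two points of this reply: it parses a Junos-style config and flags any applied filter term that uses the `address` matcher (ignored on the EX2200) or that matches the host's address under the matcher its filter direction can never see. SAMPLE, BACKWARDS, parse_junos and audit are constructed names, and the config text inside is constructed, not copied from the thread.

```python
# Constructed sample, not a config from the thread: NAS-In copies the suggested
# "address" matcher on an input filter; NAS-Out matches the NAS under source-address
# on an output filter, the combination called backwards above.
SAMPLE = """
firewall { family ethernet-switching {
    filter NAS-In  { term allow { from { address { 192.168.1.66/32; } } then accept; } }
    filter NAS-Out { term allow { from { source-address 192.168.1.66/32; } then accept; } }
} }
interfaces {
    ge-0/0/5 { unit 0 { family ethernet-switching { filter { input NAS-In; } } } }
    ge-0/0/6 { unit 0 { family ethernet-switching { filter { output NAS-Out; } } } }
}"""

# Per direction, the matcher that never sees the host: frames entering from the host carry it as source, frames leaving toward it as destination.
BACKWARDS = {"input": "destination-address", "output": "source-address"}

def parse_junos(text):
    """Parse Junos curly-brace syntax into nested dicts; leaf statements map to None."""
    node, stack, words = {}, [], []
    for tok in text.replace("{", " { ").replace("}", " } ").replace(";", " ; ").split():
        if tok == "{":                     # open a child block named by the pending words
            stack.append(node)
            node[" ".join(words)] = node = {}
            words = []
        elif tok == "}":
            node = stack.pop()
        elif tok == ";":                   # leaf statement, e.g. "input NAS-In"
            node[" ".join(words)], words = None, []
        else:
            words.append(tok)
    return stack[0] if stack else node     # root, even if closing braces were cut off

def audit(text, host):
    """Yield findings for applied filter terms that cannot match HOST as intended."""
    cfg = parse_junos(text)
    fam = cfg.get("firewall", {}).get("family ethernet-switching", {})
    filters = {k.split()[1]: v for k, v in fam.items() if k.startswith("filter ")}
    for ifname, ifcfg in cfg.get("interfaces", {}).items():
        for ucfg in (ifcfg or {}).values():
            for stmt in (ucfg or {}).get("family ethernet-switching", {}).get("filter", {}):
                direction, fname = stmt.split()
                for tname, term in filters.get(fname, {}).items():
                    for key, vals in ((term or {}).get("from") or {}).items():
                        matcher, *inline = key.split()          # "source-address X/32;" form
                        addrs = set(inline) | set(vals or {})   # or "source-address { X/32; }"
                        where = f"{ifname} {direction} {fname} {tname}"
                        if matcher == "address":
                            yield f"{where}: 'address' is ignored as unsupported on EX2200; use source-/destination-address"
                        elif matcher == BACKWARDS[direction] and host in addrs:
                            yield f"{where}: {direction} filter cannot match {host} under {matcher}"
```

Running `list(audit(SAMPLE, "192.168.1.66/32"))` reports both mistakes; a config with an input filter matching the host under source-address produces no findings.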
