Table 74: Firewall Filter Match Conditions for IPv6 Traffic (continued)
Match Condition / Description

next-header header-type
    Match the first 8-bit Next Header field in the packet. Support for the next-header firewall match condition is available in Junos OS Release 13.3R6 and later.
    For IPv6, we recommend that you use the payload-protocol term rather than the next-header term when configuring a firewall filter with match conditions. Although either can be used, payload-protocol provides the more reliable match condition because it uses the actual payload protocol to find a match, whereas next-header simply takes whatever appears in the first header following the IPv6 header, which may or may not be the actual protocol. In addition, if next-header is used with IPv6, the accelerated filter block lookup process is bypassed and the standard filter is used instead.
    In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): ah (51), dstops (60), egp (8), esp (50), fragment (44), gre (47), hop-by-hop (0), icmp (1), icmp6 (58), icmpv6 (58), igmp (2), ipip (4), ipv6 (41), mobility (135), no-next-header (59), ospf (89), pim (103), routing (43), rsvp (46), sctp (132), tcp (6), udp (17), or vrrp (112).
    NOTE: The next-header icmp6 and next-header icmpv6 match conditions perform the same function. next-header icmp6 is the preferred option; next-header icmpv6 is hidden in the Junos OS CLI.

source-address address
    Match the IPv6 address of the source node sending the packet.

source-port number
    Match the UDP or TCP source port field.
    You cannot specify the port and source-port match conditions in the same term.
    If you configure this match condition, we recommend that you also configure the next-header udp or next-header tcp match condition in the same term to specify which protocol is being used on the port.
    In place of the numeric value, you can specify one of the text synonyms listed with the destination-port number match condition.

source-prefix-list
    Match IP source prefixes in a named prefix list.

tcp-flags flags
    Match one or more of the low-order 6 bits in the 8-bit TCP flags field in the TCP header.
    To specify individual bit fields, you can specify the following text synonyms or hexadecimal values:
    • fin (0x01)
    • syn (0x02)
    • rst (0x04)
    • push (0x08)
    • ack (0x10)
    • urgent (0x20)
    In a TCP session, the SYN flag is set only in the initial packet sent, while the ACK flag is set in all packets sent after the initial packet.
    You can string together multiple flags using the bit-field logical operators.
    For combined bit-field match conditions, see the tcp-established and tcp-initial match conditions.
    If you configure this match condition, we recommend that you also configure the next-header tcp match condition in the same term to specify that the TCP protocol is being used on the port.
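As an added, constructed example (not taken from this guide) that ties these match conditions together: an IPv6 filter that admits new SSH sessions only from a management prefix list, using the SYN/ACK semantics described above with the bit-field logical operators. The prefix-list name, filter and term names, the 2001:db8 prefix and the counter name are assumptions.

```junos
policy-options {
    /* Assumed management prefix; replace with your own */
    prefix-list mgmt-hosts-v6 {
        2001:db8:100::/64;
    }
}
firewall {
    family inet6 {
        filter protect-re-v6 {
            /* Initial packet of a TCP session: SYN set, ACK clear */
            term ssh-initial-from-mgmt {
                from {
                    source-prefix-list {
                        mgmt-hosts-v6;
                    }
                    next-header tcp;
                    destination-port ssh;
                    tcp-flags "(syn & !ack)";
                }
                then accept;
            }
            /* Every later packet of a session carries ACK (or RST on teardown) */
            term ssh-established {
                from {
                    next-header tcp;
                    destination-port ssh;
                    tcp-flags "(ack | rst)";
                }
                then accept;
            }
            /* Any other SSH traffic, including SYNs from non-management hosts */
            term ssh-other {
                from {
                    next-header tcp;
                    destination-port ssh;
                }
                then {
                    count ssh-rejected;
                    log;
                    discard;
                }
            }
            term allow-rest {
                then accept;
            }
        }
    }
}
```

Bind the filter with filter input under the interface's family inet6; the final term is required because a Junos filter discards any packet that no term accepts.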
Copyright © 2017, Juniper Networks, Inc. 1060
ACX Series Universal Access Router Configuration Guide