Table 74: Firewall Filter Match Conditions for IPv6 Traffic
Match Condition: destination-address address
Description: Match the IPv6 destination address field.

Match Condition: destination-port number
Description: Match the UDP or TCP destination port field.
You cannot specify both the port and destination-port match conditions in the same term.
If you configure this match condition, we recommend that you also configure the next-header
udp or next-header tcp match condition in the same term to specify which protocol is being used
on the port.
In place of the numeric value, you can specify one of the following text synonyms (the port
numbers are also listed): afs (1483), bgp (179), biff (512), bootpc (68), bootps (67), cmd (514),
cvspserver (2401), dhcp (67), domain (53), eklogin (2105), ekshell (2106), exec (512), finger (79),
ftp (21), ftp-data (20), http (80), https (443), ident (113), imap (143), kerberos-sec (88),
klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544), ldap (389), ldp (646),
login (513), mobileip-agent (434), mobilip-mn (435), msdp (639), netbios-dgm (138),
netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123), pop3 (110),
pptp (1723), printer (515), radacct (1813), radius (1812), rip (520), rkinit (2108), smtp (25),
snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514),
tacacs (49), tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525), who (513), or xdmcp (177).

Match Condition: destination-prefix-list
Description: Match IP destination prefixes in named list.

Match Condition: extension-headers header-type
Description: Match an extension header type that is contained in the packet by identifying a Next Header
value.
In the first fragment of a packet, the filter searches for a match in any of the extension header
types. When a packet with a fragment header is found (a subsequent fragment), the filter only
searches for a match of the next extension header type because the location of other extension
headers is unpredictable.
In place of the numeric value, you can specify one of the following text synonyms (the field values
are also listed): ah (51), destination (60), esp (50), fragment (44), hop-by-hop (0), mobility (135),
or routing (43).
To match any value for the extension header option, use the text synonym any.
NOTE: Only the first extension header of the IPv6 packet can be matched. L4 header beyond
one IPv6 extension header will be matched.

Match Condition: hop-limit hop-limit
Description: Match the hop limit to the specified hop limit or set of hop limits. For hop-limit, specify a single
value or a range of values from 0 through 255.
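
The constraints this table states for destination-port and hop-limit can be checked mechanically before a filter is committed. The following is an added example, not taken from the Juniper guide: a Python check over constructed set-style configuration lines. The filter name PROTECT-V6, the term names and the lint function are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: Junos "set"-style lines for an inet6 filter (all names are made up).
SAMPLE = """\
set firewall family inet6 filter PROTECT-V6 term ssh-ok from next-header tcp
set firewall family inet6 filter PROTECT-V6 term ssh-ok from destination-port ssh
set firewall family inet6 filter PROTECT-V6 term ssh-ok then accept
set firewall family inet6 filter PROTECT-V6 term dns-loose from destination-port 53
set firewall family inet6 filter PROTECT-V6 term dns-loose then accept
set firewall family inet6 filter PROTECT-V6 term both from next-header udp
set firewall family inet6 filter PROTECT-V6 term both from port 123
set firewall family inet6 filter PROTECT-V6 term both from destination-port ntp
set firewall family inet6 filter PROTECT-V6 term ttl from hop-limit 0-300
"""

LINE = re.compile(r"^set firewall family inet6 filter (\S+) term (\S+) from (\S+)\s*(.*)$")

def lint(config):
    """Return sorted (filter, term, finding) tuples for the rules stated in Table 74."""
    terms = defaultdict(lambda: defaultdict(list))
    for line in config.splitlines():
        m = LINE.match(line.strip())
        if m:
            flt, term, cond, value = m.groups()
            # Accept both a single value and a bracketed list such as "[ 53 123 ]".
            terms[(flt, term)][cond].extend(value.replace("[", " ").replace("]", " ").split())
    findings = []
    for (flt, term), conds in terms.items():
        if "destination-port" in conds:
            if "port" in conds:
                findings.append((flt, term, "port and destination-port in same term"))
            # next-header may also be given numerically: 6 = tcp, 17 = udp
            if not set(conds.get("next-header", [])) & {"tcp", "udp", "6", "17"}:
                findings.append((flt, term, "destination-port without next-header tcp/udp"))
        for value in conds.get("hop-limit", []):
            nums = [int(n) for n in re.findall(r"\d+", value)]
            if not nums or any(n > 255 for n in nums):
                findings.append((flt, term, "hop-limit outside 0-255"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(*finding, sep=": ")
```

A term that matches destination-port without next-header tcp or next-header udp does not state which protocol the port belongs to, which is why the table recommends pairing the two conditions.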
Copyright © 2017, Juniper Networks, Inc.
ACX Series Universal Access Router Configuration Guide