Table 74: Firewall Filter Match Conditions for IPv6 Traffic (continued)
Description
Match Condition
Match the ICMP message code field.
If you configure this match condition, we recommend that you also configure the next-header
icmp or next-header icmp6 match condition in the same term.
If you configure this match condition, you must also configure the icmp-type message-type match
condition in the same term. An ICMP message code provides more specific information than an
ICMP message type, but the meaning of an ICMP message code is dependent on the associated
ICMP message type.
In place of the numeric value, you can specify one of the following text synonyms (the field values
are also listed). The keywords are grouped by the ICMP type with which they are associated:
•
parameter-problem: ip6-header-bad (0), unrecognized-next-header (1), unrecognized-option
(2)
•
time-exceeded: ttl-eq-zero-during-reassembly (1), ttl-eq-zero-during-transit (0)
•
destination-unreachable: administratively-prohibited (1), address-unreachable (3),
no-route-to-destination (0), port-unreachable (4)
icmp-code message-code
Match the ICMP message type field.
If you configure this match condition, we recommend that you also configure the next-header
icmp or next-header icmp6 match condition in the same term.
In place of the numeric value, you can specify one of the following text synonyms (the field values
are also listed): certificate-path-advertisement (149), certificate-path-solicitation (148),
destination-unreachable (1), echo-reply (129), echo-request (128),
home-agent-address-discovery-reply (145), home-agent-address-discovery-request (144),
inverse-neighbor-discovery-advertisement (142), inverse-neighbor-discovery-solicitation (141),
membership-query (130), membership-report (131), membership-termination (132),
mobile-prefix-advertisement-reply (147), mobile-prefix-solicitation (146),
neighbor-advertisement (136), neighbor-solicit (135), node-information-reply (140),
node-information-request (139), packet-too-big (2), parameter-problem (4),
private-experimentation-100 (100), private-experimentation-101 (101), private-experimentation-200
(200), private-experimentation-201 (201), redirect (137), router-advertisement (134),
router-renumbering (138), router-solicit (133), or time-exceeded (3).
For private-experimentation-201 (201), you can also specify a range of values within square
brackets.
icmp-type message-type
1059Copyright © 2017, Juniper Networks, Inc.
Chapter 32: Configuring Firewall Filters
To Next Page
Loading...
Need help?
General
