Juniper J2300 User Manual page 394

J-series™ Services Router User Guide
Match Condition
esp-spi spi-value
forwarding-class class
fragment-offset number
icmp-code number
icmp-type number
interface-group group-number
packet-length bytes
port number
precedence ip-precedence-field
protocol number
source-port number
Address Match Conditions
address prefix
destination-address prefix
364
Firewall Filter Overview
Description
IPSec encapsulating security payload (ESP) security parameter index (SPI) value.
Match on this specific SPI value. You can specify the ESP SPI value in either
hexadecimal, binary, or decimal form.
Forwarding class. Specify assured-forwarding, best-effort, expedited-forwarding, or
network-control.
Fragment offset field.
ICMP code field. Normally, you specify this match in conjunction with the protocol
icmp match statement to determine which protocol is being used on the port.
This value or keyword provides more specific information than icmp-type. Because
the value's meaning depends on the associated icmp-type, you must specify icmp-type
along with icmp-code.
In place of the numeric value, you can specify a text synonym. For example, you
can specify ip-header-bad or 0.
ICMP packet type field. Normally, you specify this match in conjunction with the
protocol icmp match statement to determine which protocol is being used on the port.
In place of the numeric value, you can specify a text synonym. For example, you can
specify time-exceeded or 11.
Interface group on which the packet was received. An interface group is a set of one
or more logical interfaces. For information about configuration interface groups, see
the JUNOS Policy Framework Configuration Guide.
Length of the received packet, in bytes. The length refers only to the IP packet,
including the packet header, and does not include any Layer 2 encapsulation overhead.
TCP or UDP source or destination port field. You cannot specify both the port match
and either the destination-port or source-port match conditions in the same term.
Normally, you specify this match in conjunction with the protocol tcp or protocol udp
match statement to determine which protocol is being used on the port.
In place of the numeric value, you can specify a text synonym. For example, you
can specify bgp or 179.
IP precedence field. You can specify precedence in either hexadecimal, binary, or
decimal form.
In place of the numeric value, you can specify a text synonym. For example, you
can specify immediate or 0x40.
IP protocol field. In place of the numeric value, you can specify a text synonym.
For example, you can specify ospf or 89.
TCP or UDP source port field. You cannot specify the port and source-port match
conditions in the same term. Normally, you specify this match in conjunction with
the protocol tcp or protocol udp match statement to determine which protocol is
being used on the port.
In place of the numeric value, you can specify a text synonym. For example, you
can specify http or 80.
IP source or destination address field. You cannot specify both the address and the
destination-address or source-address match conditions in the same term.
IP destination address field. You cannot specify the destination-address and address
match conditions in the same term.