Juniper ACX1000 Configuration Manual page 1118

Junos OS; ACX Series Universal Access Router

ACX Series Universal Access Router Configuration Guide
Table 74: Firewall Filter Match Conditions for IPv6 Traffic (continued)

Match Condition: next-header header-type
Description:
Match the first 8-bit Next Header field in the packet. Support for the next-header firewall match condition is available in Junos OS Release 13.3R6 and later.
For IPv6, we recommend that you use the payload-protocol term rather than the next-header term when configuring a firewall filter with match conditions. Although either can be used, payload-protocol provides the more reliable match condition because it uses the actual payload protocol to find a match, whereas next-header simply takes whatever appears in the first header following the IPv6 header, which may or may not be the actual protocol. In addition, if next-header is used with IPv6, the accelerated filter block lookup process is bypassed and the standard filter used instead.
In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):
ah (51), dstops (60), egp (8), esp (50), fragment (44), gre (47), hop-by-hop (0), icmp (1), icmp6 (58), icmpv6 (58), igmp (2), ipip (4), ipv6 (41), mobility (135), no-next-header (59), ospf (89), pim (103), routing (43), rsvp (46), sctp (132), tcp (6), udp (17), or vrrp (112).
NOTE: next-header icmp6 and next-header icmpv6 match conditions perform the same function. next-header icmp6 is the preferred option. next-header icmpv6 is hidden in the Junos OS CLI.

Match Condition: source-address address
Description:
Match the IPv6 address of the source node sending the packet.

Match Condition: source-port number
Description:
Match the UDP or TCP source port field.
You cannot specify the port and source-port match conditions in the same term.
If you configure this match condition, we recommend that you also configure the next-header udp or next-header tcp match condition in the same term to specify which protocol is being used on the port.
In place of the numeric value, you can specify one of the text synonyms listed with the destination-port number match condition.

Match Condition: source-prefix-list
Description:
Match IP source prefixes in named list.

Match Condition: tcp-flags flags
Description:
Match one or more of the low-order 6 bits in the 8-bit TCP flags field in the TCP header.
To specify individual bit fields, you can specify the following text synonyms or hexadecimal values:
fin (0x01)
syn (0x02)
rst (0x04)
push (0x08)
ack (0x10)
urgent (0x20)
In a TCP session, the SYN flag is set only in the initial packet sent, while the ACK flag is set in all packets sent after the initial packet.
You can string together multiple flags using the bit-field logical operators.
For combined bit-field match conditions, see the tcp-established and tcp-initial match conditions.
If you configure this match condition, we recommend that you also configure the next-header tcp match condition in the same term to specify that the TCP protocol is being used on the port.

Copyright © 2017, Juniper Networks, Inc.
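
The next-header description above notes that the first Next Header value "may or may not be the actual protocol". The following Python sketch is an added example, not taken from the Juniper manual and not a model of how Junos OS implements payload-protocol: it reads the first Next Header byte and, separately, walks the extension header chain as laid out in RFC 8200. All function names and the sample packets are assumptions constructed for illustration.

```python
import struct

# Next Header values, as listed in the table above.
HOP_BY_HOP, TCP, ROUTING, FRAGMENT, AH, DSTOPS = 0, 6, 43, 44, 51, 60

def first_next_header(pkt: bytes) -> int:
    """Next Header byte of the fixed 40-byte IPv6 header."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    return pkt[6]

def upper_layer_protocol(pkt: bytes) -> int:
    """Follow the extension header chain (RFC 8200) to the protocol it ends in."""
    nh, off = first_next_header(pkt), 40
    while nh in (HOP_BY_HOP, ROUTING, DSTOPS, FRAGMENT, AH):
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        if nh == FRAGMENT:
            size = 8                          # fixed-size header
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                return pkt[off]               # non-first fragment: stop here
        elif nh == AH:
            size = (pkt[off + 1] + 2) * 4     # length in 4-octet units, minus 2
        else:
            size = (pkt[off + 1] + 1) * 8     # length in 8-octet units, minus 1
        nh, off = pkt[off], off + size
    return nh  # upper-layer protocol, or a header this sketch does not parse

def ipv6(next_header: int, payload: bytes) -> bytes:
    """Constructed sample header, 2001:db8::1 -> 2001:db8::2."""
    src = bytes.fromhex("20010db8" + "00" * 11 + "01")
    dst = bytes.fromhex("20010db8" + "00" * 11 + "02")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + src + dst + payload

# Constructed payloads: a TCP SYN (flags 0x02) and an 8-byte hop-by-hop header
# holding one PadN option, with its own Next Header set to TCP.
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
HBH = bytes([TCP, 0, 1, 4, 0, 0, 0, 0])
FRAG = struct.pack("!BBHI", TCP, 0, 1, 0x1234)   # offset 0, M=1: first fragment

SAMPLES = {
    "plain": ipv6(TCP, TCP_SYN),
    "hop-by-hop": ipv6(HOP_BY_HOP, HBH + TCP_SYN),
    "fragment": ipv6(FRAGMENT, FRAG + TCP_SYN),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:11} next-header={first_next_header(pkt):2} "
              f"upper-layer={upper_layer_protocol(pkt)}")
```

For the two samples that carry an extension header, the first Next Header value is the extension header's number rather than tcp (6), so a term that relies on next-header tcp together with tcp-flags or source-port would not select them.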
