SRX firewall filter

There are several ways of blocking certain types of traffic. One of them is a firewall filter. You may be asking why you would use a firewall filter instead of a security policy. The reason is that a firewall filter is applied at a very early stage of packet processing and needs less processing power than security policies. You can take a look at the SRX packet flow diagram if you wish.

Another important facet of these filters is that they are stateless: they have no session intelligence. Below is a sample firewall filter to reject incoming ICMP echo packets from the 192.168.0.101/32 address on the vlan.10 interface:

1) First, define a firewall filter named block_icmp

WARNING: One of the most important points to keep in mind is that there is an implicit drop of packets at the end of a filter. If you don't put an "accept" term, you will block everything.

2) The second step is to apply the filter on an interface, which is vlan.10 in our example.

Once you commit these changes, ICMP echo packets from 192.168.0.101 will be rejected with ICMP type 3 (Destination unreachable) and code 13 (Communication administratively filtered).

3) Counting packets

You might have noticed the count option in the filter. As the name implies, it counts the packets matched by that term of the filter. To see the counters:
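The three steps above, put together as an added example of the complete configuration (this is a reconstruction written for this page, not the original post's snippet); the term names, the counter name block_icmp_counter and the hierarchical layout are assumptions, and the second term is what avoids the implicit drop described in the warning:

```junos
firewall {
    family inet {
        filter block_icmp {
            /* Match ICMP echo-request from the single host, count it, then
               reject it; "reject" without a message type sends ICMP type 3
               code 13 (administratively prohibited). */
            term block-echo {
                from {
                    source-address {
                        192.168.0.101/32;
                    }
                    protocol icmp;
                    icmp-type echo-request;
                }
                then {
                    count block_icmp_counter;
                    reject;
                }
            }
            /* Required: without this term the implicit discard at the end of
               the filter drops all other traffic on the interface. */
            term allow-everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    vlan {
        unit 10 {
            family inet {
                filter {
                    /* Stateless filter applied to ingress traffic on vlan.10 */
                    input block_icmp;
                }
            }
        }
    }
}
```

After commit, `show firewall filter block_icmp` in operational mode displays the packet and byte counts for block_icmp_counter, and `clear firewall filter block_icmp` resets them.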
