[j-nsp] In Search of the Optimal RE Protect Filter - A Journey
Daniel Verlouw
daniel at shunoshu.net
Fri Aug 26 03:10:30 EDT 2011
Hi guys,

To revive this thread: does anyone know how to check what type of
packets are being matched when using a family any input filter on lo0?

You can't seem to use log as an action, and the from clause only allows
some protocol-independent matches:

    daniel@lab# set firewall family any filter test term test from ?
    Possible completions:
    + apply-groups             Groups from which to inherit configuration data
    + apply-groups-except      Don't inherit configuration data from these groups
    + forwarding-class         Match forwarding class
    + forwarding-class-except  Do not match forwarding class
    > interface                Match interface name
    > interface-set            Match interface in set
    + packet-length            Match packet length
    + packet-length-except     Do not match packet length
    [edit]

    daniel@lab# set firewall family any filter test term test then ?
    Possible completions:
      accept                   Accept the packet
    + apply-groups             Groups from which to inherit configuration data
    + apply-groups-except      Don't inherit configuration data from these groups
      count                    Count the packet in the named counter
      discard                  Discard the packet
      forwarding-class         Classify packet to forwarding class
      loss-priority            Classify packet to loss-priority
      next                     Continue to next term in a filter
      policer                  Name of policer to use to rate-limit traffic
    > three-color-policer      Police the packet using a three-color-policer
    [edit]

The docs say "layer 2 control packets", but which ones? Are all
"non-IP" packets matched against this family any filter?
<http://www.juniper.net/techpubs/en_US/junos10.4/topics/example/policy-layer-2-incoming-packet-rate-limit-setting.html>
There's even an example in RFC6192 :-) <http://www.faqs.org/rfcs/rfc6192.html>
Anyone using this? Pros/cons?
Thanks, Daniel.