I tried packet mode exactly the way you wrote it:
root@srx650-2> show configuration interfaces reth0
redundant-ether-options {
    redundancy-group 1;
}
unit 0 {
    family inet {
        filter {
            input-list [ ddos-block vlan131-bypass ];
        }
        address x.x.252.212/29;
    }
}
root@srx650-2> show configuration firewall
family inet {
    filter ddos-block {
        term 1 {
            from {
                destination-address {
                    x.x.3.4/32;
                }
            }
            then {
                discard;
            }
        }
        term 2 {
            then accept;
        }
    }
    filter vlan131-bypass {
        term 1 {
            from {
                destination-address {
                    x.x.251.100/32;
                }
            }
            then {
                packet-mode;
                accept;
            }
        }
        term 2 {
            then accept;
        }
    }
}
reth0 is my incoming interface, so I applied the filter there. After committing this, I checked with "show security flow session destination-prefix x.x.251.100" whether there was any active session to this IP, and it was empty. After accessing the destination IP and checking again, I get this:
root@srx650-2> show security flow session destination-prefix x.x.251.100
node0:
--------------------------------------------------------------------------
Session ID: 17871, Policy name: TK_intern-In/28, State: Backup, Timeout: 14400
In: x.x.54.186/51772 --> x.x.251.100/443;tcp, If: reth0.0
Out: x.x.251.100/443 --> x.x.54.186/51772;tcp, If: reth3.0
1 sessions displayed
node1:
--------------------------------------------------------------------------
Session ID: 78107, Policy name: TK_intern-In/28, State: Active, Timeout: 1796
In: x.x.54.186/51772 --> x.x.251.100/443;tcp, If: reth0.0
Out: x.x.251.100/443 --> x.x.54.186/51772;tcp, If: reth3.0
1 sessions displayed
As I understand it, a session was created even though I have a firewall filter that should force this traffic into packet mode and therefore not create any session... and since a policy (TK_intern-In) was also applied, it looks to me as if this packet was forwarded in flow mode... what am I missing?
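For reference, the following is an added configuration example and not part of the post above. It shows the form Juniper's documentation for selective stateless packet-based services uses: a filter with the packet-mode action applied as an input filter on the ingress interface of each traffic direction, so the reply traffic from x.x.251.100 is also handled in packet mode rather than hitting flow processing without a session. It adds a counter to each bypass term so the filter hit can be checked independently of the session table. Assumptions: reth3.0 is the interface facing x.x.251.100 (taken from the "Out" interface in the session output), the filter names vlan131-bypass-in / vlan131-bypass-out and counter names are chosen here, and reth3.0 has no other input filter that would need to be merged into an input-list. Whether the missing reverse-direction filter is what produced the session shown above is not something the post itself establishes.

```junos
firewall {
    family inet {
        filter vlan131-bypass-in {
            /* forward direction: client -> x.x.251.100, enters on reth0.0 */
            term bypass {
                from {
                    destination-address {
                        x.x.251.100/32;
                    }
                }
                then {
                    count bypass-in;
                    packet-mode;
                    accept;
                }
            }
            term rest {
                then accept;
            }
        }
        filter vlan131-bypass-out {
            /* reverse direction: x.x.251.100 -> client, enters on reth3.0 (assumed) */
            term bypass {
                from {
                    source-address {
                        x.x.251.100/32;
                    }
                }
                then {
                    count bypass-out;
                    packet-mode;
                    accept;
                }
            }
            term rest {
                then accept;
            }
        }
    }
}
interfaces {
    reth0 {
        unit 0 {
            family inet {
                filter {
                    input-list [ ddos-block vlan131-bypass-in ];
                }
            }
        }
    }
    reth3 {
        unit 0 {
            family inet {
                filter {
                    input vlan131-bypass-out;
                }
            }
        }
    }
}
```

After committing, "show firewall filter vlan131-bypass-in" and "show firewall filter vlan131-bypass-out" show whether the bypass terms are actually matching (on a chassis cluster, check on the node that is active for the redundancy group carrying the reth), and "show security flow session destination-prefix x.x.251.100" should then stay empty for traffic that is being handled in packet mode, since packet-mode traffic does not go through zones, security policies or session creation.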