[j-nsp] configuration groups and firewall filter term order
Patrick Colman
patrick.colman at alcatel.be
Fri Apr 11 15:05:07 EDT 2003
Hi,
I have a question regarding configuration groups and firewall filter
term order in JUNOS.
Assume I have a set of "common" output filter terms and some interface
specific terms. The common terms should be tested against first.
I would like to use the configuration groups to define the common part.
The sample configuration looks like:

[edit]
groups {
    common {
        firewall {
            family inet {
                filter <*> {
                    term 1 {
                        from {
                            source-address {
                                10.0.0.0/8 except;
                            }
                        }
                        then discard;
                    }
                }
            }
        }
    }
}

[edit firewall family inet]
filter interface-1 {
    apply-groups common;
    term 100 {
        from {
            destination-port telnet;
        }
        then discard;
    }
    term 200 {
        then accept;
    }
}
filter interface-2 {
    apply-groups common;
    term 100 {
        then accept;
    }
}

The result is not what I wanted to achieve (the common part is appended
at the end):

[edit firewall family inet]
patrick@JNPR-1# show filter interface-1 | display inheritance | except #
term 100 {
    from {
        destination-port telnet;
    }
    then discard;
}
term 200 {
    then accept;
}
term 1 {
    from {
        source-address {
            10.0.0.0/8 except;
        }
    }
    then discard;
}

Is there any way in JUNOS that I can force the order of the terms
inherited from the apply-groups statement?
The config I had in mind was:

[edit firewall family inet]
patrick@JNPR-1# show filter interface-1 | display inheritance | except #
### How I wanted the config to look like ###
term 1 {
    from {
        source-address {
            10.0.0.0/8 except;
        }
    }
    then discard;
}
term 100 {
    from {
        destination-port telnet;
    }
    then discard;
}
term 200 {
    then accept;
}

Best Regards,
Patrick.
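
In the effective order shown in the post, the inherited term 1 lands after term 200, which has no from clause and a terminating action, so term 1 is never evaluated. The check below is an added example (not part of the original post and not a JUNOS feature): it parses `display inheritance` output and reports terms placed behind such a match-all term, and it assumes the single-line `then <action>;` form used in the post.

```python
import re

# Constructed input: term order copied from the post's display inheritance output.
EFFECTIVE_FILTER = """
term 100 {
    from {
        destination-port telnet;
    }
    then discard;
}
term 200 {
    then accept;
}
term 1 {
    from {
        source-address {
            10.0.0.0/8 except;
        }
    }
    then discard;
}
"""
TERMINATING = {"accept", "discard", "reject"}

def parse_terms(text):
    """Return the terms in evaluation order as dicts: name, from, then."""
    terms, depth, cur = [], 0, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"term (\S+) \{$", line)
        if depth == 0 and m:
            cur = {"name": m.group(1), "from": False, "then": set()}
            terms.append(cur)
        elif cur and depth == 1:  # statements directly inside the term
            if line.startswith("from"):
                cur["from"] = True
            elif line.startswith("then "):
                cur["then"].update(line[5:].rstrip(";").split())
        depth += line.count("{") - line.count("}")
    return terms

def shadowed_terms(terms):
    """Return (match-all term, names of the terms that follow it)."""
    for i, t in enumerate(terms):
        # No from clause means every packet matches; a terminating action ends evaluation.
        if not t["from"] and t["then"] & TERMINATING:
            return t["name"], [u["name"] for u in terms[i + 1:]]
    return None, []

print(shadowed_terms(parse_terms(EFFECTIVE_FILTER)))
```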