[j-nsp] Default + specific firewall filters
Tony Frank
tfrank at optushome.com.au
Fri May 28 09:00:55 EDT 2004
On Fri, May 28, 2004 at 03:35:17AM +0200, Daniel Roesen wrote:
> firewall filters for all packets traversing the PFE? This would be
> cool to have indeed, because currently you cannot apply more than
> a single input and output filter to any given interface... which makes
> it impossible to "daisy-chain" generic filters with "interface-specific"
> (not as in the JUNOS config statement "interface-specific") filters
> as it is possible with routing protocol export/import policy chains.
> This means if you want to do the DCU stuff, you'll have to copy all
> the DCU processing into any interface-specific filter you do for
> specific uses. Administrative nightmare.
>
> This is a problem with filters which always bothered me, no matter
> which vendor. Does NOONE like to apply default filters on edge
> interfaces, PLUS interface-specific stuff, WITHOUT needing to create
> a third new filter which is a merge of the generic one and the
> interface-specific bits?
Without actually trying, I would think this can be accomplished by
having a group with default firewall filter terms.
Then for each interface filter, you can apply the "default group" in
addition to any specific terms suited to the interface.
Still one to two filters per interface with special needs and plenty
of admin headaches to keep it all straight.
Regards,
Tony
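One way to lay out the apply-groups approach Tony suggests, as an added illustration rather than configuration from the thread: a configuration group carries the shared "default" terms under a wildcard filter name, and each interface-specific filter inherits them with apply-groups before adding its own terms. The group name `edge-defaults`, the filter name `customer-A-in`, the interface and the prefixes are all constructed for this example.

```junos
groups {
    /* Constructed group name: holds the terms every edge filter should share */
    edge-defaults {
        firewall {
            family inet {
                /* Wildcard filter name: merged into any filter that applies this group */
                filter <*> {
                    term drop-spoofed-loopback {
                        from {
                            source-address {
                                127.0.0.0/8;
                            }
                        }
                        then {
                            count spoofed-loopback;
                            discard;
                        }
                    }
                }
            }
        }
    }
}
firewall {
    family inet {
        /* Interface-specific filter: inherits the group terms, then adds its own */
        filter customer-A-in {
            apply-groups edge-defaults;
            term allow-customer-prefix {
                from {
                    source-address {
                        /* Constructed example prefix (RFC 5737 documentation range) */
                        192.0.2.0/24;
                    }
                }
                then accept;
            }
            term deny-rest {
                then {
                    count customer-A-denied;
                    discard;
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input customer-A-in;
                }
            }
        }
    }
}
```

Because a firewall filter is evaluated term by term in order, the position at which the inherited terms are merged relative to the locally configured ones decides what matches first; check the merged result on the box with `show configuration firewall family inet filter customer-A-in | display inheritance` before committing, and confirm the counters behave as expected with `show firewall filter customer-A-in`. As Tony notes, this still leaves one filter per interface with special needs; the group only removes the need to duplicate the default terms inside each of them.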