[j-nsp] solution to a firewall question
Damien DeVille
damien.deville at gmail.com
Thu Apr 23 18:12:21 EDT 2015
While I don't understand why you have the requirement that you can't use
next-term (seems to be arbitrary), you can accomplish this with the "input-list"
option (https://www.juniper.net/documentation/en_US/junos14.2/topics/reference/configuration-statement/input-list-edit-interfaces.html).
Here is a sample configuration:
ddeville at testlab-rtr# show interfaces ge-0/0/0
unit 0 {
    family inet {
        filter {
            input-list [ f1 f2 ];
        }
        address 192.168.1.2/32;
    }
}

ddeville at testlab-rtr# show firewall
filter f1 {
    term 1 {
        from {
            protocol tcp;
            destination-port 80;
        }
        then {
            count tcp_80;
            accept;
        }
    }
}
filter f2 {
    term 1 {
        from {
            dscp ef;
        }
        then {
            forwarding-class expedited-forwarding;
            accept;
        }
    }
}
- Damien
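Added example, not part of the thread or of any poster's configuration: a small Python model of how Junos walks an interface filter list, encoding the semantics from the documentation Olivier links below (the listed filters are evaluated as one filter made of f1's terms followed by f2's terms; accept, discard and reject terminate evaluation; "next term" continues with the following term even when that term sits in the next filter of the list; a packet matching no term hits the implicit discard at the end of the list). The filters are the f1 and f2 from this thread, with f1's action made selectable so the accept and next-term variants can be compared on the same packet. Packets, counters and the helper names are constructed for the example.

```python
"""Model of Junos firewall-filter list evaluation (input-list [ f1 f2 ]).

Added example, not from the thread. Assumed semantics, per the Junos
documentation on multiple filters applied as a list: terms of the listed
filters are evaluated in order as one filter; accept/discard/reject stop
evaluation; "next term" falls through to the next term, which may belong to
the next filter; nothing matching at all means implicit discard.
Packets, filter definitions and counters are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    protocol: str
    dst_port: Optional[int] = None
    dscp: str = "be"          # code point name as Junos prints it (be, ef, ...)


@dataclass
class Term:
    name: str
    match: Dict[str, object]            # "from" clause, e.g. {"protocol": "tcp"}
    count: Optional[str] = None         # "then count <name>" action modifier
    forwarding_class: Optional[str] = None
    action: str = "accept"              # accept | discard | reject | next term


@dataclass
class Filter:
    name: str
    terms: List[Term]


@dataclass
class Result:
    action: str
    forwarding_class: str = "best-effort"
    counters: Dict[str, int] = field(default_factory=dict)
    visited: List[str] = field(default_factory=list)   # filter/term names matched


TERMINATING = {"accept", "discard", "reject"}


def term_matches(term: Term, pkt: Packet) -> bool:
    """All conditions in the term's from clause must hold (AND semantics)."""
    m = term.match
    if "protocol" in m and m["protocol"] != pkt.protocol:
        return False
    if "destination-port" in m and m["destination-port"] != pkt.dst_port:
        return False
    if "dscp" in m and m["dscp"] != pkt.dscp:
        return False
    return True


def evaluate(filter_list: List[Filter], pkt: Packet) -> Result:
    """Walk the concatenated terms of filter_list for one packet."""
    result = Result(action="discard")   # implicit discard if nothing matches
    for flt in filter_list:
        for term in flt.terms:
            if not term_matches(term, pkt):
                continue
            result.visited.append(f"{flt.name}/{term.name}")
            # action modifiers take effect as soon as the term matches
            if term.count:
                result.counters[term.count] = result.counters.get(term.count, 0) + 1
            if term.forwarding_class:
                result.forwarding_class = term.forwarding_class
            if term.action in TERMINATING:
                result.action = term.action
                return result
            # "next term": keep going, possibly into the next filter of the list
    return result


def make_f1(action: str) -> Filter:
    """f1 from the thread, with the tcp/80 term's action made selectable."""
    return Filter("f1", [Term("1", {"protocol": "tcp", "destination-port": 80},
                              count="tcp_80", action=action)])


F2 = Filter("f2", [Term("1", {"dscp": "ef"},
                        forwarding_class="expedited-forwarding", action="accept")])

# Constructed sample packets.
WEB_EF = Packet("tcp", 80, "ef")    # tcp/80 already marked EF
DNS_BE = Packet("udp", 53, "be")    # matches neither filter


def run(f1_action: str, pkt: Packet) -> Result:
    """Evaluate pkt against input-list [ f1 f2 ] with the given f1 action."""
    return evaluate([make_f1(f1_action), F2], pkt)


if __name__ == "__main__":
    for action in ("accept", "next term"):
        r = run(action, WEB_EF)
        print(f"f1 uses {action!r:12} tcp/80+EF -> {r.action}, "
              f"fc={r.forwarding_class}, counters={r.counters}, via {r.visited}")
    r = run("accept", DNS_BE)
    print(f"udp/53, matching neither filter -> {r.action} (implicit discard)")
```

Under these semantics the accept variant counts and accepts the tcp/80 packet inside f1, so f2's classifier never sees it; the next-term variant counts it in f1 and then classifies it in f2. Two things a practitioner would check on a real box before trusting either variant: neither filter as posted has a catch-all term, so traffic matching no term (and, with next term, tcp/80 traffic that is not EF-marked) falls off the end of the list into the implicit discard on ge-0/0/0; and `show firewall` after sending test traffic confirms whether tcp_80 and the forwarding-class assignment both fire for the same packet.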
On Thu, Apr 23, 2015 at 5:38 PM, Vijesh Chandran <vijesh at juniper.net> wrote:
> Hi Olivier,
> My bad that I didn't specify this in the original mail...
> The caveat here is that next term shall be avoided, as per the requirement.
> -Thanks,
> Vijesh
>
>
> ________________________________________
> From: juniper-nsp <juniper-nsp-bounces at puck.nether.net> on behalf of
> Olivier Benghozi <olivier.benghozi at wifirst.fr>
> Sent: Thursday, April 23, 2015 11:39 AM
> To: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] solution to a firewall question
>
> Replace accept with next term in f1?
>
> next term works across the filter list from what I see and according to the
> documentation (
> http://www.juniper.net/documentation/en_US/junos13.3/topics/concept/firewall-filter-option-multiple-listed-overview.html
> ).
>
>
> Olivier
>
> > On 23 Apr 2015 at 17:18, Vijesh Chandran <vijesh at juniper.net> wrote:
> >
> > Hi all,
> > I am wondering if we have a solution to this issue.
> > I need two firewall filters attached to an interface as an input-list, e.g. f1
> > and f2:
> > Input-list [f1 f2]
> > f1 to match a condition (all tcp port 80) and accept and count that packet.
> > f2 to classify those packets based on code points and push them to a
> > forwarding class. Is this possible?
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp