[j-nsp] solution to a firewall question

Damien DeVille damien.deville at gmail.com
Thu Apr 23 20:17:12 EDT 2015


Actually, my example is incorrect.  Filter f1 should read as follows:

ddeville at testlab-rtr# show firewall
filter f1 {
    term 1 {
        from {
            protocol tcp;
            destination-port 80;
        }
        then {
            count tcp_80;
        }
    }
}

When written this way, the second filter "f2" will be evaluated as part of
the chain.  See
http://www.juniper.net/documentation/en_US/junos13.3/topics/concept/firewall-filter-option-multiple-listed-overview.html#jd0e195



- Damien

On Thu, Apr 23, 2015 at 6:12 PM, Damien DeVille <damien.deville at gmail.com>
wrote:

> While I don't understand why you have the requirement that you can't use
> next-term (seems to be arbitrary), you can accomplish this with the "input-list"
> option (
> https://www.juniper.net/documentation/en_US/junos14.2/topics/reference/configuration-statement/input-list-edit-interfaces.html
> )
>
> Here is a sample configuration:
>
> ddeville at testlab-rtr# show interfaces ge-0/0/0
> unit 0 {
>     family inet {
>         filter {
>             input-list [ f1 f2 ];
>         }
>         address 192.168.1.2/32;
>     }
> }
>
> ddeville at testlab-rtr# show firewall
> filter f1 {
>     term 1 {
>         from {
>             protocol tcp;
>             destination-port 80;
>         }
>         then {
>             count tcp_80;
>             accept;
>         }
>     }
> }
> filter f2 {
>     term 1 {
>         from {
>             dscp ef;
>         }
>         then {
>             forwarding-class expedited-forwarding;
>             accept;
>         }
>     }
> }
>
> - Damien
>
> On Thu, Apr 23, 2015 at 5:38 PM, Vijesh Chandran <vijesh at juniper.net>
> wrote:
>
>> Hi Olivier,
>>  My bad that I didn't specify this in the original mail...
>> The caveat here is that next term shall be avoided as per the requirement.
>> -Thanks,
>>  Vijesh
>>
>>
>> ________________________________________
>> From: juniper-nsp <juniper-nsp-bounces at puck.nether.net> on behalf of
>> Olivier Benghozi <olivier.benghozi at wifirst.fr>
>> Sent: Thursday, April 23, 2015 11:39 AM
>> To: juniper-nsp at puck.nether.net
>> Subject: Re: [j-nsp] solution to a firewall question
>>
>> Replace accept with next term in f1?
>>
>> next term works across a filter list from what I see and according to the
>> documentation (
>> http://www.juniper.net/documentation/en_US/junos13.3/topics/concept/firewall-filter-option-multiple-listed-overview.html
>> ).
>>
>>
>> Olivier
>>
>> > On 23 Apr 2015, at 17:18, Vijesh Chandran <vijesh at juniper.net> wrote:
>> >
>> > Hi all,
>> >  I am wondering if we have a solution to this issue.
>> >  I need two firewalls attached to an interface as input-list, e.g.: f1 and f2.
>> >  Input-list [f1 f2]
>> >  f1 to match a condition (all tcp port 80) and accept and count that packet.
>> >  f2 to classify those packets based on code points and push to a forwarding class. Is this possible?
>>
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
>
>
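The point of the whole thread is the order of evaluation in `input-list [ f1 f2 ]`: a terminating action (`accept`) in f1 ends evaluation before f2 ever sees the packet, so the DSCP classification in f2 silently never happens, whereas a count-only term (Damien's corrected f1) or `next term` (Olivier's suggestion) lets the packet fall through. The following Python model, added here as an illustration and not Juniper code or configuration from the posts, encodes exactly the behaviour the thread describes and runs the three variants of f1 against the same constructed packet. The fall-through of a count-only term to the next filter is taken from Damien's observation; the implicit discard at the end of the list and the packet/term representation are assumptions of the model.

```python
"""Toy model of Junos firewall-filter input-list evaluation (added example).

Encodes the behaviour described in the thread: filters are evaluated in
list order; a term whose `then` carries a terminating action (accept,
discard, reject) ends evaluation of the whole list; `next term` moves on to
the following term, crossing into the next filter when the current one runs
out; a matched term with only non-terminating actions (e.g. `count tcp_80;`)
likewise falls through to the next filter (Damien's observation, assumed
here); a packet matching nothing hits the implicit discard (assumed).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

TERMINATING = ("accept", "discard", "reject")


@dataclass
class Term:
    name: str
    match: Dict[str, object]  # `from` conditions, e.g. {"protocol": "tcp", "destination-port": 80}
    then: List[str]           # `then` actions, e.g. ["count tcp_80", "accept"]


@dataclass
class Filter:
    name: str
    terms: List[Term]


@dataclass
class Verdict:
    action: str                   # accept / discard / reject
    counters: Dict[str, int]
    forwarding_class: Optional[str]
    matched: List[str]            # "filter/term" entries that matched, in order


def _matches(term: Term, packet: Dict[str, object]) -> bool:
    # Every `from` condition must hold; an empty `from` matches everything.
    return all(packet.get(k) == v for k, v in term.match.items())


def evaluate(input_list: List[Filter], packet: Dict[str, object]) -> Verdict:
    counters: Dict[str, int] = {}
    fc: Optional[str] = None
    matched: List[str] = []
    for flt in input_list:
        for term in flt.terms:
            if not _matches(term, packet):
                continue
            matched.append(f"{flt.name}/{term.name}")
            for action in term.then:
                word, _, arg = action.partition(" ")
                if word == "count":
                    counters[arg] = counters.get(arg, 0) + 1
                elif word == "forwarding-class":
                    fc = arg
                elif word in TERMINATING:
                    return Verdict(word, counters, fc, matched)  # list evaluation ends here
                elif action == "next term":
                    break  # continue with the next term, or the next filter in the list
                else:
                    raise ValueError(f"unsupported action: {action!r}")
            else:
                # Only non-terminating actions matched: fall through to the
                # next filter in the list (behaviour reported in the thread).
                break
    # Nothing terminated the packet: implicit discard at the end of the list (assumed).
    return Verdict("discard", counters, fc, matched)


def make_f1(then: List[str]) -> Filter:
    """f1 from the thread with a configurable `then` clause."""
    return Filter("f1", [Term("1", {"protocol": "tcp", "destination-port": 80}, then)])


# f2 from the thread: classify EF-marked packets into expedited-forwarding.
F2 = Filter("f2", [Term("1", {"dscp": "ef"},
                        ["forwarding-class expedited-forwarding", "accept"])])

# Constructed sample packet: TCP to port 80, marked EF.
WEB_EF = {"protocol": "tcp", "destination-port": 80, "dscp": "ef"}


def compare() -> Dict[str, Verdict]:
    """Run the same packet through the three f1 variants discussed in the thread."""
    return {
        "accept in f1": evaluate([make_f1(["count tcp_80", "accept"]), F2], WEB_EF),
        "count only": evaluate([make_f1(["count tcp_80"]), F2], WEB_EF),
        "next term": evaluate([make_f1(["count tcp_80", "next term"]), F2], WEB_EF),
        "unmatched": evaluate([make_f1(["count tcp_80"]), F2],
                              {"protocol": "udp", "destination-port": 53}),
    }


if __name__ == "__main__":
    for label, v in compare().items():
        print(f"{label:13s} -> {v.action:7s} fc={v.forwarding_class} "
              f"counters={v.counters} matched={v.matched}")
```

In the "accept in f1" variant the verdict is reached in f1/1 and `forwarding_class` stays unset, which is the symptom Vijesh started from; in the "count only" and "next term" variants f2/1 also matches and sets `expedited-forwarding`, and the `tcp_80` counter is incremented in all three. The UDP packet matches nothing and ends in the modelled implicit discard.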

