Policy Framework Configuration Guide - Juniper Networks

Junos 10.4 Policy Framework Configuration Guide
in one filter within a filter, or the source address, as defined in another term or filter within
a filter.
In contrast, in a standard firewall filter, multiple conditions within a single term are applied
in a multiple AND order. If you specify more than one match condition within a single
term, both conditions (for example, source port and source address) must be met for a
packet to match.
An additional advantage of nested firewall filters is that if you need to update a specific
filter within a filter, you can do so without having to update the nested filter itself.
The following example shows a nested firewall filter configuration. First, you define the
Filter f1 that you want to nest within a firewall filter. Then you reference Firewall Filter f1
within the nested firewall filter, named f2. When you need to update Filter f1, you can do
so without having to update Filter f2. The example also includes standard Filter f3, which
you also apply as part of input list. You then apply firewall Filters f2 and f3 to interface
so-1/2/3 unit 0 as an input list. You do not need to apply filter f1 directly to the interface
because it is referenced in Filter f2.
• Defining Filter f1
[edit firewall]
family inet {
filter f1 {
from {
source-address 192.168.27.14;
}
then count got-one;
}
}
• Nesting Filter f1 in Filter f2
[edit firewall]
family inet {
filter f2 {
term 1
filter f1; # Reference filter f1 defined at the [edit firewall] hierarchy level.
# You must reference the filter within a term. Include only the name
# of the filter you want to reference.
}
term 2 {
from {
source-port 3000;
}
then accept;
}
}
}
• Configuring standard firewall Filter f3
[edit firewall]
family inet {
filter f3 {
term 3 {
242
Copyright © 2010, Juniper Networks, Inc.