Policy Framework Configuration Guide - Juniper Networks

Chapter 9: Firewall Filter Configuration
nonterminating-actions;
}
BEST PRACTICE: We strongly recommend that you always explicitly configure
an action in the then statement. If you do not, or if you omit the then statement
entirely, packets that match the conditions in the from statement are
accepted.
You can specify only one filter terminating action statement (or omit it), but you can
specify any combination of nonterminating actions. For the action or nonterminating
action to take effect, all conditions in the from statement must match. If you specify log
as one of the actions in a term, this constitutes a terminating action; whether any
additional terms in the filter are processed depends on the traffic through the filter.
The nonterminating action operations carry a default accept action. For example, if you
specify a nonterminating action and do not specify an action, the specified nonterminating
action is implemented and the packet is accepted. To circumvent an implicit accept
action and allow the Junos OS to the evaluate the following term in the filter, use the
next term statement.
The following actions are terminating actions:
• accept
• discard
• reject
• logical-system logical-system-name
• routing-instance routing-instance-name
• topology topology-name
NOTE: You cannot configure the next term action with a terminating action
in the same filter term. You can only configure the next term action with
another nonterminating action in the same filter term.
Policing uses a specific type of action, known as a policer action. For more information,
see “Policer Actions” on page 278.
For more information about forwarding classes and loss priority, see the Junos OS Class
of Service Configuration Guide.
Table 35 on page 228 shows the complete list of filter actions, both terminating and
nonterminating.
Copyright © 2010, Juniper Networks, Inc.
227