Policy Framework Configuration Guide - Juniper Networks

Junos 10.4 Policy Framework Configuration Guide
terms that apply to many or most of the interface. You can then apply each unique filter
only to the specific interface for which it is defined, along with the filter or filters that
apply to many interfaces. This approach gives you the flexibility of being able to update
a filter that applies only to one interface without having to update the configuration for
all the other interfaces.
A second approach to chaining multiple firewall filters is to configure one or more filters
within a filter, or nested firewall filter. To configure a nested firewall filter, you must first
define each filter that you plan to nest by configuring it at the [edit firewall] hierarchy
level. You then reference each filter you want to nest by including the filter filter-name
statement at the [edit firewall filter filter-name family family-name term term-name]
hierarchy level. You can then apply any combination of nested and standard firewall
filters to interfaces as input lists or output lists. The advantage of this approach is that
you can update any referenced firewall filter without having to update the nested firewall
filter itself. Another advantage of nested firewall filters is that you can include a filter
that you defined at the [edit firewall] hierarchy level in multiple nested filters.
In the following example, you configure multiple firewall filters, each of which is applied
individually as part of an input list or an output list. Configuring multiple filters that include
only one term enables you to update any one filter quickly without affecting any of the
other filters.
[edit]
firewall {
family inet {
filter if1 {
term 0 {
from {
destination-port 21;
}
then accept;
}
}
filter if2 {
term 0 {
from {
destination-port 23;
}
then accept;
}
}
filter if3 {
term 0 {
from {
destination-port 22;
}
then accept;
}
}
filter of1 {
term 0 {
from {
dscp af11;
240
Copyright © 2010, Juniper Networks, Inc.