Policy Framework Configuration Guide - Juniper Networks

Chapter 9: Firewall Filter Configuration
from {
icmp-code 3;
}
then accept;
}
}
}
• Applying Filters f2 and f3 as an input list
[edit interfaces so-1/2/3]
unit 0 {
family inet {
filter {
input-list [ f2 f3 ]; # When you apply filter f2, it includes the referenced filter # f1.
}
}
}
When you configure a list of firewall filters and apply them to an interface using either
the input-list or output-list statement, the filters are concatenated into one consolidated
and renamed firewall filter, and all policers and counters are also renamed. Each filter in
the list is evaluated in the order in which it is applied to the interface.
The concatenated firewall filter is renamed based on the name of the interface and the
direction in which the filter is applied:
• A list of firewall filters applied as input filters on interface so-1/0/0 unit 0 becomes
so-1/0/0.0-i.
• A list of firewall filters applied as output filters on interface so-1/1/1 unit 0 becomes
so-1/1/1.0-o.
Any counters or policers in the filter list are also renamed. The interface name and the
letter o or i to indicate the direction of the filter are added to the end of the original counter
name as follows:
• A counter named bad-packets in a filter applied in an output list to interface so-2/2/0
unit 0 becomes bad-packets-so-2/2/0.0-o.
• A counter named icmp-code-3 in a filter applied in an input list to interface so-3/3/0
unit 0 becomes icmp-code-3-so-3/3/0.0-i.
Understanding how firewall filter lists are displayed is important when you use the show
firewall command to view information about configured firewall filters. For example, the
entry for a firewall filter named c that is applied in an output list to interface at-1/0/1 unit
0 is displayed as c-at-1/0/1.0-o.
Related
Documentation
• Configuring Nested Firewall Filters on page 233
• Applying Firewall Filters to Interfaces on page 235
Copyright © 2010, Juniper Networks, Inc.
243