
Chapter 1: Policy and Firewall Filters Introduction


This syntax only exists for backward compatibility and is not available
on newer Junos device platforms. For consistency, it is recommended
that you create all firewall filters under the appropriate family class.

Note that in the preceding example, the name of the firewall filter is
test-firewall-filter, which is far better than something like “100”, and
that firewall filter names are configured under firewall family inet
as a filter.

Term
Terms in a firewall filter group matching criteria together so that a
specific action can be applied to them. Like the policy term, the
firewall filter term identifies the matching conditions with the “from”
statements, and the actions under the “then” statements:
[edit firewall family inet filter test-firewall-filter]
jack# show
term sample-term {
    from {
        source-address {
            192.168.0.0/16;
        }
        protocol gre;
    }
    then {
        count sample-counter;
        discard;
    }
}
term last-term {
    then accept;
}
Terms can contain multiple match conditions in Junos, but only a
single final action such as accept, reject, or discard. This is a big
distinction between Junos and other network operating systems.
Single-line access lists must repeat match conditions for a given action,
while Junos firewall filters allow for the grouping of like match
conditions for a common action.
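
The following Python sketch is an added illustration, not code from the book or from Junos. It models how test-firewall-filter above treats a packet: conditions of different types in a term's "from" must all match, terms are tried top down, and the first matching term's action is final. The dictionary layout, function names and sample packets are assumptions made for the example.

```python
import ipaddress

# Model of the page's test-firewall-filter. Within a term's "from", different
# condition types are ANDed; multiple values of one condition are ORed.
FILTER = [
    {"name": "sample-term",
     "from": {"source-address": ["192.168.0.0/16"], "protocol": ["gre"]},
     "then": {"count": "sample-counter", "action": "discard"}},
    {"name": "last-term", "from": {}, "then": {"action": "accept"}},
]

def term_matches(conditions, packet):
    for key, values in conditions.items():
        if key == "source-address":
            src = ipaddress.ip_address(packet["src"])
            ok = any(src in ipaddress.ip_network(v) for v in values)
        else:  # simple equality match, e.g. protocol
            ok = packet.get(key) in values
        if not ok:
            return False
    return True  # an empty "from" matches every packet

def evaluate(filter_terms, packet, counters):
    """Walk terms top down; the first matching term decides the packet."""
    for term in filter_terms:
        if term_matches(term["from"], packet):
            counter = term["then"].get("count")
            if counter:
                counters[counter] = counters.get(counter, 0) + 1
            return term["name"], term["then"]["action"]
    # Junos discards packets that match no term (implicit final discard).
    return None, "discard"

def run_samples():
    # Constructed sample packets, not captured traffic.
    packets = [
        {"src": "192.168.10.5", "protocol": "gre"},   # both conditions match
        {"src": "192.168.10.5", "protocol": "tcp"},   # address only
        {"src": "10.0.0.1", "protocol": "gre"},       # protocol only
    ]
    counters = {}
    results = [evaluate(FILTER, p, counters) for p in packets]
    return results, counters

if __name__ == "__main__":
    results, counters = run_samples()
    for r in results:
        print(r)
    print(counters)
```

Only the first sample packet is discarded and counted; the other two fall through to last-term. Removing last-term from the model shows why it matters: the same packets would then hit the implicit discard.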

NOTE Advanced firewall options and syntax are covered in Chapter 4.

Firewall Filter Flow


When the Junos OS processes a firewall filter, it does so through a
top-down process. As shown in Figure 1.2, Term A is processed first, then
