Firewall Filter Configuration > Configuring Simple Filters

Simple filters are used to support Ethernet IQ2 PICs. A simple filter is a subset of a firewall filter with the following limitations:

• The next-term action is not supported.
• The except and protocol-except match conditions are not supported.
• Non-contiguous masks are not supported.
• Only one source-address and destination-address prefix are allowed for each filter term.

To configure simple filters, include the simple-filter statement at the [edit firewall family inet] hierarchy level:

[edit]

firewall {

    family inet {

        simple-filter filter-name {

            term term-name {

                from {

                    match-conditions;

                }

                then {

                    action; 

                    action-modifiers; 

                }

            }

        }

    }

}

For more information about Ethernet IQ2 PICs and related features, see the JUNOS Services Interfaces Configuration Guide and the JUNOS Class of Service Configuration Guide.

Example: Configuring a Simple Filter

Configure a simple filter to support Ethernet IQ2 PICs:

[edit]

firewall {

    family inet {

        simple-filter sf-1 {

            term 1 {

                from {

                    source-address 172.16.0.0/16;

                    destination-address 20.16.0.0/16;

                    source-port 1024-9071;

                }

                then {

                    forwarding-class fc-be1;

                    loss-priority high;

                    accept;

                }

            }

            term 2 {

                from {

                    source-address 173.16.0.0/16;

                    destination-address 21.16.0.0/16;

                }

                then { 

                    forwarding-class fc-ef1;

                    loss-priority low;

                    accept;

                }

            }

        }

    }

}