Understanding How Firewall Filters Are Evaluated
A firewall filter consists of one or more terms, and the order of the terms within a firewall filter is important. Before you configure firewall filters, you should understand how Juniper Networks EX Series Ethernet Switches evaluate the terms within a firewall filter and how packets are evaluated against the terms.
When a firewall filter consists of a single term, the filter is evaluated as follows:
- If the packet matches all the conditions, the action in the then statement is taken.
- If the packet matches all the conditions, and no action is specified in the then statement, the default action accept is taken.
When a firewall filter consists of more than one term, the firewall filter is evaluated sequentially:
- The packet is evaluated against the conditions in the from statement in the first term.
- If the packet matches all the conditions in the term, the action in the then statement is taken and the evaluation ends. Subsequent terms in the filter are not evaluated.
- If the packet does not match all the conditions in the term, the packet is evaluated against the conditions in the from statement in the second term.
- This process continues until either the packet matches the conditions in the from statement in one of the subsequent terms or there are no more terms in the filter.
- If a packet passes through all the terms in the filter without a match, the packet is discarded.
Figure 1 shows how an EX Series switch evaluates the terms within a firewall filter.
If a term does not contain a from statement, the packet is considered to match and the action in the then statement of the term is taken.
If a term does not contain a then statement, or if an action has not been configured in the then statement, and the packet matches the conditions in the from statement of the term, the packet is accepted.
Every firewall filter contains an implicit deny statement at the end of the filter, which is equivalent to the following explicit filter term:
term implicit-rule { then discard; }
Consequently, if a packet passes through all the terms in a filter without matching any conditions, the packet is discarded. If you configure a firewall filter that has no terms, all packets that pass through the filter are discarded.
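The evaluation rules above (first matching term wins, a term with no from statement matches everything, a term with no then action accepts, and the implicit discard at the end) can be modelled in a few lines. The following is an added illustration, not Juniper code or an exact model of the switch; the Term class, the evaluate and unreachable_terms functions, and the sample filter and packets are constructed for this example.

```python
from typing import Dict, List, Optional, Tuple

class Term:
    """One term of a firewall filter. An empty `match` dict models a term with
    no from statement; action None models a term with no then statement (or a
    then statement in which no action has been configured)."""
    def __init__(self, name: str, match: Optional[Dict[str, object]] = None,
                 action: Optional[str] = None):
        self.name = name
        self.match = match or {}
        self.action = action

def evaluate(terms: List[Term], packet: Dict[str, object]) -> Tuple[str, str]:
    """Walk the terms in order and return (action, term_name) for the packet."""
    for term in terms:
        # all() over an empty dict is True, so a term with no from statement
        # matches every packet and ends the evaluation.
        if all(packet.get(field) == value for field, value in term.match.items()):
            # No then statement, or no action configured in it, means accept.
            return (term.action or "accept", term.name)
    # No term matched, or the filter has no terms: the implicit discard applies.
    return ("discard", "implicit-rule")

def unreachable_terms(terms: List[Term]) -> List[str]:
    """Names of terms that can never be evaluated because an earlier term has
    no from statement and therefore matches (and terminates) every packet."""
    for index, term in enumerate(terms):
        if not term.match:
            return [t.name for t in terms[index + 1:]]
    return []

# Constructed sample filter, roughly equivalent to:
#   term allow-ssh   { from { protocol tcp; destination-port 22; } then accept; }
#   term drop-telnet { from { protocol tcp; destination-port 23; } then discard; }
#   term count-dns   { from { protocol udp; destination-port 53; } }   (no then: accept)
SAMPLE_FILTER = [
    Term("allow-ssh", {"protocol": "tcp", "destination-port": 22}, "accept"),
    Term("drop-telnet", {"protocol": "tcp", "destination-port": 23}, "discard"),
    Term("count-dns", {"protocol": "udp", "destination-port": 53}),
]

if __name__ == "__main__":
    for pkt in ({"protocol": "tcp", "destination-port": 22},
                {"protocol": "tcp", "destination-port": 80}):
        print(pkt, "->", evaluate(SAMPLE_FILTER, pkt))
    # Term order matters: a catch-all term placed first shadows everything after it.
    print(unreachable_terms([Term("match-all", action="accept")] + SAMPLE_FILTER))
```

Running unreachable_terms against a filter before committing it is a cheap way to catch a catch-all term that was placed too early.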