ON THIS PAGE
Example: Nesting References to Multiple Firewall Filters
This example shows how to configure nested references to multiple firewall filters.
Requirements
No special configuration beyond device initialization is required before configuring this example.
Overview
In this example, you configure a firewall filter for a match condition and action combination that can be shared among multiple firewall filters. You then configure two firewall filters that reference the first firewall filter. Later, if the common filtering criteria needs to be changed, you would modify only the one shared firewall filter configuration.
Topology
The common_filter firewall filter discards packets that have a UDP source or destination port field number of 69. Both of the
two additional firewall filters, filter1 and filter2, reference the common_filter.
Configuration
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Use the CLI Editor in Configuration Mode.
- CLI Quick Configuration
- Configure the Nested Firewall Filters
- Apply Both Nested Firewall Filters to Interfaces
- Confirm and Commit Your Candidate Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands into a text file, remove any line breaks, and then paste the commands into the
CLI at the [edit] hierarchy level.
set firewall family inet filter common_filter term common_term from protocol udp set firewall family inet filter common_filter term common_term from port tftp set firewall family inet filter common_filter term common_term then discard set firewall family inet filter filter1 term term1 filter common_filter set firewall family inet filter filter1 term term2 from address 192.168.0.0/16 set firewall family inet filter filter1 term term2 then reject set firewall family inet filter filter2 term term1 filter common_filter set firewall family inet filter filter2 term term2 from protocol udp set firewall family inet filter filter2 term term2 from port bootps set firewall family inet filter filter2 term term2 then accept set interfaces ge-0/0/0 unit 0 family inet address 10.1.0.1/24 set interfaces ge-0/0/0 unit 0 family inet filter input filter1 set interfaces ge-0/0/3 unit 0 family inet address 10.1.3.1/24 set interfaces ge-0/0/3 unit 0 family inet filter input filter2
Configure the Nested Firewall Filters
Step-by-Step Procedure
To configure two nested firewall filters that share a common filter:
Navigate the CLI to the hierarchy level at which you configure IPv4 firewall filters.
[edit] user@host# edit firewall family inet
Configure the common filter that will be referenced by multiple other filters.
[edit firewall family inet] user@host# set filter common_filter term common_term from protocol udp user@host# set filter common_filter term common_term from port tftp user@host# set filter common_filter term common_term then discard
Configure a filter that references the common filter.
[edit firewall family inet] user@host# set filter filter1 term term1 filter common_filter user@host# set filter filter1 term term2 from address 192.168.0.0/16 user@host# set filter filter1 term term2 then reject
Configure a second filter that references the common filter.
[edit firewall family inet] user@host# set filter filter2 term term1 filter common_filter user@host# set filter filter2 term term2 from protocol udp user@host# set filter filter2 term term2 from port bootps user@host# set filter filter2 term term2 then accept
Apply Both Nested Firewall Filters to Interfaces
Step-by-Step Procedure
To apply both nested firewall filters to logical interfaces:
Apply the first nested filter to a logical interface input.
[edit] user@host# set interfaces ge-0/0/0 unit 0 family inet address 10.1.0.1/24 user@host# set interfaces ge-0/0/0 unit 0 family inet filter input filter1
Apply the second nested filter to a logical interface input.
[edit] user@host# set interfaces ge-0/0/3 unit 0 family inet address 10.1.3.1/24 user@host# set interfaces ge-0/0/3 unit 0 family inet filter input filter2
Confirm and Commit Your Candidate Configuration
Step-by-Step Procedure
To confirm and then commit your candidate configuration:
Confirm the configuration of the firewall filter by entering the
show firewallconfiguration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.[edit] user@host# show firewall family inet { filter common_filter { term common_term { from { protocol udp; port tftp; } then { discard; } } } filter filter1 { term term1 { filter common_filter; } term term2 { from { address 192.168/16; } then { reject; } } } filter filter2 { term term1 { filter common_filter; } term term2 { from { protocol udp; port bootps; } then { accept; } } } }Confirm the configuration of the interface by entering the
show interfacesconfiguration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.[edit] user@host# show interfaces ge-0/0/0 { unit 0 { family inet { filter { input filter1; } address 10.1.0.1/24; } } } ge-0/0/3 { unit 0 { family inet { filter { input filter2; } address 10.1.3.1/24; } } }If you are done configuring the device, commit your candidate configuration.
[edit] user@host# commit
Verification
To confirm that the configuration is working properly, enter the show firewall filter filter1 and show
firewall filter filter2 operational mode commands.