Re: [j-nsp] solution to a firewall question

2015-04-26 Thread Ben Dale


Hi Vijesh,

On 24 Apr 2015, at 1:18 am, Vijesh Chandran wrote:

> Hi all,
>  I am wondering if we have a solution to this issue.
>  I need two firewall filters attached to an interface as input-list. e.g.: f1 and f2.
>  Input-list [f1 f2]
>  f1 to match a condition (all tcp port 80) and accept and count that packet.
>  f2 to classify those packets based on code points and push to a forwarding 
> class. Is this possible?
> 
> -Thanks,
> Vijesh
> 

If f2 is only matching on code-points, is there any reason you can't just use a 
class-of-service classifier instead for this functionality?

Cheers,

Ben

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] solution to a firewall question

2015-04-24 Thread Olivier Benghozi
Yep:

http://www.juniper.net/documentation/en_US/junos14.2/topics/concept/firewall-filter-option-multiple-nested-guidelines-for-configuring.html

-> "You cannot configure a firewall filter term that both references another 
firewall filter and defines a match condition or action. If a firewall filter 
term includes the filter statement, then it cannot also include the from or 
then statement."


Without "next term", you are doomed...
So, on EX/QFX you are doomed :)



> On 24 Apr 2015 at 03:44, Vijesh Chandran wrote:
> 
> This would probably need a tweak. Juniper does not support filter reference 
> inside a term with 'from' inside it. There will be commit error. 
> However, let me try this and come back. Thanks for the solution.
> 
> -Thanks,
>  Vijesh

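The commit-time rule Olivier quotes, turned into a pre-commit lint as an added example (not code from the thread or from Juniper): a minimal hand-written parser for `show firewall`-style brace text plus a walk that flags any term carrying `filter <name>;` together with `from` or `then`. The f2 posted in the thread is embedded as the failing input; the second configuration, which moves the filter reference into its own term, is a constructed rewrite that satisfies the quoted rule only, and says nothing about whether it meets Vijesh's requirement.

```python
"""Pre-commit lint for the Junos nested-filter rule (added example).

Rule, as quoted from the Junos documentation in the thread: a firewall
filter term that references another filter with `filter <name>;` may not
also carry a `from` or a `then` statement; Junos rejects it at commit.
The brace parser below is a minimal hand-written one for `show firewall`
style text (lines of the form `name {`, `stmt;` and `}`), not a Junos
library.
"""
from typing import Dict, List, Optional

Node = Dict[str, Optional["Node"]]  # leaf statements map to None, blocks to a dict


def parse_junos(text: str) -> Node:
    """Parse curly-brace Junos configuration text into nested dicts."""
    root: Node = {}
    stack: List[Node] = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            stack.pop()
        elif line.endswith("{"):
            block: Node = {}
            stack[-1][line[:-1].strip()] = block
            stack.append(block)
        elif line.endswith(";"):
            stack[-1][line[:-1].strip()] = None
        else:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces: block left open")
    return root


def nested_filter_violations(config: Node) -> List[str]:
    """One message per term that references a filter and also has from/then."""
    found: List[str] = []

    def walk(node: Node) -> None:
        for key, body in node.items():
            if body is None:
                continue
            if key.startswith("filter ") and any(k.startswith("term ") for k in body):
                fname = key.split(maxsplit=1)[1]
                for tkey, tbody in body.items():
                    if not tkey.startswith("term ") or tbody is None:
                        continue
                    refs = [k.split(maxsplit=1)[1] for k in tbody if k.startswith("filter ")]
                    clash = sorted({"from", "then"} & set(tbody))
                    if refs and clash:
                        found.append(f"filter {fname} {tkey}: references filter {refs[0]} "
                                     f"but also has {' and '.join(clash)}")
            else:
                walk(body)  # descend through e.g. firewall { family inet { ... } }

    walk(config)
    return found


# The f2 posted in the thread: expected to fail at commit
POSTED_F2 = """
filter f2 {
    term 1 {
        filter f1;
        from {
            dscp ef;
        }
        then {
            forwarding-class expedited-forwarding;
            accept;
        }
    }
}
"""

# Constructed rewrite (assumption, not from the thread): reference and match in separate terms
SPLIT_F2 = """
filter f2 {
    term call-f1 {
        filter f1;
    }
    term classify {
        from {
            dscp ef;
        }
        then {
            forwarding-class expedited-forwarding;
            accept;
        }
    }
}
"""


def lint(text: str) -> List[str]:
    return nested_filter_violations(parse_junos(text))


if __name__ == "__main__":
    for name, cfg in (("posted f2", POSTED_F2), ("split f2", SPLIT_F2)):
        problems = lint(cfg)
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Run it against the output of `show configuration firewall | display set`-free brace text (the plain `show firewall` form) before `commit check`; the walk also descends through a `firewall { family inet { ... } }` wrapper, so pasting a whole firewall stanza works.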
Re: [j-nsp] solution to a firewall question

2015-04-23 Thread Vijesh Chandran
This would probably need a tweak. Juniper does not support filter reference 
inside a term with 'from' inside it. There will be commit error.

However, let me try this and come back. Thanks for the solution.


-Thanks,

 Vijesh





Re: [j-nsp] solution to a firewall question

2015-04-23 Thread Damien DeVille
You are correct -- I misread the documentation.  I think this will achieve
your goal -- though it would be simpler to write a filter with 2 terms, the
first to match and count with an action of "next-term" and the second term
to classify and shunt the packets into a forwarding class.

You can call one filter as part of another, in this example f2 (applied as
the input on the interface) calls f1 prior to processing the match
conditions in term 1:

ddeville@testlab-rtr# show
unit 0 {
    family inet {
        filter {
            input f2;
        }
        dhcp;
    }
}

ddeville@testlab-rtr# show firewall
filter f1 {
    term 1 {
        from {
            protocol tcp;
            destination-port 80;
        }
        then {
            count tcp_80;
            accept;
        }
    }
}
filter f2 {
    term 1 {
        filter f1;
        from {
            dscp ef;
        }
        then {
            forwarding-class expedited-forwarding;
            accept;
        }
    }
}

- Damien

On Thu, Apr 23, 2015 at 8:24 PM, Vijesh Chandran wrote:

> Is there a programming difference between 'firewall filter' and
> 'firewall family inet filter' (ignore the v4 part of that)?
>
> afaik, family inet filter will skip all subsequent terms if a packet
> matches the first term. Is that not true for family filter?
>
>
>  -Vijesh
>

Re: [j-nsp] solution to a firewall question

2015-04-23 Thread Vijesh Chandran
Is there a programming difference between 'firewall filter' and 'firewall 
family inet filter' (ignore the v4 part of that)?

  afaik, family inet filter will skip all subsequent terms if a packet matches 
the first term. Is that not true for family filter?


-Vijesh





Re: [j-nsp] solution to a firewall question

2015-04-23 Thread Damien DeVille
Actually, my example is incorrect.  Filter f1 should read as follows:

ddeville@testlab-rtr# show firewall
filter f1 {
    term 1 {
        from {
            protocol tcp;
            destination-port 80;
        }
        then {
            count tcp_80;
        }
    }
}

When written this way, the second filter "f2" will be evaluated as part of
the chain.  See
http://www.juniper.net/documentation/en_US/junos13.3/topics/concept/firewall-filter-option-multiple-listed-overview.html#jd0e195



- Damien



Re: [j-nsp] solution to a firewall question

2015-04-23 Thread Damien DeVille
While I don't understand why you have the requirement that you can't use
next-term (seems to be arbitrary), you can accomplish this with the "input-list"
option (https://www.juniper.net/documentation/en_US/junos14.2/topics/reference/configuration-statement/input-list-edit-interfaces.html).

Here is a sample configuration:

ddeville@testlab-rtr# show interfaces ge-0/0/0
unit 0 {
    family inet {
        filter {
            input-list [ f1 f2 ];
        }
        address 192.168.1.2/32;
    }
}

ddeville@testlab-rtr# show firewall
filter f1 {
    term 1 {
        from {
            protocol tcp;
            destination-port 80;
        }
        then {
            count tcp_80;
            accept;
        }
    }
}
filter f2 {
    term 1 {
        from {
            dscp ef;
        }
        then {
            forwarding-class expedited-forwarding;
            accept;
        }
    }
}

- Damien

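The accept-versus-next-term point the thread turns on, worked as an added example (my code, not Damien's or Juniper's): a small Python model of a two-member input-list that evaluates the f1/f2 pair above against constructed packets. It assumes what the Junos "multiple filters applied as a list" documentation linked in the thread describes: the list members are evaluated as one ordered sequence of terms, a matching term that ends in accept/discard/reject stops evaluation, and "next term" continues into the next filter in the list. Alexander's reply further down recalls otherwise for his platform, so confirm on your own release. A term with only nonterminating actions and no explicit action is not modelled. The packet fields and sample packets are assumptions; f1, f2, tcp_80 and expedited-forwarding are the names from the posted configuration.

```python
"""Model of Junos firewall-filter input-list evaluation (added example).

Assumption, from the Junos "multiple filters applied as a list" documentation
linked in the thread: the members of input-list [ f1 f2 ] are evaluated as one
ordered sequence of terms. A matching term ending in a terminating action
(accept, discard, reject) ends evaluation; a matching term ending in
"next term" keeps going, into the next filter if it was the last term of f1.
Verify this on your own platform and release before relying on it.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

Packet = Dict[str, object]  # header fields, e.g. {"protocol": "tcp", "destination-port": 80}

TERMINATING = {"accept", "discard", "reject"}


@dataclass
class Term:
    name: str
    match: Dict[str, object]                # 'from' conditions: each field must equal the packet's
    count: Optional[str] = None             # 'then count <name>' (nonterminating)
    forwarding_class: Optional[str] = None  # 'then forwarding-class <name>' (nonterminating)
    action: str = "accept"                  # explicit terminating action, or "next term"

    def matches(self, pkt: Packet) -> bool:
        return all(pkt.get(k) == v for k, v in self.match.items())


@dataclass
class Filter:
    name: str
    terms: List[Term]


@dataclass
class Verdict:
    action: str                      # terminating action finally taken
    counters: List[str]              # counters hit, as "<filter>:<counter>", in order
    forwarding_class: Optional[str]  # last forwarding-class set, if any


def evaluate(input_list: List[Filter], pkt: Packet) -> Verdict:
    """Walk the concatenated terms of every filter in the list, in order."""
    counters: List[str] = []
    fc: Optional[str] = None
    for flt in input_list:
        for term in flt.terms:
            if not term.matches(pkt):
                continue
            if term.count:
                counters.append(f"{flt.name}:{term.count}")
            if term.forwarding_class:
                fc = term.forwarding_class
            if term.action in TERMINATING:
                return Verdict(term.action, counters, fc)
            # "next term": fall through to the following term, possibly in the next filter
    # No term terminated the packet: the implicit final discard applies
    return Verdict("discard", counters, fc)


def thread_filters(f1_action: str) -> List[Filter]:
    """f1 and f2 as posted in the thread; f1's terminating action is the variable."""
    f1 = Filter("f1", [Term("1", {"protocol": "tcp", "destination-port": 80},
                            count="tcp_80", action=f1_action)])
    f2 = Filter("f2", [Term("1", {"dscp": "ef"},
                            forwarding_class="expedited-forwarding", action="accept")])
    return [f1, f2]


# Constructed sample packets (not from the thread)
WEB_EF: Packet = {"protocol": "tcp", "destination-port": 80, "dscp": "ef"}
DNS_BE: Packet = {"protocol": "udp", "destination-port": 53, "dscp": "be"}


def with_accept(pkt: Packet = WEB_EF) -> Verdict:
    """f1 ends in accept: a port-80 packet is counted but never reaches f2's classifier."""
    return evaluate(thread_filters("accept"), pkt)


def with_next_term(pkt: Packet = WEB_EF) -> Verdict:
    """f1 ends in next term: the same packet is counted in f1 and classified in f2."""
    return evaluate(thread_filters("next term"), pkt)


if __name__ == "__main__":
    for label, fn in (("accept", with_accept), ("next term", with_next_term)):
        v = fn()
        print(f"f1 then {label:9}: {v.action}, counters={v.counters}, fc={v.forwarding_class}")
    print("udp/53 matching no term:", with_accept(DNS_BE).action)
```

The model makes the requirement's conflict visible: with `accept` in f1 the port-80 packet is counted and accepted before f2 ever sees its DSCP, so the classification never happens; only `next term` (which Vijesh must avoid) or a single combined filter gets both actions applied to the same packet.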


Re: [j-nsp] solution to a firewall question

2015-04-23 Thread Vijesh Chandran
Hi Olivier,
 My bad that I didn't specify this in the original mail...
The caveat here is that next term shall be avoided, as per the requirement.
-Thanks,
 Vijesh





Re: [j-nsp] solution to a firewall question

2015-04-23 Thread Olivier Benghozi
Replace accept with next term in f1?

next term works across a filter list from what I see and according to the 
documentation (http://www.juniper.net/documentation/en_US/junos13.3/topics/concept/firewall-filter-option-multiple-listed-overview.html).


Olivier


Re: [j-nsp] solution to a firewall question

2015-04-23 Thread Vijesh Chandran
No subsequent term will be considered if a packet matches a term condition. 
That's the problem here.

Combining both may not work here, I would think.





Re: [j-nsp] solution to a firewall question

2015-04-23 Thread Alexander Arseniev

Hello,
"next term" does not work across member filters in a filter list, last 
time I checked.
So you have to combine/move these 2 functionalities into a single 
filter, which could be a member of the filter list.

Thanks
Alex



[j-nsp] solution to a firewall question

2015-04-23 Thread Vijesh Chandran
Hi all,
  I am wondering if we have a solution to this issue.
  I need two firewall filters attached to an interface as input-list. e.g.: f1 and f2.
  Input-list [f1 f2]
  f1 to match a condition (all tcp port 80) and accept and count that packet.
  f2 to classify those packets based on code points and push to a forwarding 
class. Is this possible?

-Thanks,
 Vijesh
