
Firewall filter input-list

  • 1.  Firewall filter input-list

    Posted 07-17-2018 10:29
    Hi All, if I have 2 firewall filters which I want to apply to an interface as an input-list and one of the filters ends with a 'then discard' term, does the order of the firewall filters in the input-list matter?

    What I mean is, if I place the filter which ends with the discard term first in the list - i.e. BEFORE the other filter - will the first filter be the only one to be acted upon and the second filter be ignored? Or is it the case that once the first filter has been evaluated and acted upon, the second filter in the list will still be evaluated and acted upon even though the first filter ends with a discard term (because it's in list format and each filter is evaluated and acted upon regardless of the discard term in the first filter)?

    For information purposes: the first filter (family inet) accepts only certain source and destination addresses and ends with a discard term to block any other source and destination addresses, and the second filter (family inet) remarks the DSCP bits of incoming packets in order to align with the network's QoS policy.

    My reasoning for putting the filter with the discard term first in the input-list is that it seems more efficient to filter the packets based on source and destination addresses first, before remarking the DSCP bits of the packets which are actually allowed through ... TIA

  • 2.  RE: Firewall filter input-list
    Best Answer

    Posted 07-17-2018 11:35


    From what I read in your OP, you have a filter, say, F1, that has a last term looking like

    set firewall family inet filter F1 term else then discard

    So, if this filter F1 is leftmost in the filter-list, any subsequent filters in that list (say, F2, F3 etc) won't work/be evaluated.
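    An added configuration example (not the poster's or the answerer's own config) showing the two filters from the OP applied in the order the thread settles on, with the discard filter last. Interface name, prefixes, term names, port and DSCP values are assumptions chosen for illustration.

```junos
# Added example; interface, prefixes, term names, port and DSCP values are assumptions.

# F1: permit only the agreed source/destination addresses, drop everything else.
set firewall family inet filter F1 term allowed from source-address 192.0.2.0/24
set firewall family inet filter F1 term allowed from destination-address 198.51.100.0/24
set firewall family inet filter F1 term allowed then accept
set firewall family inet filter F1 term else then discard

# F2: rewrite DSCP on incoming packets. Every filter ends with an implicit
# discard-all, so F2 needs its own catch-all accept; otherwise packets that
# match no remarking term are dropped by F2 and never reach F1.
set firewall family inet filter F2 term remark-voice from protocol udp
set firewall family inet filter F2 term remark-voice from destination-port 5060
set firewall family inet filter F2 term remark-voice then dscp ef
set firewall family inet filter F2 term remark-voice then accept
set firewall family inet filter F2 term remark-rest then dscp 0
set firewall family inet filter F2 term remark-rest then accept

# Apply as an input-list with the filter that ends in 'then discard' last,
# as agreed in the thread.
set interfaces ge-0/0/0 unit 0 family inet filter input-list [ F2 F1 ]
```

    With this order every packet is remarked by F2 before F1 decides whether it is forwarded; a packet F1 discards is dropped regardless of the DSCP it was given.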




  • 3.  RE: Firewall filter input-list

    Posted 07-17-2018 11:40
    Many thanks Alex - I'll swap the order round so the filter with the discard term is last in the input-list