I also do not see why icmp would not be accepted on your second policy.
I would try adding the count to all the terms and see which one icmp is hitting as a start.
And perhaps rearranging the order of the terms to see if there might be some kind of interaction that is not obvious.
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
------------------------------
Original Message:
Sent: 11-17-2021 11:45
From: Unknown User
Subject: Firewall filter question
I have a pair of routers to be peered with BGP
RA -----BGP(BFD)----- RB
I have the following filters
set firewall family inet filter re-protection term icmp from protocol icmp
set firewall family inet filter re-protection term icmp then accept
set firewall family inet filter re-protection term bfd from protocol udp
set firewall family inet filter re-protection term bfd then accept
set firewall family inet filter re-protection term tcp from protocol tcp
set firewall family inet filter re-protection term tcp from port bgp
set firewall family inet filter re-protection term tcp then accept
set firewall family inet filter re-protection term dropAll then reject
It worked fine.
But at first I had the following:
set firewall family inet filter re-protection term bfd from protocol udp
set firewall family inet filter re-protection term bfd then accept
set firewall family inet filter re-protection term tcp from protocol tcp
set firewall family inet filter re-protection term tcp from port bgp
set firewall family inet filter re-protection term icmp from protocol icmp
set firewall family inet filter re-protection term icmp then accept
set firewall family inet filter re-protection term tcp then accept
set firewall family inet filter re-protection term dropAll then reject
Then ICMP is not allowed.
Can anyone shed some light on it?
Thanks!!
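
An offline model of the reply's suggestion to see which term each packet hits, applied to both command sequences from the original message. This is an added example, not code from either poster and not Junos itself. It assumes a term takes its position when `set` first creates it, every `from` condition in a term must match, the first matching term decides, and a term with no action yet accepts; the packets are constructed samples.

```python
import re

PREFIX = "set firewall family inet filter re-protection term "
# The two command sequences from the post, in the order they were entered.
WORKING = [PREFIX + s for s in (
    "icmp from protocol icmp", "icmp then accept", "bfd from protocol udp",
    "bfd then accept", "tcp from protocol tcp", "tcp from port bgp",
    "tcp then accept", "dropAll then reject")]
FIRST = [PREFIX + s for s in (
    "bfd from protocol udp", "bfd then accept", "tcp from protocol tcp",
    "tcp from port bgp", "icmp from protocol icmp", "icmp then accept",
    "tcp then accept", "dropAll then reject")]
# Constructed sample packets: ICMP echo, BFD control (UDP 3784), BGP, SSH.
PACKETS = [{"protocol": "icmp"}, {"protocol": "udp", "dport": 3784},
           {"protocol": "tcp", "sport": 40000, "dport": 179},
           {"protocol": "tcp", "sport": 40001, "dport": 22}]

def build_filter(set_lines):
    """Build terms in creation order (assumed: new terms append, default accept)."""
    terms = {}  # dicts preserve insertion order
    for line in set_lines:
        m = re.search(r"term (\S+) (from|then) (.+)$", line.strip())
        if m:
            name, kind, rest = m.groups()
            term = terms.setdefault(name, {"from": {}, "then": "accept"})
            if kind == "from":
                term["from"].update([rest.split()])
            else:
                term["then"] = rest
    return terms

def matches(cond, pkt):
    """Every condition must match; `port` means source or destination port."""
    port = {"bgp": 179}[cond["port"]] if "port" in cond else None  # page uses bgp only
    return (cond.get("protocol") in (None, pkt["protocol"])
            and (port is None or port in (pkt.get("sport"), pkt.get("dport"))))

def first_match(terms, pkt):
    """Return (term, action) of the first matching term: the counter that bumps."""
    for name, term in terms.items():
        if matches(term["from"], pkt):
            return name, term["then"]
    return None, "discard"  # assumed implicit default when no term matches

if __name__ == "__main__":
    for label, cfg in (("working", WORKING), ("first", FIRST)):
        print(label, [first_match(build_filter(cfg), p) for p in PACKETS])
```

In this model the ICMP packet lands in the `icmp` term under both entry orders, so the per-term counters on the router are what would show where it actually goes.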