Normally, when configuring firewall filters, conflicting match conditions (for example 'port' and 'port-except') are not allowed.
However, it appears to be possible to bypass this restriction and create a self-contradictory filter term by using a configuration group:
This term says both to match and not match packets with port 5001.
[edit firewall filter loop]
xxx@icr01.xxxxx# show | display inheritance terse
term 1 {
    from {
        port 5001; ## inherited from group '1'
        port-except 5001;
    }
    then {
        count 1;
        reject;
    }
}
My question is: How is the device supposed to behave in this case, or is this left undefined?
In my testing, it appeared that the filter always matched packets with port 5001 (despite also saying not to), irrespective of whether the 'port' statement or the 'port-except' statement was the inherited one, which seems to go against the typical behavior of the more specific config overriding the inherited one.
Thanks
------------------------------
Oliver Brown
------------------------------
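Because the device's behavior for such a term is unclear, a practical safeguard is to lint the output of `show | display inheritance terse` for a 'from' block that carries both a match condition and its '-except' counterpart with the same value. The script below is an added example and is not part of the post above nor a Juniper tool: it is a minimal brace/statement walker written for this illustration and only handles the subset of Junos syntax shown in the post (plus bracketed value lists such as `port [ 22 23 ]`, a generalization added here). The sample input is constructed from the term quoted in the post, with a second, non-conflicting term added for contrast.

```python
"""Lint 'show | display inheritance terse' output for self-contradictory
match conditions, e.g. 'port 5001' together with 'port-except 5001'
in the same 'from' block.

Added example, not code from the original post. The parser is a toy
walker over the brace syntax shown there, not a general Junos parser.
"""
import re
from collections import defaultdict

# Constructed sample: the term from the post (with its inheritance
# annotation) plus a second term that has no conflict.
SAMPLE = """\
[edit firewall filter loop]
xxx@icr01.xxxxx# show | display inheritance terse
term 1 {
    from {
        port 5001; ## inherited from group '1'
        port-except 5001;
    }
    then {
        count 1;
        reject;
    }
}
term 2 {
    from {
        port [ 22 23 ];
        port-except 25;
    }
    then {
        accept;
    }
}
"""

STMT_RE = re.compile(r"^(\S+)\s+(.+);$")


def split_values(value):
    """'[ 22 23 ]' -> {'22', '23'}; '5001' -> {'5001'}."""
    value = value.strip()
    if value.startswith("[") and value.endswith("]"):
        return set(value[1:-1].split())
    return {value}


def parse_terms(text):
    """Return {term_name: {keyword: set(values)}} for every 'from' block.

    Inheritance annotations ('## inherited from group ...') are stripped
    before parsing; CLI banner lines such as '[edit ...]' and the prompt
    are skipped because they end with neither '{', '}' nor ';'.
    """
    terms = defaultdict(lambda: defaultdict(set))
    stack = []            # block names we are inside, e.g. ['term 1', 'from']
    current_term = None
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()
        if not line.endswith(("{", "}", ";")):
            continue
        if line.endswith("{"):
            name = line[:-1].strip()
            stack.append(name)
            if name.startswith("term "):
                current_term = name
            continue
        if line == "}":
            if stack and stack.pop() == current_term:
                current_term = None
            continue
        m = STMT_RE.match(line)
        if m and current_term and stack and stack[-1] == "from":
            keyword, value = m.group(1), m.group(2)
            terms[current_term][keyword] |= split_values(value)
    return terms


def find_conflicts(terms):
    """Return [(term, keyword, value)] for every value that appears under
    both 'keyword' and 'keyword-except' in the same 'from' block."""
    conflicts = []
    for term, conds in terms.items():
        for keyword, values in conds.items():
            if keyword.endswith("-except"):
                continue
            overlap = values & conds.get(keyword + "-except", set())
            for value in sorted(overlap):
                conflicts.append((term, keyword, value))
    return conflicts


if __name__ == "__main__":
    for term, kw, val in find_conflicts(parse_terms(SAMPLE)):
        print(f"{term}: '{kw} {val}' conflicts with '{kw}-except {val}'")
```

Running it against the sample flags only `term 1`, since `term 2` excludes a port it does not also match. The check is deliberately run on the inheritance-expanded view rather than the raw candidate configuration, because that is the only place the conflict between a group-supplied statement and a locally configured one becomes visible.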