Reordering Firewall Terms

Problem

You want to change the order of terms in a firewall filter.

Solution

Use the CLI insert command to rearrange the terms in a firewall filter:

[edit firewall filter incoming-to-me ] aviva@RouterF# insert term restrict-bgp before term restrict-telnet-ssh

Discussion

One difference between routing policies and firewall filters is that while you can apply several routing policies to a routing protocol, chaining them together as necessary, you can apply only one incoming and one outgoing firewall filter to an interface. This means that firewall filters generally contain a large number of terms.

As with routing policies, the order of the terms in a firewall filter is significant. Packets are tested against each term in the order. For performance and packet-handling efficiency, design each filter so the most important or time-critical packets are processed first. When you add a term to an existing filter, it appears at the end:

[edit firewall filter incoming-to-me] aviva@router1# set term restrict-bgp from protocol tcp aviva@router1# set term restrict-bgp from port bgp aviva@router1# set term restrict-bgp from source-address 10.0.31.0/24 aviva@router1# set term restrict-bgp then accept aviva@router1# show term restrict-telnet-ssh { from { source-address { 10.0.0.0/8; } protocol tcp; destination-port [ telnet ssh ]; } then accept; } term restrict-bgp { from { source-address { 10.0.31.0/24; } protocol tcp; port bgp; } then accept; }

Use the insert command to rearrange the terms. The command in this recipe moves the restrict-bgp term so that it precedes the restrict-telnet-ssh term. Check that the order is what you expect:

[edit firewall filter incoming-to-me ] aviva@RouterF# show term restrict-bgp { from { source-address { 10.0.31.0/24; } protocol tcp; port bgp; } then accept; } term restrict-telnet-ssh { from { source-address { 10.0.0.0/8; } protocol tcp; destination-port [ telnet ssh ]; } then accept; }