Junos OS

  • 1.  Combining firewall rules into an output-list

    Posted 05-31-2016 09:39

    I was looking to see if combining two rules into an output-list that ended with a term that accepted all traffic would still process the other list, or whether it would just pass all traffic. My example rules are below; they both end with a term that accepts all other traffic.


    filter Trusted-Voice {
        term Site-1-SIP {
            from {
                address {
                    1.1.1.1/32;
                }
                protocol [ tcp udp ];
                port [ 5060 5082 ];
            }
            then {
                forwarding-class AF31;
                accept;
            }
        }
        term Site-1-RTP {
            from {
                address {
                    1.1.1.1/32;
                }
            }
            then {
                forwarding-class EF;
                accept;
            }
        }
        term Site-2-SIP {
            from {
                address {
                    2.2.2.2/32;
                }
                protocol [ tcp udp ];
                port [ 5060 5082 ];
            }
            then {
                forwarding-class AF31;
                accept;
            }
        }
        term Site-2-RTP {
            from {
                address {
                    2.2.2.2/32;
                }
            }
            then {
                forwarding-class EF;
                accept;
            }
        }
        term Default {
            then accept;
        }
    }


    filter PCoIP {
        term 1 {
            from {
                source-address {
                    0.0.0.0/0;
                }
                destination-address {
                    0.0.0.0/0;
                }
                port 4172;
            }
            then forwarding-class AF21;
        }
        term 2 {
            then accept;
        }
    }



  • 2.  RE: Combining firewall rules into an output-list
    Best Answer

    Posted 06-01-2016 03:46

    You would merge the two filters into a single one for this application.

    Will the 2.2.2.2/32 address need to hit the PCoIP rule?

    Then term 1 from PCoIP will go before the term Site-2-RTP when combined into one list.

    Or should they all be EF class?

    Then term 1 from PCoIP goes right before the default term in the combined list.



  • 3.  RE: Combining firewall rules into an output-list

    Posted 06-01-2016 08:42

    Thanks to both of you, that clears that up!



  • 4.  RE: Combining firewall rules into an output-list

    Posted 06-01-2016 03:56

    If you use output-list or input-list, the individual firewall filters will be logically concatenated into a single firewall filter. So, in your case, the second filter won't be executed, as the last term of the first filter will already accept all packets, i.e. you need to remove this term in order to get the list working. The implicit reject-all will be added to the end of the filter chain.

    Cheers,

    Carsten
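To make the evaluation order concrete, here is a small first-match evaluator for a Junos filter list. It is an added example, not code from the thread or from Juniper, and it encodes the Junos rules the replies rely on: filters in a list are concatenated in order, terms are tried first-match, a `from address` matches source or destination and a `from port` matches source or destination port, a term whose `then` has no terminating action accepts the packet, and anything unmatched hits the implicit discard at the end of the whole list. The two posted filters are transcribed into `Term` objects; the packets and the 10.0.0.x addresses are constructed samples, and the list names (`AS_POSTED`, `DEFAULT_REMOVED`, `NO_CATCHALL`, `MERGED_PCOIP_FIRST`) are mine.

```python
"""First-match evaluator for a Junos firewall filter list (input-list / output-list).

Added example, not code from the thread or from Juniper.  It models: filters in a
list are concatenated in order; terms are tried first-match; 'from address' matches
src OR dst; 'from port' matches sport OR dport; a term with no terminating action
accepts; unmatched packets hit the implicit discard at the end of the whole list.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def _in_any(ip: str, prefixes) -> bool:
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(p) for p in prefixes)


@dataclass
class Term:
    name: str
    address: set = field(default_factory=set)        # 'from address': src OR dst
    src_address: set = field(default_factory=set)    # 'from source-address'
    dst_address: set = field(default_factory=set)    # 'from destination-address'
    protocol: set = field(default_factory=set)
    port: set = field(default_factory=set)           # 'from port': sport OR dport
    forwarding_class: Optional[str] = None           # non-terminating action
    action: str = "accept"                           # terminating action; accept is the default

    def matches(self, pkt: Packet) -> bool:
        # An empty match set means the condition is absent from the term, so it matches anything.
        if self.address and not (_in_any(pkt.src, self.address) or _in_any(pkt.dst, self.address)):
            return False
        if self.src_address and not _in_any(pkt.src, self.src_address):
            return False
        if self.dst_address and not _in_any(pkt.dst, self.dst_address):
            return False
        if self.protocol and pkt.proto not in self.protocol:
            return False
        if self.port and pkt.sport not in self.port and pkt.dport not in self.port:
            return False
        return True


def evaluate_list(filters, pkt: Packet):
    """Walk the concatenated list; return (action, forwarding-class, 'filter/term')."""
    for fname, terms in filters:
        for term in terms:
            if term.matches(pkt):
                return term.action, term.forwarding_class, f"{fname}/{term.name}"
    return "discard", None, "implicit-discard"


# The two filters as posted, transcribed into Term objects.
TRUSTED_VOICE = [
    Term("Site-1-SIP", address={"1.1.1.1/32"}, protocol={"tcp", "udp"}, port={5060, 5082}, forwarding_class="AF31"),
    Term("Site-1-RTP", address={"1.1.1.1/32"}, forwarding_class="EF"),
    Term("Site-2-SIP", address={"2.2.2.2/32"}, protocol={"tcp", "udp"}, port={5060, 5082}, forwarding_class="AF31"),
    Term("Site-2-RTP", address={"2.2.2.2/32"}, forwarding_class="EF"),
]
DEFAULT_ACCEPT = Term("Default")                 # 'then accept' with no 'from': matches everything
PCOIP = [
    Term("1", src_address={"0.0.0.0/0"}, dst_address={"0.0.0.0/0"}, port={4172}, forwarding_class="AF21"),
    Term("2"),                                   # 'then accept' catch-all
]

AS_POSTED = [("Trusted-Voice", TRUSTED_VOICE + [DEFAULT_ACCEPT]), ("PCoIP", PCOIP)]
DEFAULT_REMOVED = [("Trusted-Voice", TRUSTED_VOICE), ("PCoIP", PCOIP)]
NO_CATCHALL = [("Trusted-Voice", TRUSTED_VOICE), ("PCoIP", PCOIP[:1])]
# Single merged filter with PCoIP term 1 placed before Site-2-RTP, as the accepted answer suggests.
MERGED_PCOIP_FIRST = [("Merged", TRUSTED_VOICE[:3] + [PCOIP[0]] + TRUSTED_VOICE[3:] + [PCOIP[1]])]

# Constructed sample packets (10.0.0.x addresses chosen for illustration only).
DESKTOP_PCOIP = Packet("10.0.0.5", "10.0.0.9", "udp", 4172, 4172)   # PCoIP from an ordinary host
SITE2_PCOIP = Packet("2.2.2.2", "10.0.0.9", "udp", 50000, 4172)     # PCoIP from the Site-2 address
SSH = Packet("10.0.0.5", "10.0.0.9", "tcp", 40000, 22)               # matches no specific term

if __name__ == "__main__":
    for label, flist in [("as posted", AS_POSTED), ("Default removed", DEFAULT_REMOVED),
                         ("no catch-all", NO_CATCHALL), ("merged, PCoIP first", MERGED_PCOIP_FIRST)]:
        for pkt in (DESKTOP_PCOIP, SITE2_PCOIP, SSH):
            print(f"{label:22} {pkt.src}->{pkt.dst}:{pkt.dport:<5} {evaluate_list(flist, pkt)}")
```

With the list as posted, a PCoIP packet from an ordinary host is accepted by Trusted-Voice/Default and never reaches PCoIP term 1, so it is forwarded without the AF21 class. Removing the Default term lets PCoIP term 1 classify it; traffic from 2.2.2.2 still gets EF from Site-2-RTP unless the PCoIP term is moved ahead of it, which is the ordering choice the accepted answer asks about. Dropping the final catch-all term as well sends unmatched traffic to the implicit discard, which is worth checking before committing a list on a production interface.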