Junos OS

All,

I am trying to configure a firewall rule on an EX4200 switch to allow only ports 9100 and 515 to a vlan.  When I apply the config below, it seems to block all traffic.  Any suggestions?

set firewall family inet filter Restrict-Printer term T1 from source-address 192.168.0.0/16
set firewall family inet filter Restrict-Printer term T1 from destination-address 192.168.121.0/24
set firewall family inet filter Restrict-Printer term T1 from protocol tcp
set firewall family inet filter Restrict-Printer term T1 from source-port 9100
set firewall family inet filter Restrict-Printer term T1 from source-port 515
set firewall family inet filter Restrict-Printer term T1 from tcp-established
set firewall family inet filter Restrict-Printer term T1 then accept
set firewall family inet filter Restrict-Printer term T2 then discard
set interfaces vlan unit 121 family inet filter input Restrict-Printer

Hello,

This may help

http://showroute.net/juniper-ex-switch-arp-issues-with-re-filters/ 

Basically, with EX4200/3200 You have to avoid unconditional discard FW filter terms like below:

set firewall family inet filter Restrict-Printer term T1 from source-address 192.168.0.0/16 
set firewall family inet filter Restrict-Printer term T1 from destination-address 192.168.121.0/24 
set firewall family inet filter Restrict-Printer term T1 from protocol tcp 
set firewall family inet filter Restrict-Printer term T1 from source-port 9100
set firewall family inet filter Restrict-Printer term T1 from source-port 515 
set firewall family inet filter Restrict-Printer term T1 from tcp-established 
set firewall family inet filter Restrict-Printer term T1 then accept 
set firewall family inet filter Restrict-Printer term T2 from source-address 192.168.0.0/16
set firewall family inet filter Restrict-Printer term T2 from destination-address 192.168.121.0/24
set firewall family inet filter Restrict-Printer term T2 then discard
set firewall family inet filter Restrict-Printer term T3 then accept 
set interfaces vlan unit 121 family inet filter input Restrict-Printer

 HTH

Thanks
Alex

If the printers are located on the  vlan, then you need to apply the filter as an output filter. Input filter applies to traffic coming into the switch from the port. Output applies to traffic leaving the switch to the port. Also, I would remove this line. If the connection is not already established, then you will definitely be blocking all traffic.

set firewall family inet filter Restrict-Printer term T1 from tcp-established

I used the configuration and again it blocked all traffic.  I changed output to input and it appeared to work.  I couldn't ping a printer that was 192.168.121.11 from the switch.  However I could ping the printer from my desktop that is on a different vlan.

set firewall family inet filter Restrict-Printer term T1 from source-address 192.168.0.0/16 
set firewall family inet filter Restrict-Printer term T1 from destination-address 192.168.121.0/24 
set firewall family inet filter Restrict-Printer term T1 from protocol tcp 
set firewall family inet filter Restrict-Printer term T1 from source-port 9100
set firewall family inet filter Restrict-Printer term T1 from source-port 515 
set firewall family inet filter Restrict-Printer term T1 then accept 
set firewall family inet filter Restrict-Printer term T2 from source-address 192.168.0.0/16
set firewall family inet filter Restrict-Printer term T2 from destination-address 192.168.121.0/24
set firewall family inet filter Restrict-Printer term T2 then discard
set firewall family inet filter Restrict-Printer term T3 then accept 
set interfaces vlan unit 121 family inet filter output Restrict-Printer

Your filter is matching traffic from this network only, 192.168.0.0/16. If you want to allow traffic from any other network then you need to add that network. Better yet, create a filter input list and add the addresses to this list. And instead of using a single source address you use this list. You can add and remove address from this list only.