Hi,
If our objective is to drop a packet, it is efficient to do it at the stateless firewall filters themselves (i.e., in the initial stages of packet processing), rather than denying it at security policies (stateful inspection). Also, for achieving our objective we need more inputs like context (from-zone, to-zone, src-ip, dst-ip, application), all of which are mandatory for a security policy.
Coming to deletion of hosts from the firewall filter, I have prepared one more op script ..

pradeep@srx> show configuration firewall family inet filter block
term badhosts {
    from {
        source-address {
            5.6.7.8/32;
            1.2.3.4/32;
        }
    }
    then {
        reject;
    }
}
term others {
    then accept;
}

pradeep@srx> op remove ?
Possible completions:
  <[Enter]>            Execute this command
  <name>               Argument name
  detail               Display detailed output
  host                 Enter the host ip address to be removed from the blocklist
  |                    Pipe through a command

pradeep@srx> op remove host 5.6.7.8

pradeep@srx> show configuration firewall family inet filter block
term badhosts {
    from {
        source-address {
            1.2.3.4/32;
        }
    }
    then {
        reject;
    }
}
term others {
    then accept;
}

For more info on SLAX scripts, you can refer to the DayOne Guides on Junos Automation (http://www.juniper.net/us/en/community/junos/script-automation/); check the Recommended Reading Section of this .
Hope this helps!
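
One way a `remove` op script like the one used above could be written, as an added example (the poster's own script is not shown on this page). It assumes the filter `block` and term `badhosts` from the output above, and it refuses to delete the last entry, because a term left with no match condition matches every packet and `then reject` would then apply to all traffic.

```slax
version 1.0;
ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
import "../import/junos.xsl";

/* Added example: filter "block" and term "badhosts" are taken from the output above. */
var $arguments = {
    <argument> {
        <name> "host";
        <description> "Enter the host ip address to be removed from the blocklist";
    }
}
param $host;

match / {
    <op-script-results> {
        /* The filter stores prefixes, so a bare address is treated as a /32. */
        var $prefix = { if (contains($host, "/")) { expr $host; } else { expr $host _ "/32"; } }
        var $conn = jcs:open();
        var $rpc = <get-configuration database="committed"> {
            <configuration> { <firewall>; }
        }
        var $cfg = jcs:execute($conn, $rpc);
        var $from = $cfg/firewall/family/inet/filter[name == "block"]/term[name == "badhosts"]/from;

        if (jcs:empty($host) || jcs:empty($from/source-address[name == $prefix])) {
            <xnm:error> { <message> "host missing or not in the blocklist: " _ $host; }
        }
        else if (count($from/source-address) == 1) {
            /* Deleting the last address leaves the term without a match
               condition, so it would match (and reject) every packet. */
            <xnm:error> { <message> "refusing to remove the last blocklist entry"; }
        }
        else {
            var $change = <configuration> {
                <firewall> { <family> { <inet> { <filter> {
                    <name> "block";
                    <term> {
                        <name> "badhosts";
                        <from> { <source-address delete="delete"> { <name> $prefix; } }
                    }
                } } } }
            }
            /* jcs:load-configuration locks, loads, commits and unlocks. */
            var $results := { call jcs:load-configuration($connection = $conn, $configuration = $change); }
            copy-of $results//xnm:error;
            if (jcs:empty($results//xnm:error)) { <output> "removed " _ $prefix _ " from filter block"; }
        }
        expr jcs:close($conn);
    }
}
```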