If you only want them to have access to the internet and nothing else on that 172.16.0.0 private network, you could do this:
filter block-comm-a {
term 0-permit_traffic_a {
from {
destination-address {
172.16.0.0/24;
172.16.0.135/32 except;
172.16.0.152/32 except;
172.16.0.250/32 except;
}
}
then discard;
}
term 1000-implicit_allow {
then accept;
}
}
filter block-comm-b {
term 0-permit_traffic_b {
from {
destination-address {
172.16.0.0/24;
172.16.0.152/32 except;
172.16.0.250/32 except;
}
}
then discard;
}
term 1000-implicit_allow {
then accept;
}
}
Note the changes in the filter. The first term is denying all traffic to your 172.16.0.0/24 network except for the IP addresses listed, then permitting all traffic in the following term. Alternatively, you could create one more term on each of the first set of example filters that denies traffic to the rest of the 172.16.0.0/24 network and just modify the last term to 'accept'. Be aware that if you add terms, you need to re-order the terms properly using the 'insert' command. For further details, I suggest reading through the docs here:
http://www.juniper.net/techpubs/en_US/junos13.1/information-products/pathway-pages/config-guide-firewall-filter/config-guide-firewall-filter.html