
Re: VLAN firewall filter issue on EX switch


I tried:

---

set firewall family inet filter eveo_in2 term allow_dst_srv01 from source-address 0.0.0.0/0
set firewall family inet filter eveo_in2 term allow_dst_srv01 from destination-address 172.16.100.10/32
set firewall family inet filter eveo_in2 term allow_dst_srv01 from protocol icmp
set firewall family inet filter eveo_in2 term allow_dst_srv01 from protocol tcp
set firewall family inet filter eveo_in2 term allow_dst_srv01 from destination-port 22
set firewall family inet filter eveo_in2 term allow_dst_srv01 from destination-port 80
set firewall family inet filter eveo_in2 term allow_dst_srv01 then count allow_dst_srv01
set firewall family inet filter eveo_in2 term allow_dst_srv01 then accept
set firewall family inet filter eveo_in2 term allow_src_srv01 from source-address 0.0.0.0/0
set firewall family inet filter eveo_in2 term allow_src_srv01 from destination-address 172.16.100.10/32
set firewall family inet filter eveo_in2 term allow_src_srv01 from protocol tcp
set firewall family inet filter eveo_in2 term allow_src_srv01 from protocol udp
set firewall family inet filter eveo_in2 term allow_src_srv01 from protocol icmp
set firewall family inet filter eveo_in2 term allow_src_srv01 from source-port 1-1023
set firewall family inet filter eveo_in2 term allow_src_srv01 from source-port 1024-49151
set firewall family inet filter eveo_in2 term allow_src_srv01 then count allow_src_srv01
set firewall family inet filter eveo_in2 term allow_src_srv01 then accept

set firewall family inet filter eveo_in2 term Deny_Access from source-address 0.0.0.0/0
set firewall family inet filter eveo_in2 term Deny_Access from destination-address 172.16.100.10/32
set firewall family inet filter eveo_in2 term Deny_Access then count Deny_Access
set firewall family inet filter eveo_in2 term Deny_Access then discard
set firewall family inet filter eveo_in2 term Default then accept

---

But this way the input is also being allowed through term allow_src_srv01.

For example, if the server at IP 172.16.100.10 has port 8000 running and that port isn't allowed in term allow_dst_srv01, access is still allowed through term allow_src_srv01.

---

From the server on the LAN

# ip a show dev bond0 |grep inet |grep -v inet6
inet 172.16.100.10/24 brd 172.16.100.255 scope global bond0
# python -m BaseHTTPServer 8000
Serving HTTP on 0.0.0.0 port 8000 ...

---

From my note

$ ip a show dev enp11s0 |grep inet |grep -v inet6
inet 192.168.0.151/24 brd 192.168.0.255 scope global dynamic enp11s0
$ telnet 172.16.100.10 8000
Trying 172.16.100.10...
Connected to 172.16.100.10.
Escape character is '^]'.

---

From EX

# run clear firewall all
# run show firewall filter eveo_in2

Filter: eveo_in2
Counters:
Name                 Bytes    Packets
Deny_Access              0          0
allow_dst_srv01          0          0
allow_src_srv01        148          2

Thank you
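As an added illustration of why the counters above land on allow_src_srv01 (example code written for this page, not code from the original post and not Junos itself), the following Python model walks a packet through the three terms of eveo_in2 the way a Junos stateless filter does: terms in configuration order, first match wins, values of the same match condition ORed, different conditions ANDed. With those rules the second term matches any TCP or UDP packet to 172.16.100.10 whose source port is between 1 and 49151, which covers a large share of client ephemeral ports, so it acts as a near-wildcard accept placed in front of Deny_Access. The sample packets, the client source ports 40000 and 55000, and the second host 172.16.100.20 are constructed for the example; the treatment of port conditions for ICMP is a modelling assumption.

```python
# Added example for this thread (not from the original post, not Junos code):
# a small model of Junos stateless firewall-filter term evaluation, used to
# trace why a telnet to port 8000 is counted by allow_src_srv01.
#
# Semantics modelled:
#   * terms are evaluated in configuration order; the first term whose
#     conditions are all satisfied applies its action
#   * several values of one match condition ("protocol tcp", "protocol udp")
#     are ORed
#   * different match conditions inside one term are ANDed
#   * a term with no "from" clause matches everything
#   * a port condition does not match a packet without ports (ICMP); this
#     edge case is an assumption of the model, not shown on the page
import ipaddress


def _in_ranges(value, ranges):
    return any(lo <= value <= hi for lo, hi in ranges)


def _in_prefixes(addr, prefixes):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)


MATCHERS = {
    "source-address": lambda p, v: _in_prefixes(p["src"], v),
    "destination-address": lambda p, v: _in_prefixes(p["dst"], v),
    "protocol": lambda p, v: p["proto"] in v,
    "source-port": lambda p, v: "sport" in p and _in_ranges(p["sport"], v),
    "destination-port": lambda p, v: "dport" in p and _in_ranges(p["dport"], v),
}


def term_matches(term, pkt):
    """All conditions ANDed; the value list of each condition is ORed."""
    return all(MATCHERS[cond](pkt, vals) for cond, vals in term["from"].items())


def evaluate(terms, pkt):
    """Return (term_name, action) of the first matching term.
    A packet that no term matches is implicitly discarded by Junos."""
    for term in terms:
        if term_matches(term, pkt):
            return term["name"], term["then"]
    return None, "discard"


# Transcription of filter eveo_in2 from the post, in configuration order.
ANY = ["0.0.0.0/0"]
SRV01 = ["172.16.100.10/32"]
EVEO_IN2 = [
    {"name": "allow_dst_srv01",
     "from": {"source-address": ANY, "destination-address": SRV01,
              "protocol": ["icmp", "tcp"],
              "destination-port": [(22, 22), (80, 80)]},
     "then": "accept"},
    {"name": "allow_src_srv01",
     "from": {"source-address": ANY, "destination-address": SRV01,
              "protocol": ["tcp", "udp", "icmp"],
              "source-port": [(1, 1023), (1024, 49151)]},
     "then": "accept"},
    {"name": "Deny_Access",
     "from": {"source-address": ANY, "destination-address": SRV01},
     "then": "discard"},
    {"name": "Default", "from": {}, "then": "accept"},
]


def tcp(src, sport, dst, dport):
    """Constructed sample packet (not captured traffic)."""
    return {"src": src, "dst": dst, "proto": "tcp", "sport": sport, "dport": dport}


# The telnet from the post: the client picks an ephemeral source port.
# 40000 (assumed value) lies inside 1024-49151, so the second term accepts
# the packet before Deny_Access is ever consulted.
PORT_8000 = tcp("192.168.0.151", 40000, "172.16.100.10", 8000)
# Same connection attempt from a higher ephemeral port: only Deny_Access matches.
PORT_8000_HIGH = tcp("192.168.0.151", 55000, "172.16.100.10", 8000)
# SSH to the server is caught by the intended first term.
PORT_22 = tcp("192.168.0.151", 40000, "172.16.100.10", 22)
# Traffic to another host (assumed address) falls through to Default.
OTHER_HOST = tcp("192.168.0.151", 40000, "172.16.100.20", 8000)

if __name__ == "__main__":
    for label, pkt in [("port 8000, sport 40000", PORT_8000),
                       ("port 8000, sport 55000", PORT_8000_HIGH),
                       ("port 22", PORT_22),
                       ("other host", OTHER_HOST)]:
        print(f"{label:24s} -> {evaluate(EVEO_IN2, pkt)}")
```

The model reproduces the observed counters: the port 8000 connection is accepted by allow_src_srv01 and never reaches Deny_Access. It also shows that the outcome depends on the client's ephemeral port rather than on the server port: the Linux default ephemeral range (32768 to 60999 on current kernels) straddles the 49151 boundary, so the same test would be discarded from a port above 49151 and accepted from one below it. A stateless filter cannot tell a reply from a new connection by source port alone, which is why a term meant for "traffic from the server" should key on the server as source-address rather than on the client's port.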