Correcting myself here--the ex2200 doesn't support named ports, you have to specify numerically. The 'port [ ssh telnet ]' specification was ignored as indicated, leaving the filter with only the tcp term.
set interfaces ge-0/1/0 unit 0 family inet filter input local_acl set interfaces ge-0/1/0 unit 0 family inet address 2.2.2.2/30 set interfaces vlan unit 71 family inet filter input local_acl set interfaces vlan unit 71 family inet address 1.1.1.1/24 set policy-options prefix-list external_ips 1.1.1.1/32 set policy-options prefix-list external_ips 2.2.2.2/32 set firewall family inet filter local_acl term terminal_access from source-address 10.0.0.0/8 set firewall family inet filter local_acl term terminal_access from destination-prefix-list external_ips set firewall family inet filter local_acl term terminal_access from protocol tcp set firewall family inet filter local_acl term terminal_access from destination-port 22 set firewall family inet filter local_acl term terminal_access from destination-port 23 set firewall family inet filter local_acl term terminal_access then accept set firewall family inet filter local_acl term terminal_access_denied from destination-prefix-list external_ips set firewall family inet filter local_acl term terminal_access_denied from protocol tcp set firewall family inet filter local_acl term terminal_access_denied from destination-port 22 set firewall family inet filter local_acl term terminal_access_denied from destination-port 23 set firewall family inet filter local_acl term terminal_access_denied then log set firewall family inet filter local_acl term terminal_access_denied then discard set firewall family inet filter local_acl term default-term then accept