firewall {
    family inet {
        replace:
        /*
        ** $Id: ./filters/sample_tug_wlc_fw.jcl $
        ** $Date: 2015/03/26 $
        **
        ** this is a sample output filter that generates
        ** multiplatform for tug wlc protection
        */
        filter fw_tug_wlc_protect {
            interface-specific;
            term permit-icmp {
                from {
                    destination-address {
                        109.105.104.16/28; /* Wireless Controller net */
                    }
                    protocol icmp;
                }
                then {
                    accept;
                }
            }
            term permit-traceroute {
                from {
                    destination-address {
                        109.105.104.16/28; /* Wireless Controller net */
                    }
                    protocol udp;
                    destination-port 33434-33534;
                }
                then {
                    accept;
                }
            }
            term permit-NORDUnet {
                from {
                    source-address {
                        109.105.96.0/19;
                        130.242.82.30/32; /* AP FRE POP */
                        130.242.121.137/32; /* AP LULE POP */
                        193.10.252.0/24;
                        193.10.254.0/24;
                        193.11.3.0/24;
                        194.68.13.0/24;
                    }
                    destination-address {
                        109.105.104.16/28; /* Wireless Controller net */
                    }
                }
                then {
                    accept;
                }
            }
            term default-deny {
                then {
                    discard;
                }
            }
        }
    }
}