RE: Juniper router Fails

From: Dennis Ponne (dennis@tune-in.nl)
Date: Mon Jan 14 2002 - 13:12:30 EST


Thanks Guy and Paul,

It was a terrible mistake and I see now that what I had in mind won't
work. I forgot the term "and then accept".

Thanks for all your help!

Greetings,

Dennis Ponne
NetHolding BV

-----Original Message-----
From: Guy Davies [mailto:Guy.Davies@telindus.co.uk]
Sent: Monday 14 January 2002 16:23
To: 'Dennis Ponne'
Cc: 'juniper-nsp@puck.nether.net'
Subject: RE: Juniper router Fails

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Dennis,

Did you add the firewall filter Security after you last logged in?
If I'm reading it correctly, it will permit ftp and telnet from a
single source and reject *all* other traffic to the RE. This will
cause no end of problems. You need to add some denies to prevent all
other telnets/ftp getting through and then a default permit.

Something like this should do the trick...

firewall {
    filter Security {
        term 10 {
            from {
                source-address {
                    194.53.244.18/32;
                }
                protocol tcp;
                destination-port [ telnet ftp ];
            }
            then accept;
        }
        term 20 {
            from {
                protocol tcp;
                destination-port [ telnet ftp ];
            }
            then reject;
        }
        term default {
            then accept;
        }
    }
}

You've also got an entry for the broadcast address which is actually
specified as the network address (rather than the broadcast). You
really ought to fix that.

Regards,

Guy

> -----Original Message-----
> From: Dennis Ponne [mailto:dennis@garnierprojects.com]
> Sent: Monday, January 14, 2002 3:09 PM
> To: juniper-nsp@puck.nether.net
> Subject: Juniper router Fails
>
>
> Hello,
>
> I have an M20 backbone router from Juniper and last Saturday I
> configured the FXP0 and I was able to ping it. But today when I started
> the router it wouldn't ping on any interface anymore.
>
> I have tried the FastEthernet ports and the gigabit LX interfaces but with
> no success. Does somebody know what this problem is?
>
> Here is my plain and simple configuration:
>
> version 4.0R3.1;
> system {
>     host-name ams01;
>     domain-name netholding.nl;
>     login {
>         class All {
>             permissions all;
>         }
>         user test {
>             uid 2000;
>             class All;
>             authentication {
>                 encrypted-password "$1$V8F2.$mA589tS.yvNbw7S2oOLzh/"; # SECRET-DATA
>             }
>         }
>     }
>     services {
>         telnet connection-limit 8;
>     }
>     syslog {
>         user * {
>             any emergency;
>             any emergency;
>         }
>         file messages {
>             any notice;
>             authorization info;
>         }
>     }
> }
> interfaces {
>     fxp0 {
>         unit 0 {
>             family inet {
>                 address 194.53.244.128/24 {
>                     broadcast 194.53.244.0;
>                     primary;
>                 }
>             }
>         }
>     }
>     lo0 {
>         unit 0 {
>             family inet {
>                 filter {
>                     input Security;
>                 }
>                 address 127.0.0.1/32;
>             }
>         }
>     }
> }
> firewall {
>     filter Security {
>         term 10 {
>             from {
>                 source-address {
>                     194.53.244.18/32;
>                 }
>                 destination-port [ telnet ftp ];
>             }
>             then accept;
>         }
>     }
> }
>
> Thanks in advance,
>
> Dennis Ponne
> NetHolding BV
>

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1

iQA/AwUBPEL3oY3dwu/Ss2PCEQLsCACeI9oMIO6z7w70tYBeCodx8gTh528AoJSm
tvs7TgRs10uil7lkWdXiTD/s
=Wz+M
-----END PGP SIGNATURE-----
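The exchange above turns on two properties of a Junos firewall filter applied to lo0: terms are evaluated top to bottom and the first match decides, and a packet matching no term hits the implicit discard at the end of the filter. The following simulator is an added example, not code from the thread or from Juniper; it models only the match conditions used in the two filters (a single /32 source, a protocol, a list of named destination ports), and the packets it evaluates are constructed samples, not captures from the router in question. It shows why even a ping from the management host was dropped by the filter as first posted, and what changes with the reply's version.

```python
"""
Added example: first-match evaluation of Junos-style stateless firewall
filter terms, with the implicit discard of unmatched packets. Simplified
model, constructed sample traffic; not a Juniper implementation.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str                      # source IPv4 address
    proto: str                    # "tcp", "udp", "icmp", ...
    dport: Optional[str] = None   # destination port name, None for ICMP


@dataclass
class Term:
    name: str
    action: str                                   # "accept", "reject" or "discard"
    source_address: Optional[str] = None          # single host, None = any source
    protocol: Optional[str] = None                # None = any protocol
    destination_port: Optional[List[str]] = None  # None = any port

    def matches(self, pkt: Packet) -> bool:
        # Every configured 'from' condition must hold; an absent one matches anything.
        if self.source_address is not None and pkt.src != self.source_address:
            return False
        if self.protocol is not None and pkt.proto != self.protocol:
            return False
        if self.destination_port is not None and pkt.dport not in self.destination_port:
            return False
        return True


def evaluate(terms: List[Term], pkt: Packet) -> str:
    """Return the action of the first matching term, or the implicit discard."""
    for term in terms:
        if term.matches(pkt):
            return term.action
    return "discard"  # implicit final action of a Junos firewall filter


# Filter Security as originally posted: one accept term and nothing else.
ORIGINAL = [
    Term("10", "accept", source_address="194.53.244.18",
         destination_port=["telnet", "ftp"]),
]

# Filter Security as suggested in the reply: explicit reject for other
# telnet/ftp, then a default accept so everything else still reaches the RE.
FIXED = [
    Term("10", "accept", source_address="194.53.244.18", protocol="tcp",
         destination_port=["telnet", "ftp"]),
    Term("20", "reject", protocol="tcp", destination_port=["telnet", "ftp"]),
    Term("default", "accept"),
]

# Constructed sample traffic towards the Routing Engine (addresses are illustrative).
PING_FROM_ADMIN = Packet("194.53.244.18", "icmp")
PING_FROM_OTHER = Packet("194.53.244.77", "icmp")
TELNET_ADMIN = Packet("194.53.244.18", "tcp", "telnet")
TELNET_OTHER = Packet("10.0.0.9", "tcp", "telnet")
BGP_PEER = Packet("194.53.244.1", "tcp", "bgp")


def compare(pkt: Packet) -> Dict[str, str]:
    """Evaluate one packet against both filters and return the two verdicts."""
    return {"original": evaluate(ORIGINAL, pkt), "fixed": evaluate(FIXED, pkt)}


if __name__ == "__main__":
    samples = [
        ("ping from admin host", PING_FROM_ADMIN),
        ("ping from other host", PING_FROM_OTHER),
        ("telnet from admin host", TELNET_ADMIN),
        ("telnet from other host", TELNET_OTHER),
        ("bgp session from peer", BGP_PEER),
    ]
    for label, pkt in samples:
        print(f"{label:24s} {compare(pkt)}")
```

With the original filter every packet that is not telnet/ftp from 194.53.244.18 falls off the end of the term list and is discarded, ICMP echo and routing-protocol sessions included, which is the symptom reported in the thread. With the suggested filter, telnet/ftp from other sources is rejected by term 20 and everything else is accepted by the default term. The model also preserves the distinction between `reject` (drop and send an ICMP unreachable back) and `discard` (drop silently), which matters when deciding how visible a control-plane filter should be to the sender.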




This archive was generated by hypermail 2b29 : Mon Aug 05 2002 - 10:42:38 EDT