[j-nsp] filtering ssh session from list of source ip address

Roberts, Michael J. (IATS) RobertsMJ at missouri.edu
Mon Jan 3 12:26:53 EST 2005


I assume you are wanting to control SSH access to the RE.  This is applied
to lo0 on our M20s.  Works pretty darn well.  Keeps a hit count on the
nasties as well.

Otherwise, if you apply it to all interfaces, you are controlling SSH session
packets that your M40 routes.  I could be mistaken on that logic though...

-mike

term 10 {
    from {
        source-address {
            xxx.xxx.xxx.xxx/yy;
        }
        port [ domain ssh snmp snmptrap ];
    }
    then {
        count cli;
        accept;
    }
}
term 20 {
    from {
        port ssh;
    }
    then {
        count cli_reject;
        discard;
    }
}
term 30 {
    then accept;
}

-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Erik Sundberg
Sent: Monday, January 03, 2005 11:24 AM
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] filtering ssh session from list of source ip address

Hello,

How would I go about filtering the source of an ssh session to an m40 from a
list of subnets? I have created a firewall policy, but I don't know how to apply
it to all ssh sessions without putting a policy on each interface.

I don't need to limit the number of ssh connections/sessions to the m40.

m40, junos 5.7, scb Internet Processor II

This is the policy that I created:

filter ssh-local {
    term 10 {
        from {
            source-address {
                192.168.0.0/24;
                192.168.1.0/24;
            }
        }
        then accept;
    }
    term 50 {
        then {
            discard;
        }
    }
}


Thanks in advance

erik



_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
http://puck.nether.net/mailman/listinfo/juniper-nsp
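The two configs above are fragments: Erik's filter is never attached to an interface, and Mike's terms are shown without their enclosing filter. Below is a complete, added example (not from either poster) that combines them into one filter, built from Erik's prefix list and Mike's accept/count/discard structure, and applies it as an input filter on lo0 unit 0 so it only governs traffic destined for the Routing Engine rather than transit traffic. The filter name `protect-re`, the term names and the counter names are assumptions; the prefixes are the ones Erik posted.

```junos
/* Added example, not from the thread. Names protect-re, allow-mgmt-ssh,
   drop-other-ssh, allow-rest and the counter names are assumed. */
firewall {
    filter protect-re {
        /* SSH to the RE only from the management subnets Erik listed */
        term allow-mgmt-ssh {
            from {
                source-address {
                    192.168.0.0/24;
                    192.168.1.0/24;
                }
                protocol tcp;
                destination-port ssh;
            }
            then {
                count ssh-accept;
                accept;
            }
        }
        /* Every other SSH attempt at the RE: count it, log it, drop it */
        term drop-other-ssh {
            from {
                protocol tcp;
                destination-port ssh;
            }
            then {
                count ssh-reject;
                log;
                discard;
            }
        }
        /* Leave routing protocols, SNMP, NTP, etc. untouched; without this
           term the implicit discard at the end of the filter would isolate
           the box */
        term allow-rest {
            then accept;
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

Two points worth noting when adapting this. First, the example matches on `destination-port ssh` rather than Mike's `port ssh`: `port` matches either the source or the destination port, so a lo0 filter using it would also discard the reply packets (source port 22) of SSH sessions the router itself opens to other hosts. Second, attach the filter to lo0 before you commit, and use `commit confirmed` so a mistake that locks out management rolls back on its own; afterwards `show firewall filter protect-re` shows the per-term counters, and the `log` action in the reject term gives you a record of who is knocking (`show firewall log`).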
