[j-nsp] filtering ssh session from list of source ip address
Roberts, Michael J. (IATS)
RobertsMJ at missouri.edu
Mon Jan 3 12:26:53 EST 2005
I assume you are wanting to control SSH access to the RE. This is applied
to lo0 on our M20s. Works pretty darn well. Keeps a hit count on the
nasties as well.
Otherwise if you apply to all interfaces, you are controlling SSH session
packets that your M40 routes. I could be mistaken on that logic though...
-mike
term 10 {
    from {
        source-address {
            xxx.xxx.xxx.xxx/yy;
        }
        port [ domain ssh snmp snmptrap ];
    }
    then {
        count cli;
        accept;
    }
}
term 20 {
    from {
        port ssh;
    }
    then {
        count cli_reject;
        discard;
    }
}
term 30 {
    then accept;
}
-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Erik Sundberg
Sent: Monday, January 03, 2005 11:24 AM
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] filtering ssh session from list of source ip address
Hello,
How would I go about filtering the source of an SSH session to an M40 from a
list of subnets? I have created a firewall policy, but I don't know how to apply
it to all SSH sessions without putting a policy on each interface.
I don't need to limit the number of SSH connections/sessions to the M40.
M40, JunOS 5.7, SCB, Internet Processor II
This is the policy that I created:
filter ssh-local {
    term 10 {
        from {
            source-address {
                192.168.0.0/24;
                192.168.1.0/24;
            }
        }
        then accept;
    }
    term 50 {
        then {
            discard;
        }
    }
}
Thanks in advance
erik
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
http://puck.nether.net/mailman/listinfo/juniper-nsp
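Putting the two posts together, as an added example that is not from either poster and was not tested on the JunOS 5.7 release Erik mentions: Erik's two subnets in a filter shaped like Mike's, applied as an input filter on lo0 so it governs traffic to the RE without touching transit interfaces. The filter name protect-re and the counter names ssh-accept and ssh-reject are assumptions; the 192.168.x.x subnets are the constructed values from Erik's post.

```junos
firewall {
    filter protect-re {
        /* SSH to the RE from the management subnets: count and allow */
        term allow-ssh-from-mgmt {
            from {
                source-address {
                    192.168.0.0/24;
                    192.168.1.0/24;
                }
                protocol tcp;
                destination-port ssh;
            }
            then {
                count ssh-accept;
                accept;
            }
        }
        /* SSH to the RE from anywhere else: count, log and drop */
        term drop-other-ssh {
            from {
                protocol tcp;
                destination-port ssh;
            }
            then {
                count ssh-reject;
                log;
                discard;
            }
        }
        /* Everything else (BGP, OSPF, SNMP, DNS, ...) still reaches the RE */
        term allow-rest {
            then accept;
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

Matching on destination-port rather than port keeps replies to SSH sessions the router itself originates (source port 22) out of the reject term, and the trailing accept is what stops the filter from silently killing routing protocol traffic to the RE; check "show firewall filter protect-re" for the two counters.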