[j-nsp] filtering ssh session from list of source ip address
Richard A Steenbergen
ras at e-gerbil.net
Mon Jan 3 16:16:09 EST 2005
On Mon, Jan 03, 2005 at 08:54:30PM +0000, David Gethings wrote:
> On Mon, 2005-01-03 at 11:23 -0600, Erik Sundberg wrote:
> > How would I go about filtering the source of an ssh session to an M40
> > from a list of subnets? I have created a firewall policy, but I don't know
> > how to apply it to all ssh sessions without putting a policy on each interface.
> It is conventional to login to the loopback interface address. If you
> follow that convention then just apply the filter to the loopback
> interface.
A filter on the loopback interface installs hardware (PFE-based) filters for
any packet that would travel to the routing engine, on the loopback IP(s)
as well as all of the local interface IPs.
For example, if you have interface ge-0/0/0 unit 0 family inet address
1.2.3.1/24, packets directed to 1.2.3.1 would match against loopback
filters and, if denied, would never be transmitted over the internal fxp1
to the RE.
--
Richard A Steenbergen <ras at e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
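A configuration sketch of the approach discussed in this thread, added here as an example (it is not configuration posted by anyone in the thread); the filter name, prefix-list name, counter name and subnets are placeholders:

```junos
/* Added example: restrict SSH to the routing engine to a list of
   management subnets by filtering on lo0, so the same filter covers
   SSH to every local interface address (placeholder names and prefixes). */
policy-options {
    prefix-list ssh-allowed-sources {
        192.0.2.0/24;
        198.51.100.0/24;
    }
}
firewall {
    family inet {
        filter protect-re {
            term allow-ssh-from-mgmt {
                from {
                    source-prefix-list {
                        ssh-allowed-sources;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term drop-other-ssh {
                from {
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    count ssh-denied;
                    log;
                    discard;
                }
            }
            /* A Junos filter ends in an implicit discard; without this
               term the filter would also drop routing protocols, SNMP,
               NTP and everything else destined to the RE. */
            term allow-everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

Apply with `commit confirmed` so a mistake in the allowed-source list cannot lock you out permanently, and watch the `ssh-denied` counter to confirm rejected attempts are hitting the expected term.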