[j-nsp] access-class ?

Bostjan Fele bostjan.fele at smart-com.si
Mon May 16 07:19:44 EDT 2005


You can configure a filter on the loopback interface. In the filter, specify a term
that accepts telnet/ssh from the allowed sources, a second term that discards all
other telnet/ssh traffic, and a last term that accepts all other traffic. The last
term is important because of routing updates (BGP, LDP, ...), which you probably do
not want to filter out.

Here is a sample config which is probably overkill:
firewall {
    family inet {
        filter protect {
            term Telnet {
                from {
                    source-address {
                        10.0.0.0/24;
                        10.0.1.0/24;
                        10.0.11.0/24;
                        10.0.12.0/24;
                        10.0.15.0/24;
                        192.9.100.0/24;
                        192.9.101.0/24;
                        192.9.102.0/24;
                        10.0.13.0/24;
                        192.9.110.0/24;
                    }
                    protocol tcp;
                    destination-port telnet;
                }
                then accept;
            }
            term SSH {
                from {
                    source-address {
                        10.0.0.0/24;
                        10.0.1.0/24;
                        10.0.11.0/24;
                        10.0.12.0/24;
                        10.0.15.0/24;
                        192.9.100.0/24;
                        192.9.101.0/24;
                        192.9.102.0/24;
                        195.250.196.0/24;
                        10.0.13.0/24;
                        192.9.110.34/32;
                        192.9.110.33/32;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term SNMP {
                from {
                    source-address {
                        192.9.100.0/24;
                        192.9.101.0/24;
                        192.9.102.0/24;
                        192.9.110.33/32;
                        192.9.110.34/32;
                    }
                    protocol udp;
                    destination-port snmp;
                }
                then accept;
            }
            term ntp {
                from {
                    source-address {
                        192.9.101.20/32;
                        127.0.0.1/32;
                    }
                    protocol udp;
                }
                then {
                    count NTP;
                    accept;
                }
            }
            term FTP {
                from {
                    source-address {
                        10.0.0.0/24;
                        10.0.1.0/24;
                        10.0.11.0/24;
                        10.0.12.0/24;
                        10.0.15.0/24;
                        192.9.100.0/24;
                        192.9.101.0/24;
                        192.9.102.0/24;
                        inactive: 195.250.196.0/24;
                        10.0.13.0/24;
                        192.9.110.33/32;
                        192.9.110.34/32;
                    }
                    protocol tcp;
                    port [ ftp ftp-data ];
                }
                then accept;
            }
            term BGP {
                from {
                    protocol tcp;
                    destination-port bgp;
                }
                then accept;
            }
            term OSPF {
                from {
                    protocol ospf;
                }
                then accept;
            }
            term ICMP {
                from {
                    protocol icmp;
                }
                then accept;
            }
            term RSVP {
                from {
                    protocol rsvp;
                }
                then accept;
            }
            term Established {
                from {
                    protocol tcp;
                    tcp-established;
                }
                then accept;
            }
            term Discard_plus_Log {
                then {
                    count Discard;
                    syslog;
                    discard;
                }
            }
        }
    }
}

interfaces {
replace:
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect;
                }
                address X.X.X.X/32;
            }
        }
    }
}

Regards,
Bostjan



-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net]On Behalf Of Valery Yastrebov
Sent: Monday, May 16, 2005 1:05 PM
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] access-class ?

Hello! How can I configure permission only for defined users to telnet to the M7i?

I mean, what is the equivalent of the command "access-class" on line vty 0 4 (on
Cisco)?

_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
http://puck.nether.net/mailman/listinfo/juniper-nsp
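The filter in the reply above works because Junos evaluates a firewall filter term by term and the first term whose conditions all match decides the packet's fate; a packet that matches no term hits the implicit final discard, which is why the routing protocols need explicit accept terms. The following Python model is an added example, not Junos code and not part of the original post. It implements that first-match rule for the match conditions the posted filter uses (source-address, protocol, destination-port, port, tcp-established), with a constructed two-prefix management list standing in for the long source lists, and it also contrasts the posted term order with the prose recipe of putting an explicit telnet/ssh discard before the tcp-established catch-all:

```python
"""Toy first-match evaluator for a Junos-style lo0 input filter.

Added example, not Junos or the poster's code. It models only the match
conditions used in the posted 'protect' filter (source-address, protocol,
destination-port, port, tcp-established) and Junos' rule that a packet is
handled by the first term whose conditions all match; a packet matching no
term hits the implicit final discard.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Well-known port numbers for the service names used in the filter.
IANA = {"ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23, "snmp": 161, "bgp": 179}


@dataclass
class Packet:
    src: str                     # source IPv4 address
    proto: str                   # "tcp", "udp", "icmp", "ospf", ...
    dport: Optional[int] = None
    sport: Optional[int] = None
    established: bool = False    # TCP ACK or RST bit set (Junos tcp-established)


@dataclass
class Term:
    name: str
    action: str                                          # "accept" or "discard"
    source_address: list = field(default_factory=list)   # CIDR prefixes
    protocol: Optional[str] = None
    destination_port: set = field(default_factory=set)
    port: set = field(default_factory=set)   # Junos 'port' matches source OR destination
    tcp_established: bool = False

    def matches(self, pkt: Packet) -> bool:
        """All configured conditions must hold for the term to match."""
        if self.source_address:
            src = ipaddress.ip_address(pkt.src)
            if not any(src in ipaddress.ip_network(p) for p in self.source_address):
                return False
        if self.protocol and pkt.proto != self.protocol:
            return False
        if self.destination_port and pkt.dport not in self.destination_port:
            return False
        if self.port and pkt.sport not in self.port and pkt.dport not in self.port:
            return False
        if self.tcp_established and not pkt.established:
            return False
        return True


def evaluate(terms, pkt):
    """Return (term name, action) of the first matching term, or the implicit discard."""
    for t in terms:
        if t.matches(pkt):
            return t.name, t.action
    return "implicit-default", "discard"


# Constructed management prefixes standing in for the lists in the posted filter.
MGMT = ["10.0.0.0/24", "192.9.100.0/24"]

# Same term order as the posted 'protect' filter (abridged).
PROTECT = [
    Term("Telnet", "accept", MGMT, "tcp", destination_port={IANA["telnet"]}),
    Term("SSH", "accept", MGMT, "tcp", destination_port={IANA["ssh"]}),
    Term("SNMP", "accept", ["192.9.100.0/24"], "udp", destination_port={IANA["snmp"]}),
    Term("FTP", "accept", MGMT, "tcp", port={IANA["ftp"], IANA["ftp-data"]}),
    Term("BGP", "accept", protocol="tcp", destination_port={IANA["bgp"]}),
    Term("OSPF", "accept", protocol="ospf"),
    Term("ICMP", "accept", protocol="icmp"),
    Term("Established", "accept", protocol="tcp", tcp_established=True),
    Term("Discard_plus_Log", "discard"),
]

# Variant following the prose recipe: an explicit discard for the management
# ports from any other source sits *before* the tcp-established catch-all.
HARDENED = PROTECT[:2] + [
    Term("Mgmt_deny", "discard", protocol="tcp",
         destination_port={IANA["telnet"], IANA["ssh"]}),
] + PROTECT[2:]


def demo():
    """Evaluate a few constructed packets against both term orderings."""
    ssh_in = Packet("10.0.0.5", "tcp", dport=22)                        # allowed admin
    ssh_out = Packet("203.0.113.9", "tcp", dport=22)                    # unlisted source
    bgp_syn = Packet("203.0.113.9", "tcp", dport=179)                   # peer opening a session
    telnet_ack = Packet("203.0.113.9", "tcp", dport=23, established=True)
    ftp_src = Packet("10.0.0.5", "tcp", sport=20, dport=8080)           # source port 20 only
    no_bgp_term = [t for t in PROTECT if t.name not in ("BGP", "Discard_plus_Log")]
    return {
        "ssh_in": evaluate(PROTECT, ssh_in),
        "ssh_out": evaluate(PROTECT, ssh_out),
        "bgp_syn": evaluate(PROTECT, bgp_syn),
        "bgp_syn_no_term": evaluate(no_bgp_term, bgp_syn),
        "telnet_ack": evaluate(PROTECT, telnet_ack),
        "telnet_ack_hardened": evaluate(HARDENED, telnet_ack),
        "ftp_src": evaluate(PROTECT, ftp_src),
    }


if __name__ == "__main__":
    for name, (term, action) in demo().items():
        print(f"{name:22} -> term {term!r}: {action}")
```

Two things the run makes visible that the config alone does not. First, the posted order relies on the SYN of an unwanted telnet/ssh connection being discarded: a segment with ACK set from an unlisted source falls through to the Established term and is accepted, so no session can be set up, but the discard counter and syslog only see the SYN; the HARDENED order from the prose recipe discards every management-port segment from unlisted sources before the catch-all, which is the stricter and more observable arrangement. Second, Junos `port` matches either the source or the destination port, so the FTP term as written also accepts any TCP segment from a management prefix whose source port happens to be 20 or 21; `destination-port` is the tighter match unless source-port matching is intended.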


