[j-nsp] access-class ?
Valery Yastrebov
yastrebov at activetelecom.ru
Mon May 16 07:23:07 EDT 2005
We can telnet not only to fxp0 or lo0? Does it mean that it's necessary
to apply the filter to every interface?
-----Original Message-----
From: Erdem Sener [mailto:erdems at gmail.com]
Sent: Monday, May 16, 2005 3:18 PM
To: Valery Yastrebov
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] access-class ?
Hi,
You need to build a firewall filter and apply it to your loopback
interface. When building such a filter, you also need to take into
account the other permissions that the router will require to perform its
normal operation (such as bgp, rsvp, snmp, etc.).
A sample config might look like this:
[edit firewall family inet filter Router-Filter]
term accept-admins {
    from {
        source-address {
            172.16.5.5/32;
            192.168.0.0/24;
        }
    }
    then accept;
}
term accept-ssh {
    from {
        source-address {
            10.10.10.11/32;
        }
        protocol tcp;
        port 22;
    }
    then accept;
}
term accept-telnet {
    from {
        source-address {
            11.11.11.12/32;
        }
        destination-port telnet;
    }
    then accept;
}
term accept-established {
    from {
        tcp-established;
    }
    then accept;
}
term accept-dns {
    from {
        source-port domain;
    }
    then accept;
}
term accept-ospf {
    from {
        protocol ospf;
    }
    then accept;
}
term accept-bgp {
    from {
        destination-port bgp;
    }
    then accept;
}
term accept-icmp {
    from {
        protocol icmp;
    }
    then accept;
}
term accept-snmp {
    from {
        source-address {
            10.4.4.4/32;
            10.5.5.11/32;
        }
        destination-port snmp;
    }
    then accept;
}
term accept-rsvp {
    from {
        protocol rsvp;
    }
    then accept;
}
term accept-ldp {
    from {
        protocol [ tcp udp ];
        source-port ldp;
    }
    then accept;
}
term all-the-rest-to-the-router-itself {
    then {
        discard;
        syslog; ## Just to see what you're discarding.
    }
}
and then under [edit interfaces lo0] you should type:
set unit 0 family inet filter input Router-Filter
I would suggest 'commit confirmed x' at that point, to avoid any
connectivity loss to the box.
Cheers,
Erdem
On 5/16/05, Valery Yastrebov <yastrebov at activetelecom.ru> wrote:
> Hello! How can I configure permission only for defined users to telnet to
> the M7i?
>
> I mean, what is the equivalent of the command "access-class" on line vty 0
> 4 (on Cisco)?
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp
>
--
-erdem
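An added example, not part of the thread and not Junos code: a small Python first-match evaluator for an lo0 input filter, loaded with the terms of Erdem's Router-Filter in the order posted and probed with constructed packets. It shows that a new telnet connection from an address outside the listed sources falls through to the final discard term, and it surfaces two caveats a reviewer would check before committing such a filter: `tcp-established` matches any TCP segment carrying the ACK or RST flag regardless of its source, and terms such as `accept-bgp` and `accept-dns` carry no source-address condition at all. The class and function names (`Term`, `Packet`, `evaluate`, `audit`, `telnet_syn`) and the probe addresses in 198.51.100.0/24 are assumptions of this example; the prefixes and term order mirror the posted config. An input filter on lo0 is evaluated for traffic addressed to the Routing Engine whichever physical interface it arrives on, which is why the thread applies it there rather than per interface.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Service names used in the filter, resolved as Junos resolves them.
PORTS = {"ssh": 22, "telnet": 23, "domain": 53, "snmp": 161, "bgp": 179, "ldp": 646}


@dataclass
class Packet:
    """A packet addressed to the Routing Engine (all values are constructed)."""
    src: str
    proto: str                      # "tcp", "udp", "icmp", "ospf", "rsvp"
    dst_port: int | None = None
    src_port: int | None = None
    tcp_established: bool = False   # ACK or RST flag set (what tcp-established matches)


@dataclass
class Term:
    """One term of a family inet filter: every listed 'from' condition must match."""
    name: str
    action: str                                     # "accept" or "discard"
    source_address: list[str] = field(default_factory=list)
    protocol: list[str] = field(default_factory=list)
    destination_port: list[int] = field(default_factory=list)
    source_port: list[int] = field(default_factory=list)
    port: list[int] = field(default_factory=list)   # 'port' matches either direction
    tcp_established: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.source_address and not any(
                ip_address(pkt.src) in ip_network(p) for p in self.source_address):
            return False
        if self.protocol and pkt.proto not in self.protocol:
            return False
        if self.destination_port and pkt.dst_port not in self.destination_port:
            return False
        if self.source_port and pkt.src_port not in self.source_port:
            return False
        if self.port and pkt.dst_port not in self.port and pkt.src_port not in self.port:
            return False
        if self.tcp_established and not (pkt.proto == "tcp" and pkt.tcp_established):
            return False
        return True


def evaluate(terms: list[Term], pkt: Packet) -> tuple[str, str]:
    """First matching term wins; an unmatched packet hits the implicit discard."""
    for term in terms:
        if term.matches(pkt):
            return term.name, term.action
    return "implicit-default", "discard"


# The thread's filter, transcribed term for term with the addresses as posted.
ROUTER_FILTER = [
    Term("accept-admins", "accept", source_address=["172.16.5.5/32", "192.168.0.0/24"]),
    Term("accept-ssh", "accept", source_address=["10.10.10.11/32"], protocol=["tcp"], port=[22]),
    Term("accept-telnet", "accept", source_address=["11.11.11.12/32"],
         destination_port=[PORTS["telnet"]]),
    Term("accept-established", "accept", tcp_established=True),
    Term("accept-dns", "accept", source_port=[PORTS["domain"]]),
    Term("accept-ospf", "accept", protocol=["ospf"]),
    Term("accept-bgp", "accept", destination_port=[PORTS["bgp"]]),
    Term("accept-icmp", "accept", protocol=["icmp"]),
    Term("accept-snmp", "accept", source_address=["10.4.4.4/32", "10.5.5.11/32"],
         destination_port=[PORTS["snmp"]]),
    Term("accept-rsvp", "accept", protocol=["rsvp"]),
    Term("accept-ldp", "accept", protocol=["tcp", "udp"], source_port=[PORTS["ldp"]]),
    Term("all-the-rest-to-the-router-itself", "discard"),
]


def telnet_syn(src: str) -> Packet:
    """A new telnet connection attempt (SYN only, no ACK) from src."""
    return Packet(src, "tcp", dst_port=PORTS["telnet"], src_port=40000)


def audit(terms: list[Term]) -> dict[str, tuple[str, str]]:
    """Probe the filter with constructed packets; keys describe each probe."""
    probes = {
        "telnet from listed host": telnet_syn("11.11.11.12"),
        "telnet from admin subnet": telnet_syn("192.168.0.7"),
        "telnet from unlisted host": telnet_syn("198.51.100.9"),
        "ssh from unlisted host": Packet("198.51.100.9", "tcp", dst_port=22, src_port=40001),
        # Caveat: tcp-established accepts ACK/RST-flagged segments from any source.
        "ack-flagged tcp to port 23 from unlisted host":
            Packet("198.51.100.9", "tcp", dst_port=23, src_port=40002, tcp_established=True),
        # Caveat: accept-bgp has no source-address condition.
        "bgp from unlisted host": Packet("198.51.100.9", "tcp", dst_port=179, src_port=40003),
        # Caveat: accept-dns matches on source port alone, so sport 53 reaches any RE port.
        "udp from sport 53 to port 161 from unlisted host":
            Packet("198.51.100.9", "udp", dst_port=161, src_port=53),
    }
    return {label: evaluate(terms, pkt) for label, pkt in probes.items()}


if __name__ == "__main__":
    for label, (term, action) in audit(ROUTER_FILTER).items():
        print(f"{label:52s} -> {action:8s} (term {term})")
```

Running the script prints one line per probe; the discard for the unlisted telnet source is the behaviour the original question asks for, while the three accepted probes from 198.51.100.9 are the terms worth tightening with source-address (or, for the BGP term, with the configured peer addresses) before the filter is committed.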