[j-nsp] access-class ?

Valery Yastrebov yastrebov at activetelecom.ru
Mon May 16 08:21:41 EDT 2005


You've permitted only specific types of traffic: telnet, ssh, snmp, ntp
etc.
And:
"If you apply the filter to the loopback interface, it is valid for all
connections directly to any of the router's interfaces; you don't need
to configure every possible access point."

If so, will all other types of traffic passing through any physical interface
(except those defined in the filter's rules) be discarded????




You can configure a filter on the loopback interface. In the filter, specify a term
for telnet/ssh to accept, in a second term discard all other telnet/ssh
traffic, and in the last term accept all other traffic. The last term is important
because of routing updates (BGP, LDP, ...), and you probably do not want to
filter those out.

Here is a sample config which is probably an overkill:
firewall {
    family inet {
        filter protect {
            term Telnet {
                from {
                    source-address {
                        10.0.0.0/24;
                        10.0.1.0/24;
                        10.0.11.0/24;
                        10.0.12.0/24;
                        10.0.15.0/24;
                        192.9.100.0/24;
                        192.9.101.0/24;
                        192.9.102.0/24;
                        10.0.13.0/24;
                        192.9.110.0/24;
                    }
                    protocol tcp;
                    destination-port telnet;
                }
                then accept;
            }
            term SSH {
                from {
                    source-address {
                        10.0.0.0/24;
                        10.0.1.0/24;
                        10.0.11.0/24;
                        10.0.12.0/24;
                        10.0.15.0/24;
                        192.9.100.0/24;
                        192.9.101.0/24;
                        192.9.102.0/24;
                        195.250.196.0/24;
                        10.0.13.0/24;
                        192.9.110.34/32;
                        192.9.110.33/32;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term SNMP {
                from {
                    source-address {
                        192.9.100.0/24;
                        192.9.101.0/24;
                        192.9.102.0/24;
                        192.9.110.33/32;
                        192.9.110.34/32;
                    }
                    protocol udp;
                    destination-port snmp;
                }
                then accept;
            }
            term ntp {
                from {
                    source-address {
                        192.9.101.20/32;
                        127.0.0.1/32;
                    }
                    protocol udp;
                }
                then {
                    count NTP;
                    accept;
                }
            }
            term FTP {
                from {
                    source-address {
                        10.0.0.0/24;
                        10.0.1.0/24;
                        10.0.11.0/24;
                        10.0.12.0/24;
                        10.0.15.0/24;
                        192.9.100.0/24;
                        192.9.101.0/24;
                        192.9.102.0/24;
                        inactive: 195.250.196.0/24;
                        10.0.13.0/24;
                        192.9.110.33/32;
                        192.9.110.34/32;
                    }
                    protocol tcp;
                    port [ ftp ftp-data ];
                }
                then accept;
            }
            term BGP {
                from {
                    protocol tcp;
                    destination-port bgp;
                }
                then accept;
            }
            term OSPF {
                from {
                    protocol ospf;
                }
                then accept;
            }
            term ICMP {
                from {
                    protocol icmp;
                }
                then accept;
            }
            term RSVP {
                from {
                    protocol rsvp;
                }
                then accept;
            }
            term Established {
                from {
                    protocol tcp;
                    tcp-established;
                }
                then accept;
            }
            term Discard_plus_Log {
                then {
                    count Discard;
                    syslog;
                    discard;
                }
            }
        }
    }
}

interfaces {
replace:
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect;
                }
                address X.X.X.X/32;
            }
        }
    }
}

Regards,
Bostjan
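To make the point behind the question concrete, here is an added model (not from the thread or from Junos itself) of how a lo0 input filter is evaluated: terms are tried in order, the first match decides, an unmatched packet hits the implicit discard, and the filter is only consulted for packets addressed to one of the router's own interface addresses (traffic to the Routing Engine), so transit traffic is forwarded untouched. The router addresses, the cut-down term list and the packet dictionaries are constructed for the example.

```python
import ipaddress

# Constructed: the router's own interface addresses. A filter applied to lo0
# is evaluated only for packets addressed to one of these (traffic to the
# Routing Engine); transit packets never reach it.
ROUTER_ADDRESSES = {"10.0.0.1", "192.0.2.1"}

# Cut-down version of the "protect" filter from the thread, as (name, match, action).
PROTECT = [
    ("SSH", {"proto": "tcp", "dport": 22, "src": ["10.0.0.0/24", "192.9.110.33/32"]}, "accept"),
    ("BGP", {"proto": "tcp", "dport": 179}, "accept"),
    ("Established", {"proto": "tcp", "established": True}, "accept"),
    ("Discard_plus_Log", {}, "discard"),
]


def term_matches(match, pkt):
    """All from-conditions of a term must hold; an empty match matches everything."""
    if "proto" in match and pkt["proto"] != match["proto"]:
        return False
    if "dport" in match and pkt.get("dport") != match["dport"]:
        return False
    # tcp-established: ACK or RST set, i.e. a reply to a session the router opened
    if match.get("established") and not (pkt.get("flags", set()) & {"ack", "rst"}):
        return False
    if "src" in match:
        src = ipaddress.ip_address(pkt["src"])
        if not any(src in ipaddress.ip_network(n) for n in match["src"]):
            return False
    return True


def evaluate_filter(terms, pkt):
    """First matching term decides; if none matches, Junos applies an implicit discard."""
    for name, match, action in terms:
        if term_matches(match, pkt):
            return name, action
    return "implicit", "discard"


def handle_packet(pkt, terms=PROTECT, router_addrs=ROUTER_ADDRESSES):
    """What happens to a packet arriving on any physical interface."""
    if pkt["dst"] not in router_addrs:
        return "transit", "forward"  # lo0 filter is not consulted for transit traffic
    return evaluate_filter(terms, pkt)
```

Dropping the final Discard_plus_Log term does not make unmatched traffic pass; it only loses the counter and syslog entry, because the implicit discard still applies.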


