[j-nsp] access-class ?
Erdem Sener
erdems at gmail.com
Mon May 16 08:35:08 EDT 2005
Hi,
The filter applied to the loopback interface is valid for traffic
going "to" the router, not "through" the router, so no "passing
traffic" is discarded.
Cheers,
Erdem
On 5/16/05, Valery Yastrebov <yastrebov at activetelecom.ru> wrote:
> You've permitted only specific types of traffic: telnet, ssh, snmp, ntp,
> etc.
> And
> "If you apply the filter to the loopback interface, it is valid for all
> connections directly to any of the router's interfaces; you don't need
> to configure every possible access point."
>
> If so, all other types of traffic passing through any physical interface
> (except those defined in the filter's rules) will be discarded ????
>
>
> You can configure a filter on the loopback interface. In the filter, specify
> a term for telnet/ssh to accept, in a second term discard all other
> telnet/ssh traffic, and in the last term accept all other traffic. The last
> term is important because of routing updates (BGP, LDP, ...) and you
> probably do not want to filter out those.
>
> Here is a sample config which is probably overkill:
> firewall {
>     family inet {
>         filter protect {
>             term Telnet {
>                 from {
>                     source-address {
>                         10.0.0.0/24;
>                         10.0.1.0/24;
>                         10.0.11.0/24;
>                         10.0.12.0/24;
>                         10.0.15.0/24;
>                         192.9.100.0/24;
>                         192.9.101.0/24;
>                         192.9.102.0/24;
>                         10.0.13.0/24;
>                         192.9.110.0/24;
>                     }
>                     protocol tcp;
>                     destination-port telnet;
>                 }
>                 then accept;
>             }
>             term SSH {
>                 from {
>                     source-address {
>                         10.0.0.0/24;
>                         10.0.1.0/24;
>                         10.0.11.0/24;
>                         10.0.12.0/24;
>                         10.0.15.0/24;
>                         192.9.100.0/24;
>                         192.9.101.0/24;
>                         192.9.102.0/24;
>                         195.250.196.0/24;
>                         10.0.13.0/24;
>                         192.9.110.34/32;
>                         192.9.110.33/32;
>                     }
>                     protocol tcp;
>                     destination-port ssh;
>                 }
>                 then accept;
>             }
>             term SNMP {
>                 from {
>                     source-address {
>                         192.9.100.0/24;
>                         192.9.101.0/24;
>                         192.9.102.0/24;
>                         192.9.110.33/32;
>                         192.9.110.34/32;
>                     }
>                     protocol udp;
>                     destination-port snmp;
>                 }
>                 then accept;
>             }
>             term ntp {
>                 from {
>                     source-address {
>                         192.9.101.20/32;
>                         127.0.0.1/32;
>                     }
>                     protocol udp;
>                 }
>                 then {
>                     count NTP;
>                     accept;
>                 }
>             }
>             term FTP {
>                 from {
>                     source-address {
>                         10.0.0.0/24;
>                         10.0.1.0/24;
>                         10.0.11.0/24;
>                         10.0.12.0/24;
>                         10.0.15.0/24;
>                         192.9.100.0/24;
>                         192.9.101.0/24;
>                         192.9.102.0/24;
>                         inactive: 195.250.196.0/24;
>                         10.0.13.0/24;
>                         192.9.110.33/32;
>                         192.9.110.34/32;
>                     }
>                     protocol tcp;
>                     port [ ftp ftp-data ];
>                 }
>                 then accept;
>             }
>             term BGP {
>                 from {
>                     protocol tcp;
>                     destination-port bgp;
>                 }
>                 then accept;
>             }
>             term OSPF {
>                 from {
>                     protocol ospf;
>                 }
>                 then accept;
>             }
>             term ICMP {
>                 from {
>                     protocol icmp;
>                 }
>                 then accept;
>             }
>             term RSVP {
>                 from {
>                     protocol rsvp;
>                 }
>                 then accept;
>             }
>             term Established {
>                 from {
>                     protocol tcp;
>                     tcp-established;
>                 }
>                 then accept;
>             }
>             term Discard_plus_Log {
>                 then {
>                     count Discard;
>                     syslog;
>                     discard;
>                 }
>             }
>         }
>     }
> }
>
> interfaces {
>     replace:
>     lo0 {
>         unit 0 {
>             family inet {
>                 filter {
>                     input protect;
>                 }
>                 address X.X.X.X/32;
>             }
>         }
>     }
> }
>
> Regards,
> Bostjan
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp
>
--
-erdem
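Added example, not part of the thread: a small Python model of how a lo0 input filter like the quoted "protect" filter is evaluated, illustrating Erdem's point that only traffic addressed to the router itself is subject to it while transit traffic is untouched. The router address, the reduced set of terms and the packets are constructed for the example; it mirrors Junos first-match term order with the final discard term.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values: a placeholder for the real lo0 address (X.X.X.X in the
# thread) and a trimmed list of management prefixes from the quoted config.
ROUTER_ADDRS = {ipaddress.ip_address("192.0.2.1")}
MGMT_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/24", "192.9.100.0/24")]


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int = 0
    established: bool = False  # ACK or RST set, as matched by tcp-established


def in_nets(addr, nets):
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


# (term name, match predicate, action), in the same order as the posted filter.
TERMS = [
    ("SSH", lambda p: p.proto == "tcp" and p.dport == 22
                      and in_nets(p.src, MGMT_NETS), "accept"),
    ("SNMP", lambda p: p.proto == "udp" and p.dport == 161
                       and in_nets(p.src, MGMT_NETS), "accept"),
    ("BGP", lambda p: p.proto == "tcp" and p.dport == 179, "accept"),
    ("OSPF", lambda p: p.proto == "ospf", "accept"),
    ("Established", lambda p: p.proto == "tcp" and p.established, "accept"),
    ("Discard_plus_Log", lambda p: True, "discard"),
]


def evaluate(p):
    """Return (verdict, matching term). Packets not addressed to the router
    are transit traffic and never reach the lo0 input filter."""
    if ipaddress.ip_address(p.dst) not in ROUTER_ADDRS:
        return ("forwarded", None)
    for name, match, action in TERMS:
        if match(p):
            return (action, name)
    return ("discard", "implicit")  # a filter with no matching term discards


if __name__ == "__main__":
    print(evaluate(Packet("203.0.113.9", "192.0.2.1", "tcp", 22)))   # discarded
    print(evaluate(Packet("203.0.113.9", "198.51.100.7", "tcp", 22))) # forwarded
```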