[j-nsp] access-class ?
Valery Yastrebov
yastrebov at activetelecom.ru
Mon May 16 08:35:44 EDT 2005
Thank You!
-----Original Message-----
From: Erdem Sener [mailto:erdems at gmail.com]
Sent: Monday, May 16, 2005 4:35 PM
To: Valery Yastrebov
Cc: Belgian Network Solutions - Geert Hauwaerts;
juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] access-class ?
Hi,
The filter applied to the loopback interface is valid for traffic
going "to" the router, not "through" the router, so no "passing
traffic" is discarded.
Cheers,
Erdem
On 5/16/05, Valery Yastrebov <yastrebov at activetelecom.ru> wrote:
> You've permitted only specific types of traffic: telnet, ssh, snmp, ntp,
> etc.
> And
> "If you apply the filter to the loopback interface, it is valid for all
> connections directly to any of the router's interfaces; you don't need
> to configure every possible access point."
>
> If so, will all other types of traffic passing through any physical
> interface (except those defined in the filter's rules) be discarded?
>
>
> You can configure a filter on the loopback interface. In the filter, specify
> a term for telnet/ssh to accept, in a second term discard all other
> telnet/ssh traffic, and in the last term accept all other traffic. The last
> term is important because of routing updates (BGP, LDP, ..) and you
> probably do not want to filter those out.
>
> Here is a sample config which is probably overkill:
> firewall {
>     family inet {
>         filter protect {
>             term Telnet {
>                 from {
>                     source-address {
>                         10.0.0.0/24;
>                         10.0.1.0/24;
>                         10.0.11.0/24;
>                         10.0.12.0/24;
>                         10.0.15.0/24;
>                         192.9.100.0/24;
>                         192.9.101.0/24;
>                         192.9.102.0/24;
>                         10.0.13.0/24;
>                         192.9.110.0/24;
>                     }
>                     protocol tcp;
>                     destination-port telnet;
>                 }
>                 then accept;
>             }
>             term SSH {
>                 from {
>                     source-address {
>                         10.0.0.0/24;
>                         10.0.1.0/24;
>                         10.0.11.0/24;
>                         10.0.12.0/24;
>                         10.0.15.0/24;
>                         192.9.100.0/24;
>                         192.9.101.0/24;
>                         192.9.102.0/24;
>                         195.250.196.0/24;
>                         10.0.13.0/24;
>                         192.9.110.34/32;
>                         192.9.110.33/32;
>                     }
>                     protocol tcp;
>                     destination-port ssh;
>                 }
>                 then accept;
>             }
>             term SNMP {
>                 from {
>                     source-address {
>                         192.9.100.0/24;
>                         192.9.101.0/24;
>                         192.9.102.0/24;
>                         192.9.110.33/32;
>                         192.9.110.34/32;
>                     }
>                     protocol udp;
>                     destination-port snmp;
>                 }
>                 then accept;
>             }
>             term ntp {
>                 from {
>                     source-address {
>                         192.9.101.20/32;
>                         127.0.0.1/32;
>                     }
>                     protocol udp;
>                 }
>                 then {
>                     count NTP;
>                     accept;
>                 }
>             }
>             term FTP {
>                 from {
>                     source-address {
>                         10.0.0.0/24;
>                         10.0.1.0/24;
>                         10.0.11.0/24;
>                         10.0.12.0/24;
>                         10.0.15.0/24;
>                         192.9.100.0/24;
>                         192.9.101.0/24;
>                         192.9.102.0/24;
>                         inactive: 195.250.196.0/24;
>                         10.0.13.0/24;
>                         192.9.110.33/32;
>                         192.9.110.34/32;
>                     }
>                     protocol tcp;
>                     port [ ftp ftp-data ];
>                 }
>                 then accept;
>             }
>             term BGP {
>                 from {
>                     protocol tcp;
>                     destination-port bgp;
>                 }
>                 then accept;
>             }
>             term OSPF {
>                 from {
>                     protocol ospf;
>                 }
>                 then accept;
>             }
>             term ICMP {
>                 from {
>                     protocol icmp;
>                 }
>                 then accept;
>             }
>             term RSVP {
>                 from {
>                     protocol rsvp;
>                 }
>                 then accept;
>             }
>             term Established {
>                 from {
>                     protocol tcp;
>                     tcp-established;
>                 }
>                 then accept;
>             }
>             term Discard_plus_Log {
>                 then {
>                     count Discard;
>                     syslog;
>                     discard;
>                 }
>             }
>         }
>     }
> }
>
> interfaces {
>     replace:
>     lo0 {
>         unit 0 {
>             family inet {
>                 filter {
>                     input protect;
>                 }
>                 address X.X.X.X/32;
>             }
>         }
>     }
> }
>
> Regards,
> Bostjan
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp
>
--
-erdem
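What the posted lo0 filter does with a packet addressed to the router itself can be checked off-box with a small first-match simulation of its terms. The block below is an added example, not code from this thread or from Juniper: it models Junos term evaluation (first matching term wins), treats tcp-established as the shorthand for tcp-flags "(ack | rst)" and `port [ ftp ftp-data ]` as matching either the source or the destination port, and the sample packets, including the 203.0.113.x "outside" addresses, are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Source prefixes copied from the posted filter. The inactive: 195.250.196.0/24
# entry in the FTP term is left out, since Junos ignores inactive statements.
TELNET_SRC = ["10.0.0.0/24", "10.0.1.0/24", "10.0.11.0/24", "10.0.12.0/24",
              "10.0.15.0/24", "192.9.100.0/24", "192.9.101.0/24",
              "192.9.102.0/24", "10.0.13.0/24", "192.9.110.0/24"]
SSH_SRC = ["10.0.0.0/24", "10.0.1.0/24", "10.0.11.0/24", "10.0.12.0/24",
           "10.0.15.0/24", "192.9.100.0/24", "192.9.101.0/24", "192.9.102.0/24",
           "195.250.196.0/24", "10.0.13.0/24", "192.9.110.34/32", "192.9.110.33/32"]
SNMP_SRC = ["192.9.100.0/24", "192.9.101.0/24", "192.9.102.0/24",
            "192.9.110.33/32", "192.9.110.34/32"]
NTP_SRC = ["192.9.101.20/32", "127.0.0.1/32"]
FTP_SRC = ["10.0.0.0/24", "10.0.1.0/24", "10.0.11.0/24", "10.0.12.0/24",
           "10.0.15.0/24", "192.9.100.0/24", "192.9.101.0/24", "192.9.102.0/24",
           "10.0.13.0/24", "192.9.110.33/32", "192.9.110.34/32"]


@dataclass
class Packet:
    """A packet addressed to the router itself (what a lo0 input filter sees)."""
    src: str
    proto: str                 # "tcp", "udp", "icmp", "ospf" or "rsvp"
    sport: Optional[int] = None
    dport: Optional[int] = None
    ack: bool = False
    rst: bool = False


def from_nets(src: str, nets: List[str]) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def tcp_to(p: Packet, port: int, nets: Optional[List[str]] = None) -> bool:
    """TCP to a destination port, optionally restricted to source prefixes."""
    return p.proto == "tcp" and p.dport == port and (nets is None or from_nets(p.src, nets))


# (term name, match predicate, action), in the order the posted filter lists them.
TERMS: List[Tuple[str, Callable[[Packet], bool], str]] = [
    ("Telnet", lambda p: tcp_to(p, 23, TELNET_SRC), "accept"),
    ("SSH", lambda p: tcp_to(p, 22, SSH_SRC), "accept"),
    ("SNMP", lambda p: p.proto == "udp" and p.dport == 161 and from_nets(p.src, SNMP_SRC), "accept"),
    # The posted ntp term has no port match: any UDP from these sources is accepted.
    ("ntp", lambda p: p.proto == "udp" and from_nets(p.src, NTP_SRC), "accept"),
    # 'port [ ftp ftp-data ]' matches either the source or the destination port.
    ("FTP", lambda p: p.proto == "tcp" and from_nets(p.src, FTP_SRC)
            and bool({p.sport, p.dport} & {20, 21}), "accept"),
    ("BGP", lambda p: tcp_to(p, 179), "accept"),
    ("OSPF", lambda p: p.proto == "ospf", "accept"),
    ("ICMP", lambda p: p.proto == "icmp", "accept"),
    ("RSVP", lambda p: p.proto == "rsvp", "accept"),
    # tcp-established is shorthand for tcp-flags "(ack | rst)" (assumed here).
    ("Established", lambda p: p.proto == "tcp" and (p.ack or p.rst), "accept"),
    ("Discard_plus_Log", lambda p: True, "discard"),
]


def evaluate(p: Packet) -> Tuple[str, str]:
    """Return (term, action) of the first matching term, as a Junos filter does."""
    for name, match, action in TERMS:
        if match(p):
            return name, action
    return "implicit", "discard"   # not reached: the last term matches everything


# Constructed sample packets; 203.0.113.9 stands in for an unlisted outside host.
SAMPLES = {
    "telnet from mgmt": Packet("10.0.0.5", "tcp", sport=40000, dport=23),
    "telnet SYN from outside": Packet("203.0.113.9", "tcp", sport=40000, dport=23),
    "ACK-only probe to telnet from outside": Packet("203.0.113.9", "tcp", sport=40000, dport=23, ack=True),
    "bgp SYN from anywhere": Packet("203.0.113.9", "tcp", sport=40000, dport=179),
    "dns query from ntp peer": Packet("192.9.101.20", "udp", sport=5353, dport=53),
    "snmp from outside": Packet("203.0.113.9", "udp", sport=5000, dport=161),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:40s} -> {evaluate(pkt)}")
```

Running it shows the term-order consequences worth knowing before committing such a filter: a SYN to telnet from an unlisted source is discarded, but an ACK-only probe from the same source is accepted by the Established term before the discard is reached; the BGP term accepts SYNs from any source, so it relies on the BGP neighbor configuration rather than the filter; and the ntp term, having no port match, accepts any UDP datagram from its two sources.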