[j-nsp] Stupid ACL Q & JUNOS 8.0 Q

Erdem Sener erdems at gmail.com
Mon Sep 4 17:04:31 EDT 2006


Hello,

Please see in-line:

On 9/4/06, Jason J. W. Williams <jasonjwwilliams at gmail.com> wrote:
> Hi,
>
> I've been searching for an answer to this and I'm a bit befuddled. At
> the moment I'm trying to configure an ACL to prevent SSH attempts from
> outside. It appears I need to do so by configuring a filter under the
> "firewall" configuration area and then apply it to the "input" or
> "output" on "unit 0 family inet" for the interface connected to the
> outside.

If you want to prevent these attempts to the router, you could simply
define a filter under [edit firewall family inet] section and apply as
an input filter to your loopback interface.

Filters applied on the input of the loopback are effective box-wise,
regardless of the interface they're coming from.

You should be very careful doing this though, since you'll probably
want to allow other stuff (like network operators for ssh access for
example) and will definitely want to allow protocol-based traffic such
as ospf/bgp/ldp/rsvp etc.

> My question is am I correct, or do I have to have the
> stateful firewall license key since the filter is defined under
> "firewall"? Thanks in advance for the newbie Q.

You don't need any licence for a standard firewall filter.

Here's a brief firewall filter example covering the basics; it might
give you an idea of where to start:

HTH

family inet {
        filter Filter-For-The-Box-Itself {
            term Management-Any {
                from {
                    source-address {
                        192.168.0.0/24;
                    }
                }
                then accept;
            }
            term Management-TelnetOnly {
                from {
                    source-address {
                        172.16.5.0/28;
                    }
                    destination-port telnet;
                }
                then accept;
            }
            term Management-SshOnly {
                from {
                    source-address {
                        192.168.4.2/32;
                        192.168.4.3/32;
                    }
                    protocol tcp;
                    port ssh;
                }
                then accept;
            }
            term Established-Connections {
                from {
                    tcp-established;
                }
                then accept;
            }
            term Dns-Queries {
                from {
                    source-port domain;
                }
                then accept;
            }
            term Protocol-Ospf {
                from {
                    protocol ospf;
                }
                then accept;
            }
            term Protocol-Bgp {
                from {
                    destination-port bgp;
                }
                then accept;
            }
            term Protocol-ICMP {
                from {
                    protocol icmp;
                }
                then accept;
            }
            term Management-Snmp {
                from {
                    source-address {
                        192.168.6.1/32;
                        192.168.6.10/32;
                        192.168.6.21/32;
                    }
                    destination-port snmp;
                }
                then accept;
            }
            term Protocol-Rsvp {
                from {
                    protocol rsvp;
                }
                then accept;
            }
            term Protocol-Ldp {
                from {
                    protocol [ tcp udp ];
                    port ldp;
                }
                then accept;
            }
            term Ntp-Queries {
                from {
                    destination-port ntp;
                }
                then accept;
            }
            term All-The-Rest {
                then {
                    discard;
                }
            }
        }
}
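
As an added illustration (not part of Erdem's post and not a Juniper tool), here is a small Python model of the filter above, evaluated first-match the way a JunOS filter is. Besides showing that an outside SSH attempt falls through to the final discard term, it shows why a term that matches only a port, such as Dns-Queries (source-port domain with no protocol, destination-port or address constraint), accepts traffic the discard term was meant to catch; from a hardening standpoint such terms deserve a protocol and destination constraint. The sample packets and the outside address 203.0.113.7 are constructed.

```python
from ipaddress import ip_address, ip_network

def in_prefixes(addr, prefixes):
    return any(ip_address(addr) in ip_network(net) for net in prefixes)

# The posted filter's terms, in order: (name, match predicate, action). A packet is a
# dict with src, proto, sport, dport and a set of TCP flags; service names -> port numbers.
TERMS = [
    ("Management-Any",
     lambda p: in_prefixes(p["src"], ["192.168.0.0/24"]), "accept"),
    ("Management-TelnetOnly",
     lambda p: in_prefixes(p["src"], ["172.16.5.0/28"]) and p["dport"] == 23, "accept"),
    ("Management-SshOnly",  # 'port ssh' matches either source or destination port 22
     lambda p: in_prefixes(p["src"], ["192.168.4.2/32", "192.168.4.3/32"])
     and p["proto"] == "tcp" and 22 in (p["sport"], p["dport"]), "accept"),
    ("Established-Connections",  # tcp-established: TCP with ACK or RST set
     lambda p: p["proto"] == "tcp" and bool(p["flags"] & {"ack", "rst"}), "accept"),
    # Source-port only: no protocol, destination or address constraint at all.
    ("Dns-Queries", lambda p: p["sport"] == 53, "accept"),
    ("Protocol-Ospf", lambda p: p["proto"] == "ospf", "accept"),
    ("Protocol-Bgp", lambda p: p["dport"] == 179, "accept"),
    ("Protocol-ICMP", lambda p: p["proto"] == "icmp", "accept"),
    ("Management-Snmp",
     lambda p: in_prefixes(p["src"], ["192.168.6.1/32", "192.168.6.10/32", "192.168.6.21/32"])
     and p["dport"] == 161, "accept"),
    ("Protocol-Rsvp", lambda p: p["proto"] == "rsvp", "accept"),
    ("Protocol-Ldp",
     lambda p: p["proto"] in ("tcp", "udp") and 646 in (p["sport"], p["dport"]), "accept"),
    ("Ntp-Queries", lambda p: p["dport"] == 123, "accept"),
    ("All-The-Rest", lambda p: True, "discard"),
]

def pkt(src, proto, sport=None, dport=None, flags=()):
    return {"src": src, "proto": proto, "sport": sport, "dport": dport, "flags": set(flags)}

def evaluate(p):
    """First matching term wins, as in JunOS; returns (term name, action)."""
    for name, match, action in TERMS:
        if match(p):
            return name, action

if __name__ == "__main__":
    # Constructed samples: outside SSH SYN, operator SSH SYN, outside SYN sourced from port 53.
    for p in (pkt("203.0.113.7", "tcp", 40000, 22, ["syn"]),
              pkt("192.168.4.2", "tcp", 40000, 22, ["syn"]),
              pkt("203.0.113.7", "tcp", 53, 22, ["syn"])):
        print(p["src"], p["sport"], "->", p["dport"], evaluate(p))
```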

