[j-nsp] firewall filter question
Jonathan Looney
jonlooney at gmail.com
Tue Jan 23 09:22:45 EST 2007
There is an implicit "0.0.0.0/0 except" in every address match. Therefore,
in order to match all addresses except those in the trusted-hosts
prefix-list, you need the following configuration:
from {
    source-prefix-list {
        trusted-hosts except;
    }
    source-address {
        0.0.0.0/0;
    }
    [...]
}
-Jon
On 1/23/07, Alexander Serkin <als at cell.ru> wrote:
>
> hi, all.
> Please help me to understand filter configuration.
> I'm building filter rules according to the Cymru Juniper template:
> # [firewall]
> family inet {
>     filter router-protect {
>         term 1 {
>             from {
>                 source-prefix-list {
>                     trusted-hosts except;
>                 }
>                 protocol tcp;
>                 destination-port ssh;
>             }
>             then {
>                 count manage-discard-tcp;
>                 discard;
>             }
>         }
>         ...
>         term 5 {
>             then {
>                 count manage-accept-other;
>                 accept;
>             }
>         }
>     }
> }
>
> and set it on interface lo0:
> lo0 {
>     unit 0 {
>         family inet {
>             no-redirects;
>             filter {
>                 input router-protect;
>             }
>             address a.b.c.d/32;
>         }
>     }
> }
>
> But the box is still permitting ssh from untrusted hosts:
>
> Jan 23 07:28:44 myhost sshd[18635]: Failed password for afanasy from
> 82.66.192.40 port 39126 ssh2
>
> What am I doing wrong?
> --
> Sincerely Yours,
> Alexander
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
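The following is an added example, not code from either poster or from Juniper: a small Python model of the address-match semantics Jon describes, namely longest-prefix matching over the term's source entries with an implicit "0.0.0.0/0 except" at the end. It assumes that source-prefix-list and source-address entries of one term are merged into a single match table, and it uses a constructed trusted-hosts list (the real one is not on the page). Run against the two filter variants, it shows why the original term 1 never fires for untrusted SSH while the corrected term does.

```python
"""Model of Junos firewall address matching with 'except' entries (added example)."""
from ipaddress import ip_address, ip_network

# Constructed prefix-list; the real trusted-hosts contents are not on the page.
TRUSTED_HOSTS = ["192.0.2.0/24", "198.51.100.7/32"]


def entries(prefixes, is_except):
    """Build (network, except_flag) pairs for a source-prefix-list or source-address clause."""
    return [(ip_network(p), is_except) for p in prefixes]


def address_matches(addr, table):
    """Longest-prefix match over the term's source entries.

    Assumption: prefix-list and source-address entries form one table. If no listed
    prefix covers the address, the implicit '0.0.0.0/0 except' applies and the
    criterion does not match; if the longest covering prefix is an 'except' entry,
    it does not match either.
    """
    src = ip_address(addr)
    hits = [e for e in table if src in e[0]]
    if not hits:  # implicit "0.0.0.0/0 except"
        return False
    _net, is_except = max(hits, key=lambda e: e[0].prefixlen)
    return not is_except


def term_matches(frm, pkt):
    """All configured 'from' criteria must match; absent criteria match anything."""
    if "source" in frm and not address_matches(pkt["src"], frm["source"]):
        return False
    if "protocol" in frm and frm["protocol"] != pkt["protocol"]:
        return False
    if "dport" in frm and frm["dport"] != pkt["dport"]:
        return False
    return True


def run_filter(terms, pkt):
    """First matching term decides; a Junos filter ends with an implicit discard."""
    for _name, frm, action in terms:
        if term_matches(frm, pkt):
            return action
    return "discard"


# Term 1 as posted: only an 'except' entry, so the source criterion never matches.
ORIGINAL_FILTER = [
    ("1", {"source": entries(TRUSTED_HOSTS, True), "protocol": "tcp", "dport": 22}, "discard"),
    ("5", {}, "accept"),
]

# Term 1 with the explicit 0.0.0.0/0 source-address Jon suggests.
CORRECTED_FILTER = [
    ("1", {"source": entries(TRUSTED_HOSTS, True) + entries(["0.0.0.0/0"], False),
           "protocol": "tcp", "dport": 22}, "discard"),
    ("5", {}, "accept"),
]

# Constructed packets; 82.66.192.40 is the source from the posted sshd log line.
UNTRUSTED_SSH = {"src": "82.66.192.40", "protocol": "tcp", "dport": 22}
TRUSTED_SSH = {"src": "192.0.2.10", "protocol": "tcp", "dport": 22}
UNTRUSTED_BGP = {"src": "82.66.192.40", "protocol": "tcp", "dport": 179}

if __name__ == "__main__":
    for label, flt in (("original", ORIGINAL_FILTER), ("corrected", CORRECTED_FILTER)):
        for pkt in (UNTRUSTED_SSH, TRUSTED_SSH, UNTRUSTED_BGP):
            print(f"{label:9} {pkt['src']:>14} dport {pkt['dport']:<4} -> {run_filter(flt, pkt)}")
```

The original filter accepts SSH from 82.66.192.40 because term 1's source criterion matches nothing and term 5 accepts everything; the corrected filter discards it while still accepting SSH from a trusted host and non-SSH traffic from anywhere.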