[j-nsp] firewall filter question
Erdem Sener
erdems at gmail.com
Tue Jan 23 09:37:32 EST 2007
Hi,
I would go with a firewall filter that accepts certain types of
traffic with multiple terms, and discards anything else with a last
'then discard' term.
Of course, such a filter would require careful planning.
On 1/23/07, Alexander Serkin <als at cell.ru> wrote:
> hi, all.
> Please help me to understand filter configuration.
> I'm building filter rules according to the Cymru Juniper template:
> # [firewall]
> family inet {
>     filter router-protect {
>         term 1 {
>             from {
>                 source-prefix-list {
>                     trusted-hosts except;
>                 }
>                 protocol tcp;
>                 destination-port ssh;
>             }
>             then {
>                 count manage-discard-tcp;
>                 discard;
>             }
>         }
>         ...
>         term 5 {
>             then {
>                 count manage-accept-other;
>                 accept;
>             }
>         }
>     }
> }
>
> and set it in interface lo0:
> lo0 {
>     unit 0 {
>         family inet {
>             no-redirects;
>             filter {
>                 input router-protect;
>             }
>             address a.b.c.d/32;
>         }
>     }
> }
>
> But the box is still permitting ssh from untrusted hosts:
>
> Jan 23 07:28:44 myhost sshd[18635]: Failed password for afanasy from
> 82.66.192.40 port 39126 ssh2
>
> What am I doing wrong?
> --
> Sincerely Yours,
> Alexander
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
--
Erdem
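As an added illustration of the accept-what-you-need-then-discard-the-rest design Erdem describes (this is not configuration from the thread or from the Cymru template; the filter name and the prefix-lists trusted-hosts and bgp-peers are assumed), a minimal Junos filter for lo0:

```junos
firewall {
    family inet {
        filter protect-re {
            /* SSH only from trusted management hosts (prefix-list name assumed) */
            term allow-ssh-trusted {
                from {
                    source-prefix-list {
                        trusted-hosts;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    count accept-ssh;
                    accept;
                }
            }
            /* BGP only from configured peers (prefix-list name assumed) */
            term allow-bgp {
                from {
                    source-prefix-list {
                        bgp-peers;
                    }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            /* Replies to TCP sessions the router itself opened */
            term allow-established {
                from {
                    protocol tcp;
                    tcp-established;
                }
                then accept;
            }
            /* Everything not accepted above: count, log, drop */
            term deny-rest {
                then {
                    count deny-rest;
                    log;
                    discard;
                }
            }
        }
    }
}
```

Apply it with `set interfaces lo0 unit 0 family inet filter input protect-re` and watch the per-term counters with `show firewall filter protect-re`; a real deployment also needs terms for ICMP, the IGP, NTP, DNS and anything else the routing engine must receive, since the last term drops everything not listed.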