[j-nsp] firewall filter question

EVAN WILLIAMS evangellick at btinternet.com
Tue Jan 23 11:15:49 EST 2007


Agreed. Structure the firewall filter to protect the router so that all connection attempts are discarded unless explicitly permitted in the routing-options prefix lists or in the terms of the firewall family inet filter.
  term default-action {
      then {
          syslog;
          discard;
      }
  }

  NET1020
  Requirement: The router administrator will ensure that all attempts to any port, protocol, or
  service that is denied are logged.
  from http://iase.disa.mil/stigs/checklist/juniper-router-checklist-procedure-guide-for-network-check.pdf
   
  Evangellick

Erdem Sener <erdems at gmail.com> wrote:
Hi,

I would go with a firewall filter that accepts certain types of
traffic with multiple terms, and discards anything else with a last
'then discard' term.

Of course, such a filter would require careful planning.


On 1/23/07, Alexander Serkin wrote:
> Hi, all.
> Please help me to understand filter configuration.
> I'm building filter rules according to the Cymru Juniper template:
> # [firewall]
> family inet {
>     filter router-protect {
>         term 1 {
>             from {
>                 source-prefix-list {
>                     trusted-hosts except;
>                 }
>                 protocol tcp;
>                 destination-port ssh;
>             }
>             then {
>                 count manage-discard-tcp;
>                 discard;
>             }
>         }
>         ...
>         term 5 {
>             then {
>                 count manage-accept-other;
>                 accept;
>             }
>         }
>     }
> }
>
> and set it on interface lo0:
> lo0 {
>     unit 0 {
>         family inet {
>             no-redirects;
>             filter {
>                 input router-protect;
>             }
>             address a.b.c.d/32;
>         }
>     }
> }
>
> But the box is still permitting ssh from untrusted hosts:
>
> Jan 23 07:28:44 myhost sshd[18635]: Failed password for afanasy from
> 82.66.192.40 port 39126 ssh2
>
> What am I doing wrong?
> --
> Sincerely Yours,
> Alexander
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>


-- 
Erdem
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
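Putting Erdem's and Evan's suggestions together, here is an added example (not from the thread or the Cymru template) of a lo0 filter that accepts ssh only from the trusted-hosts prefix list plus ICMP, and then counts, logs and discards everything else as a final catch-all term. The prefixes 192.0.2.0/24 and 203.0.113.1/32 and the counter names are constructed placeholders.

```junos
policy-options {
    prefix-list trusted-hosts {
        192.0.2.0/24;    /* constructed: management network allowed to ssh in */
    }
}
firewall {
    family inet {
        filter router-protect {
            term accept-ssh-trusted {
                from {
                    source-prefix-list {
                        trusted-hosts;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    count manage-accept-ssh;
                    accept;
                }
            }
            term accept-icmp {
                from {
                    protocol icmp;
                }
                then accept;
            }
            /* last term: anything not explicitly accepted above is logged and dropped */
            term default-discard {
                then {
                    count manage-discard-other;
                    syslog;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input router-protect;
                }
                address 203.0.113.1/32;    /* constructed loopback address */
            }
        }
    }
}
```

On a production router, add accept terms for the routing protocols and management services the box actually uses (BGP, OSPF, NTP, DNS, SNMP and so on) before the final discard term, since the filter applies to every packet destined to the Routing Engine. Check the counters with "show firewall filter router-protect" to confirm that untrusted ssh attempts are now hitting manage-discard-other.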


