[j-nsp] juniper-nsp Digest, Vol 55, Issue 33

Kanagaraj Krishna kanagaraj at aims.com.my
Thu Jun 28 06:45:37 EDT 2007


Hi,
    Aren't the incoming filters used to filter access to certain services/ports into the router? I'm curious how an external response (from a telnet request) could be affected unless it tries to respond to port 80 of the initiator, which in normal circumstances is not likely. Any comments?

/Kana
  ----- Original Message ----- 
  From: David Ball 
  To: Kanagaraj Krishna 
  Cc: juniper-nsp at puck.nether.net 
  Sent: Thursday, June 28, 2007 3:42 AM
  Subject: Re: [j-nsp] juniper-nsp Digest, Vol 55, Issue 33


     It very likely IS allowing OUTgoing telnet, even without the
  adjustment in your filter.  The problem is, it's not allowing the
  response from the (assumed) web server in the INbound direction, hence
  your need for the allowance in your input filter.

  David


  On 6/27/07, Kanagaraj Krishna <kanagaraj at aims.com.my> wrote:
  > Hi,
  >    I've applied an input filter (hardening) to protect the routing engine of
  > an m7i by applying it on the loopback IP. Refer to the config below. The issue
  > is that we can't telnet to port 80 on any external IP from the box itself.
  > Obviously I've not allowed access to port 80 on my box in the input filter, but
  > why would it affect the outgoing telnet? I tried allowing port 80 access on
  > the input filter and after that the outgoing telnet works. Anyone facing the
  > same issue?
  >
  > Regards,
  > Kana
  >
  >
  > lo0 {
  >         unit 0 {
  >             family inet {
  >                 filter {
  >                     input protect-RE;
  >                 }
  >                 address xxx.xxx.xxx.xxx/32;
  >             }
  >         }
  >     }
  >
  > firewall {
  >      filter protect-RE {
  > ---config omitted----
  >
  >          term telnet {
  >             from {
  >                 protocol tcp;
  >                 port telnet;
  >             }
  >             then {
  >                 policer telnet-policer;
  >                 accept;
  >             }
  >          }
  >
  > ---config omitted----
  > _______________________________________________
  > juniper-nsp mailing list juniper-nsp at puck.nether.net
  > https://puck.nether.net/mailman/listinfo/juniper-nsp
  >
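One way to let the replies to RE-originated sessions back in without opening TCP/80 toward the RE, shown as an added example that is not part of this thread (the term names, and http/https as the remote services the RE connects to, are assumptions; the rest of the real protect-RE filter is omitted as in the original post):

```junos
firewall {
    filter protect-RE {
        /* Weak fix from the thread: accepts any TCP packet to port 80 on the RE,
           including new connection attempts, just to let the reply traffic in. */
        term allow-http-to-re {
            from {
                protocol tcp;
                destination-port http;
            }
            then accept;
        }
        /* Corrected: accept only reply packets of sessions the RE opened itself.
           tcp-established matches TCP packets with ACK or RST set, so a bare SYN
           toward the RE never matches this term. source-port lists the remote
           services the RE is expected to reach (assumed here: http and https). */
        term re-initiated-tcp-replies {
            from {
                protocol tcp;
                source-port [ http https ];
                tcp-established;
            }
            then accept;
        }
        /* Existing inbound service terms (telnet with its policer, etc.) stay as
           they are, followed by the filter's final discard term. */
    }
}
```

Because the filter is stateless, any packet with ACK set and a listed source port still matches, so keep the source-port list to the services the RE actually needs and leave the final discard term in place.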

