[j-nsp] juniper-nsp Digest, Vol 55, Issue 33
Kanagaraj Krishna
kanagaraj at aims.com.my
Thu Jun 28 06:45:37 EDT 2007
Hi,
Aren't the incoming filters used to filter access to certain services/port into the router? I'm curious on how an external response (from a telnet request) could be affected unless it tries to respond to port 80 of the initiator which in normal circumstances is not likely. Any comments?
/Kana
----- Original Message -----
From: David Ball
To: Kanagaraj Krishna
Cc: juniper-nsp at puck.nether.net
Sent: Thursday, June 28, 2007 3:42 AM
Subject: Re: [j-nsp] juniper-nsp Digest, Vol 55, Issue 33
It very likely IS allowing OUTgoing telnet, even without the
adjustment in your filter. The problem is, it's not allowing the
response from the (assumed) web server in the INbound direction, hence
your need for the allowance in your input filter.
David
On 6/27/07, Kanagaraj Krishna <kanagaraj at aims.com.my> wrote:
> Hi,
> I've applied an input filter (hardening) to protect the routing engine of
> an m7i by applying it on the loopback IP. Refer to the config below. The
> issue
> is that, we can't telnet port:80 to any external IP from the box itself.
> Obviously I've not allowed access to port 80 on my box in the input filter
> but
> why would it affect the outgoing telnet. I tried allowing port 80 access on
> the input filter and after that the outgoing telnet works. Anyone facing the
> same issue?
>
> Regards,
> Kana
>
>
> lo0 {
> unit 0 {
> family inet {
> filter {
> input protect-RE;
> }
> address xxx.xxx.xxx.xxx/32;
> }
> }
> }
>
> firewall {
> filter protect-RE {
> ---config omitted----
>
> term telnet {
> from {
> protocol tcp;
> port telnet;
> }
> then {
> policer telnet-policer;
> accept;
> }
> }
>
> ---config omitted----
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
More information about the juniper-nsp
mailing list