[j-nsp] allow-configuration/permission + insert
Otto Kreiter
otto.kreiter at dante.org.uk
Thu Aug 14 09:18:11 EDT 2008
Thanks Alain.
This work-around obviously works but unfortunately in my case it is not
possible to use it as no human will/should be involved!
Cheers,
Otto
alain.briant at bt.com wrote:
> Hi Otto
>
> I have made some tests with your simple login config and I can find a simple workaround.
> I think that's not what you were looking for, but it works.
>
> Just be in the right place:
> "edit firewall family inet filter access_in"
> Copy the complete filter in a notepad
> Insert the new term where you want
> Delete the complete filter:
> "Delete"
> Place the router in a loading mode:
> "load merge terminal relative"
> Paste the new filter
> Then commit
>
>
> That's done
> Hope this helps
> Regards
> Alain
>
> Here are some traces:
>
> lab at toto> show configuration system login
> class test {
>     permissions configure;
>     allow-configuration "firewall family inet filter access_in";
> }
> user test {
>     uid 2009;
>     class test;
>     authentication {
>         encrypted-password "$1$A85U2lXA$yv9xBZSmwvN6E3XxiMkXm1"; ## SECRET-DATA
>     }
> }
>
> test at toto# edit firewall family inet filter access_in
>
> [edit firewall family inet filter access_in]
> test at toto# show
> term 1 {
>     from {
>         source-address {
>             192.168.63.63/32;
>         }
>     }
>     then count In;
> }
>
> [edit firewall family inet filter access_in]
> test at toto# delete
> Delete everything under this level? [yes,no] (no) yes
>
>
> [edit firewall family inet filter access_in]
> test at toto# load merge terminal relative
> [Type ^D at a new line to end input]
>
> term 2 {
>     from {
>         source-address {
>             192.168.63.64/32;
>         }
>     }
>     then count InBis;
> }
>
> term 1 {
>     from {
>         source-address {
>             192.168.63.63/32;
>         }
>     }
>     then count In;
> }
> load complete
>
> [edit firewall family inet filter access_in]
> test at toto# show
> term 2 {
>     from {
>         source-address {
>             192.168.63.64/32;
>         }
>     }
>     then count InBis;
> }
> term 1 {
>     from {
>         source-address {
>             192.168.63.63/32;
>         }
>     }
>     then count In;
> }
>
> [edit firewall family inet filter access_in]
> test at toto# commit
> commit complete
>
> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-bounces at puck.nether.net] On behalf of Otto Kreiter
> Sent: Thursday 14 August 2008 13:49
> To: juniper-nsp at puck.nether.net
> Subject: [j-nsp] allow-configuration/permission + insert
>
> Hi,
>
> I'm trying to create a user with limited rights to access a single firewall filter in the firewall configuration. I have (partially) managed to find the most convenient way of doing it by committing the following configuration:
>
> class test {
>     permissions configure;
>     allow-configuration "firewall family inet filter access_in";
> }
> user test {
>     uid 2002;
>     class test;
>     authentication {
>         encrypted-password "xxx";
>     }
> }
>
> This nicely allows the test user to configure the access_in filter and to
> *create* new terms. However, here comes the problem. When a new term is created it is placed automatically at the end of the filter (fair enough - is there any way to specify its place?). But then when the user tries to insert it in the right place:
>
> test at router# insert term Test-1 before ?
> No valid completions
>
> Yes there are many other terms, even created by the same user in the same session. I've tried countless allow-configurations and permission configuration options and variations but I'm missing something and can't get to the bottom of the problem.
>
> I would be grateful if somebody can point me in the right direction!
>
> Thank you and regards,
> Otto
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
>
--
Otto Kreiter
Service Introduction Manager
DANTE Ltd.
Phone: +44 (0)1223 371300
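Alain's workaround is copy the filter, insert the term by hand, delete, then `load merge terminal relative`; Otto needs the same without a human. The helper below is an added example, not code from the thread or from Juniper: it takes the filter body as `show` prints it at `[edit firewall family inet filter access_in]`, places a new term before a named existing term, and returns the text to paste after `delete`. The restricted account keeps the same `allow-configuration` scope, so the automation gains no rights beyond this one filter; `FILTER_TEXT` is the constructed sample from the thread.

```python
import re

# Constructed sample: the access_in filter body from the thread, i.e. what
# "show" prints at [edit firewall family inet filter access_in].
FILTER_TEXT = """\
term 1 {
    from {
        source-address {
            192.168.63.63/32;
        }
    }
    then count In;
}
"""

def split_terms(text):
    """Split a Junos filter body into (name, block) pairs by tracking brace depth."""
    terms, depth, name, buf = [], 0, None, []
    for line in text.splitlines():
        stripped = line.strip()
        if depth == 0:
            m = re.match(r"term\s+(\S+)\s*\{$", stripped)
            if not m:
                if stripped:
                    raise ValueError(f"unexpected top-level line: {stripped}")
                continue  # blank line between terms
            name, buf = m.group(1), []
        buf.append(line)
        depth += stripped.count("{") - stripped.count("}")
        if depth == 0:
            terms.append((name, "\n".join(buf) + "\n"))
    if depth != 0:
        raise ValueError("unbalanced braces in filter text")
    return terms

def insert_term_before(filter_text, new_term_text, before):
    """Return filter text with the single term in new_term_text placed before `before`."""
    terms = split_terms(filter_text)
    new = split_terms(new_term_text)
    if len(new) != 1:
        raise ValueError("new_term_text must contain exactly one term")
    names = [n for n, _ in terms]
    if new[0][0] in names:
        raise ValueError(f"term {new[0][0]} already exists")
    if before not in names:
        raise ValueError(f"term {before} not found")
    terms.insert(names.index(before), new[0])
    return "".join(block for _, block in terms)
```

Feeding the returned text into `load merge terminal relative` (or a `load` call from a config-management tool) after `delete` reproduces Alain's result: term 2 ahead of term 1, all within the one commit.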