[j-nsp] SSH Filter

Stefan Fouant sfouant at gmail.com
Fri May 22 10:57:42 EDT 2009


That filter would certainly do what you want but I would strongly
advise against using an accept-all term as your last term. If you
truly want to take a hardened control plane security posture, why not
allow that which is specifically required and drop the rest? Team
Cymru has some good control plane filter templates available on their
website.

Regards,



On 5/22/09, Brendan Mannella <bmannella at teraswitch.com> wrote:
>
>
> All, I know this has been covered a million times, but I just wanted to
> check with the list to see if this is the best/recommended way to restrict
> SSH access to an EX switch. I did google this, but noticed people doing it
> in different ways.
>
> set firewall family inet filter RE_FILTER term SSH from source-address 10.0.0.1/32
> set firewall family inet filter RE_FILTER term SSH from source-address 10.0.0.2/32
> set firewall family inet filter RE_FILTER term SSH from protocol tcp
> set firewall family inet filter RE_FILTER term SSH from destination-port 22
> set firewall family inet filter RE_FILTER term SSH then accept
> set firewall family inet filter RE_FILTER term SSH_BLOCK from protocol tcp
> set firewall family inet filter RE_FILTER term SSH_BLOCK from destination-port 22
> set firewall family inet filter RE_FILTER term SSH_BLOCK then discard
> set firewall family inet filter RE_FILTER term everything-else then accept
> set interfaces lo0 unit 0 family inet filter input RE_FILTER
>
> Please advise.
>
> Thanks,
>
> Brendan Mannella
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>

-- 
Sent from Gmail for mobile | mobile.google.com

Stefan Fouant

Stay the patient course.
Of little worth is your ire.
The network is down.

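The default-deny shape Stefan recommends, written out as an added example for this thread (Junos set-style commands; not Stefan's, Brendan's or Juniper's own config, and not tested on any particular EX release). The two management hosts from Brendan's post move into a prefix list, each kind of traffic the RE genuinely needs gets its own explicit term, and the last term logs and discards everything else instead of accepting it. The NTP, TCP-reply and ICMP terms, the NTP server address and the prefix-list and term names are assumptions about what this switch needs; anything else the RE actually uses (OSPF/BGP, DNS, RADIUS/TACACS, SNMP, DHCP relay) needs its own accept term before the final one. The `#` lines are for the reader and should be dropped before pasting into `load set terminal`.

```junos
# Management hosts allowed to SSH (addresses taken from the original post)
set policy-options prefix-list MGMT-HOSTS 10.0.0.1/32
set policy-options prefix-list MGMT-HOSTS 10.0.0.2/32

# Assumed: the NTP server this switch polls (placeholder address)
set policy-options prefix-list NTP-SERVERS 10.0.0.10/32

# SSH only from the management hosts
set firewall family inet filter RE_FILTER term SSH from source-prefix-list MGMT-HOSTS
set firewall family inet filter RE_FILTER term SSH from protocol tcp
set firewall family inet filter RE_FILTER term SSH from destination-port ssh
set firewall family inet filter RE_FILTER term SSH then accept

# Replies to TCP sessions the RE itself opened (e.g. RADIUS/TACACS, outbound SSH);
# without this a default-deny filter silently breaks AAA and RE-initiated sessions
set firewall family inet filter RE_FILTER term TCP-REPLIES from protocol tcp
set firewall family inet filter RE_FILTER term TCP-REPLIES from tcp-established
set firewall family inet filter RE_FILTER term TCP-REPLIES then accept

# NTP responses from the configured servers only
set firewall family inet filter RE_FILTER term NTP from source-prefix-list NTP-SERVERS
set firewall family inet filter RE_FILTER term NTP from protocol udp
set firewall family inet filter RE_FILTER term NTP from source-port ntp
set firewall family inet filter RE_FILTER term NTP then accept

# Minimal ICMP so the switch stays reachable for troubleshooting and PMTUD works
set firewall family inet filter RE_FILTER term ICMP from protocol icmp
set firewall family inet filter RE_FILTER term ICMP from icmp-type echo-request
set firewall family inet filter RE_FILTER term ICMP from icmp-type echo-reply
set firewall family inet filter RE_FILTER term ICMP from icmp-type unreachable
set firewall family inet filter RE_FILTER term ICMP from icmp-type time-exceeded
set firewall family inet filter RE_FILTER term ICMP then accept

# Final term: count and log what is dropped, then discard. No accept-all here.
set firewall family inet filter RE_FILTER term DEFAULT-DENY then count re-filter-denied
set firewall family inet filter RE_FILTER term DEFAULT-DENY then syslog
set firewall family inet filter RE_FILTER term DEFAULT-DENY then discard

# Apply to the loopback so it governs all traffic destined to the RE
set interfaces lo0 unit 0 family inet filter input RE_FILTER
```

Activate a filter like this with `commit confirmed` from a session that is itself covered by the SSH term, so a missed protocol rolls back automatically instead of locking you out; afterwards, `show firewall filter RE_FILTER` and the syslog entries from the DEFAULT-DENY term tell you what else the RE was relying on before you tightened it.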
