[j-nsp] Firewall filter for system service ssh on outside interface?
Daniel M Daloia Jr
daniel.daloia at yahoo.com
Thu Oct 13 09:40:22 EDT 2011
Hi Folks,
Is there any reason why I shouldn't allow ssh access to a remote SRX with a firewall filter only allowing a single network on an untrust (reth) interface? Maybe I should create a loopback instead, allow system-services ssh, and apply the filter there? My thought for using a lo interface is: why force all traffic through the filter just for a system service?
root at ----LAB-1----# show firewall
filter FF_ALLOW_SSH {
    term SSH-ALLOW {
        from {
            source-address {
                1.1.1.0/24;
            }
            destination-address {
                2.2.2.2/32;
            }
            destination-port ssh;
        }
        then accept;
    }
    term SSH-DENY {
        from {
            destination-address {
                2.2.2.2/32;
            }
            destination-port ssh;
        }
        then {
            reject;
        }
    }
    term ANY-ALLOW {
        then {
            accept;
        }
    }
}
root at ----LAB-1----# show interfaces
reth11 {
    unit 0 {
        family inet {
            filter {
                input FF_ALLOW_SSH;
            }
            address 2.2.2.2/24;
        }
    }
}
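As an added example (not from the original post or from the poster's lab), here is the loopback variant the poster is weighing: the same SSH restriction moved onto lo0, where the filter is evaluated only for packets addressed to the Routing Engine, so transit traffic through reth11 is not inspected by it. The management network 1.1.1.0/24 and the reth11 addressing are taken from the post; the filter name FF_LO0_PROTECT and the counter name are assumptions.

```junos
/* Added example, not from the original post.
   Assumes the management network 1.1.1.0/24 from the post;
   FF_LO0_PROTECT and the counter name ssh-denied are placeholders. */
firewall {
    filter FF_LO0_PROTECT {
        /* SSH to the RE only from the management network */
        term SSH-ALLOW {
            from {
                source-address {
                    1.1.1.0/24;
                }
                protocol tcp;
                destination-port ssh;
            }
            then accept;
        }
        /* any other SSH attempt is counted, logged and silently dropped */
        term SSH-DENY {
            from {
                protocol tcp;
                destination-port ssh;
            }
            then {
                count ssh-denied;
                syslog;
                discard;
            }
        }
        /* keep the catch-all accept: a final discard on lo0 would also drop
           routing-protocol, IKE and other traffic destined to the RE */
        term ANY-ALLOW {
            then accept;
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input FF_LO0_PROTECT;
                }
            }
        }
    }
}
system {
    services {
        ssh;
    }
}
/* on SRX the zone must also admit SSH as host-inbound traffic on reth11,
   otherwise the packets never reach the lo0 filter */
security {
    zones {
        security-zone untrust {
            interfaces {
                reth11.0 {
                    host-inbound-traffic {
                        system-services {
                            ssh;
                        }
                    }
                }
            }
        }
    }
}
```

Two differences from the reth11 filter in the post: the deny term uses discard rather than reject, so no ICMP response is sent back to an unwanted source, and the count/syslog actions make denied attempts visible via show firewall and the syslog facility. The destination-address match is unnecessary on lo0 because only RE-bound packets are evaluated there, and the final accept is kept for the same reason the poster kept ANY-ALLOW: every other service the device needs is admitted unless a term before it says otherwise.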