[j-nsp] Firewall filter for system service ssh on outside interface?

Robert Juric robert.juric at gmail.com
Thu Oct 13 10:04:09 EDT 2011


If you create a loopback in your trust zone then you will have to create
security policy to allow traffic from untrust to trust for ssh. Or you can
use the external interface and the firewall filter, be sure to remember the
host-inbound-traffic for your untrust zone.

I'm not sure which would really be better. My understanding is that the
sooner you filter the traffic in the processing flow, the more efficient it
is.

Robert Juric

On Thu, Oct 13, 2011 at 8:40 AM, Daniel M Daloia Jr <daniel.daloia at yahoo.com> wrote:

> Hi Folks,
>
> Is there any reason why I shouldn't allow ssh access to a remote SRX with a
> firewall filter only allowing a single network on an untrust (reth)
> interface? Maybe should create a loopback instead, allow system-services
> ssh,  and apply the filter there? My thought for using a lo interface is why
> force all traffic through the filter just for a system service?
>
> root at ----LAB-1----# show firewall
> filter FF_ALLOW_SSH {
>     term SSH-ALLOW {
>         from {
>             source-address {
>                 1.1.1.0/24;
>             }
>             destination-address {
>                 2.2.2.2/32;
>             }
>             destination-port ssh;
>         }
>         then accept;
>     }
>     term SSH-DENY {
>         from {
>             destination-address {
>                 2.2.2.2/32;
>             }
>             destination-port ssh;
>         }
>         then {
>             reject;
>         }
>     }
>     term ANY-ALLOW {
>         then {
>             accept;
>         }
>     }
> }
>
> root at ----LAB-1----# show interfaces
> reth11 {
>     unit 0 {
>         family inet {
>             filter {
>                 input FF_ALLOW_SSH;
>             }
>             address 2.2.2.2/24;
>         }
>     }
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
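The loopback variant discussed above, written out as an added example (it is not configuration from either poster). Addresses are placeholders from the documentation ranges; the filter name and term names are invented. Two details are changed deliberately relative to the quoted filter: each SSH term also matches `protocol tcp`, so a UDP packet to port 22 is not caught by the SSH terms, and the deny term uses `discard` with `log` rather than `reject`, so the device neither answers the unwanted source nor leaves the drop invisible. The trailing accept term is essential on lo0, because a filter there sees all traffic to the Routing Engine (routing protocols, SNMP, etc.) and Junos discards anything not accepted by the end of the filter. The `host-inbound-traffic` stanza on the untrust zone is what lets the SRX accept SSH on the ingress interface at all; where lo0 itself is placed (trust zone plus an untrust-to-trust policy, as the reply notes, or elsewhere) is a design choice this example does not settle.

```junos
/* Added example, not from the thread: RE-protection filter applied to lo0 */
firewall {
    filter PROTECT-RE {
        /* Management prefix is a placeholder; substitute your own. */
        term SSH-FROM-MGMT {
            from {
                source-address {
                    192.0.2.0/24;
                }
                protocol tcp;
                destination-port ssh;
            }
            then accept;
        }
        /* Silently drop and log SSH from anywhere else. */
        term SSH-DENY {
            from {
                protocol tcp;
                destination-port ssh;
            }
            then {
                log;
                discard;
            }
        }
        /* Required: lo0 filters see all RE-bound traffic, and the
           implicit end-of-filter action is discard. */
        term ALLOW-REST {
            then accept;
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE;
                }
                /* Placeholder loopback address. */
                address 203.0.113.1/32;
            }
        }
    }
}
security {
    zones {
        security-zone untrust {
            /* Without this the SRX drops SSH to itself before any
               filter or policy is consulted. */
            host-inbound-traffic {
                system-services {
                    ssh;
                }
            }
            interfaces {
                reth11.0;
            }
        }
    }
}
```

After committing, `show firewall filter PROTECT-RE` shows the per-term counters only if you add `count` actions; the `log` action on the deny term is enough to confirm with `show firewall log` that unwanted SSH attempts are reaching the filter and being dropped there rather than at a later stage.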

