[j-nsp] Filter on lo0, MX80
Per Granath
per.granath at gcc.com.cy
Mon Jan 30 03:05:50 EST 2012
> I'm trying a basic filter to deny traffic to lo0.
> SSH, OSPF and ICMP are allowed.
>
> It doesn't work, it allows all traffic.
>
> Same filter works on a ge-interface.
>
> ge-1/0/0 {
>     unit 0 {
>         family inet {
>             filter {
>                 input admin-access;
>             }
>             address 10.1.1.1/29;
>         }
>     }
> }
> lo0 {
>     unit 0 {
>         family inet {
>             filter {
>                 input admin-access;
>             }
>             address 10.2.1.1/32;
>         }
>     }
> }
>
> firewall {
>     family inet {
>         filter admin-access {
>             term ssh-access {
>                 from {
>                     address {
>                         10.1.2.0/24;
>                     }
>                 }
>                 then accept;
>             }
You only need it applied on the lo0 interface.
For ssh, change "address" to "source-address", since just "address" means either source or destination.
Also, add "protocol ssh" to that from statement.
Cheers.
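
A complete version of the lo0 filter discussed in this thread, as an added example that is not part of the original messages. SSH is matched here as TCP to destination port ssh from the permitted source prefix; the term names ospf, icmp and deny-rest and the counter name denied-to-re are assumptions.

```junos
/* Added example: routing-engine protection filter, applied on lo0 only. */
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input admin-access;
                }
                address 10.2.1.1/32;
            }
        }
    }
}
firewall {
    family inet {
        filter admin-access {
            /* source-address matches the sender only; plain "address"
               would also match on the destination field. */
            term ssh-access {
                from {
                    source-address {
                        10.1.2.0/24;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term ospf {
                from {
                    protocol ospf;
                }
                then accept;
            }
            term icmp {
                from {
                    protocol icmp;
                }
                then accept;
            }
            /* Explicit final term (assumed name) so drops are counted. */
            term deny-rest {
                then {
                    count denied-to-re;
                    discard;
                }
            }
        }
    }
}
```

When committing an lo0 filter over a remote session, `commit confirmed` rolls the change back automatically if the new filter locks the session out. Afterwards, `show firewall filter admin-access` displays the denied-to-re counter.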