[j-nsp] Filter on lo0, MX80

Per Granath per.granath at gcc.com.cy
Mon Jan 30 03:05:50 EST 2012


> I'm trying a basic filter to deny traffic to lo0.
> SSH, OSPF and ICMP are allowed.
> 
> It doesn't work, it allows all traffic.
> 
> The same filter works on a ge- interface.
> 
> ge-1/0/0 {
>      unit 0 {
>          family inet {
>              filter {
>                  input admin-access;
>              }
>              address 10.1.1.1/29;
>          }
>      }
> }
> lo0 {
>      unit 0 {
>          family inet {
>              filter {
>                  input admin-access;
>              }
>              address 10.2.1.1/32;
>          }
>      }
> }
> 
> firewall {
>      family inet {
>          filter admin-access {
>              term ssh-access {
>                  from {
>                      address {
>                          10.1.2.0/24;
>                      }
>                  }
>                  then accept;
>              }

You only need it applied on the lo0 interface.
For ssh, change "address" to "source-address", since just "address" means either source or destination.
Also, add "protocol ssh" to that from statement.

Cheers.
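A fuller version of the filter along the lines Per describes, as an added example that is not part of the original post. The 10.1.2.0/24 management subnet comes from the quoted config; the OSPF and ICMP terms, the explicit final discard term and the counter name are assumptions, and the SSH term is written as protocol tcp plus destination-port ssh. It is meant to be applied as input on lo0 unit 0 family inet only, as in the quoted config.

```junos
firewall {
    family inet {
        filter admin-access {
            term ssh-access {
                from {
                    /* source-address matches only the sender; plain "address"
                       would also match packets whose destination is in range */
                    source-address {
                        10.1.2.0/24;
                    }
                    /* limit the term to SSH instead of any protocol (assumption:
                       SSH on its default TCP port) */
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            /* OSPF hellos from neighbours hit the lo0 input filter too */
            term ospf-access {
                from {
                    protocol ospf;
                }
                then accept;
            }
            term icmp-access {
                from {
                    protocol icmp;
                }
                then accept;
            }
            /* explicit last term so denied hits are counted and visible in
               "show firewall" rather than silently dropped by the implicit discard */
            term deny-rest {
                then {
                    count admin-access-denied;
                    discard;
                }
            }
        }
    }
}
```

After committing, the counter admin-access-denied shows whether anything is actually being discarded, which is the quickest way to confirm the filter is in effect on lo0.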



More information about the juniper-nsp mailing list