[j-nsp] Filter on lo0, MX80
Stacy W. Smith
stacy at acm.org
Mon Jan 30 09:34:05 EST 2012
On Jan 30, 2012, at 1:05 AM, Per Granath wrote:
>> I'm trying a basic filter to deny traffic to lo0.
>> SSH, OSPF and ICMP are allowed.
>>
>> It doesn't work, it allows all traffic.
>>
>> The same filter works on a ge-interface.
>>
>> ge-1/0/0 {
>>     unit 0 {
>>         family inet {
>>             filter {
>>                 input admin-access;
>>             }
>>             address 10.1.1.1/29;
>>         }
>>     }
>> }
>> lo0 {
>>     unit 0 {
>>         family inet {
>>             filter {
>>                 input admin-access;
>>             }
>>             address 10.2.1.1/32;
>>         }
>>     }
>> }
>>
>> firewall {
>>     family inet {
>>         filter admin-access {
>>             term ssh-access {
>>                 from {
>>                     address {
>>                         10.1.2.0/24;
>>                     }
>>                 }
>>                 then accept;
>>             }
>
> You only need it applied on the lo0 interface.
> For ssh, change "address" to "source-address", since just "address" means either source or destination.
> Also, add "protocol ssh" to that from statement.
There's no "protocol ssh". You want "protocol tcp" and "destination-port ssh":
[edit firewall family inet filter admin-access]
user@host# show
term ssh-access {
    from {
        source-address {
            10.1.2.0/24;
        }
        protocol tcp;
        destination-port ssh;
    }
    then accept;
}
--Stacy
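The original post only shows the ssh term, so the OSPF and ICMP terms it mentions and the final deny are missing from the thread. The configuration below is an added example, not Stacy's or Per's, showing the complete lo0 filter the poster described: the corrected ssh term from Stacy's reply, plus OSPF, ICMP and an explicit terminal discard. The term names `ospf-access`, `icmp-access` and `deny-rest`, the counter name `denied`, and the `icmp-policer` with its limits are assumptions chosen for the example; the addresses are the ones from the original post.

```junos
firewall {
    family inet {
        policer icmp-policer {
            /* Assumed rate limit so ICMP to the RE cannot be used to exhaust it */
            if-exceeding {
                bandwidth-limit 1m;
                burst-size-limit 15k;
            }
            then discard;
        }
        filter admin-access {
            term ssh-access {
                from {
                    /* source-address, not address: address would also match
                       packets whose *destination* is 10.1.2.0/24 */
                    source-address {
                        10.1.2.0/24;
                    }
                    /* SSH is TCP to port 22; there is no "protocol ssh" */
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term ospf-access {
                from {
                    protocol ospf;
                }
                then accept;
            }
            term icmp-access {
                from {
                    protocol icmp;
                }
                then {
                    policer icmp-policer;
                    accept;
                }
            }
            term deny-rest {
                /* Junos already discards anything no term accepts; an explicit
                   last term with a counter and log makes the drops visible */
                then {
                    count denied;
                    log;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input admin-access;
                }
                address 10.2.1.1/32;
            }
        }
    }
}
```

Applying the filter on lo0 is what protects the routing engine: it is evaluated for traffic destined to the router itself whichever physical interface it arrived on, so the copy on ge-1/0/0 is not needed for that purpose. After committing, `show firewall filter admin-access` shows the `denied` counter climbing for anything outside the three allowed classes, and `show firewall log` lists the logged drops, which is the quickest way to confirm the filter is actually matching.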