[j-nsp] Filter on lo0, MX80
Jonas Björklund
jonas at bjorklund.cn
Mon Jan 30 12:59:35 EST 2012
On Mon, 30 Jan 2012, Stacy W. Smith wrote:
>
> On Jan 30, 2012, at 1:05 AM, Per Granath wrote:
>
>>> I'm trying a basic filter to deny traffic to lo0.
>>> SSH, OSPF and ICMP are allowed.
>>>
>>> It doesn't work; it allows all traffic.
>>>
>>> The same filter works on a ge-interface.
>>>
>>> ge-1/0/0 {
>>>     unit 0 {
>>>         family inet {
>>>             filter {
>>>                 input admin-access;
>>>             }
>>>             address 10.1.1.1/29;
>>>         }
>>>     }
>>> }
>>> lo0 {
>>>     unit 0 {
>>>         family inet {
>>>             filter {
>>>                 input admin-access;
>>>             }
>>>             address 10.2.1.1/32;
>>>         }
>>>     }
>>> }
>>>
>>> firewall {
>>>     family inet {
>>>         filter admin-access {
>>>             term ssh-access {
>>>                 from {
>>>                     address {
>>>                         10.1.2.0/24;
>>>                     }
>>>                 }
>>>                 then accept;
>>>             }
>>
>> You only need it applied on the lo0 interface.
>> For ssh, change "address" to "source-address", since just "address" means either source or destination.
>> Also, add "protocol ssh" to that from statement.
>
> There's no "protocol ssh". You want "protocol tcp" and "destination-port ssh":
>
> [edit firewall family inet filter admin-access]
> user at host# show
> term ssh-access {
>     from {
>         source-address {
>             10.1.2.0/24;
>         }
>         protocol tcp;
>         destination-port ssh;
>     }
>     then accept;
> }
Thanks! source-address solved the problem.
/Jonas
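A complete version of the lo0 filter this thread is working toward (SSH from the management subnet, OSPF, ICMP, everything else dropped), written as an added example rather than configuration posted by any participant. It reuses the thread's 10.1.2.0/24 management subnet, 10.2.1.1/32 loopback address and ssh-access term; the other term names, the counter name and the log action are my own choices.

```junos
firewall {
    family inet {
        filter admin-access {
            /* "source-address" rather than "address": plain "address" matches
               either direction, and on lo0 the destination is the router itself. */
            term ssh-access {
                from {
                    source-address {
                        10.1.2.0/24;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term ospf-access {
                from {
                    protocol ospf;
                }
                then accept;
            }
            term icmp-access {
                from {
                    protocol icmp;
                }
                then accept;
            }
            /* Explicit final term so the drops are counted and logged;
               the implicit discard at the end of a filter is silent. */
            term deny-rest {
                then {
                    count admin-access-denied;
                    log;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input admin-access;
                }
                address 10.2.1.1/32;
            }
        }
    }
}
```

Because a filter on lo0 governs all traffic destined to the Routing Engine, commit it with `commit confirmed` so a mistake in the SSH term rolls itself back instead of locking you out of the box. `show firewall filter admin-access` shows the admin-access-denied counter climbing when unwanted traffic is hitting the router, and `show firewall log` shows which packets the deny-rest term caught.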