[j-nsp] ACX5048 - protect remote access (telnet, ssh, http, snmp)

Aaron aaron1 at gvtc.com
Fri Apr 1 15:52:36 EDT 2016


Thanks Wayne, I tried it and get this error...

agould@eng-lab-acx5048-1# commit confirmed 1
[edit interfaces lo0 unit 0 family inet]
  'filter'
    Referenced filter 'local_acl' can not be used as default/physical interface specific with lo0 not supported on ingress loopback interface
error: configuration check-out failed

{master:0}[edit]


set firewall family inet filter local_acl term terminal_access from address 172.17.143.0/24
set firewall family inet filter local_acl term terminal_access from protocol tcp
set firewall family inet filter local_acl term terminal_access from port ssh
set firewall family inet filter local_acl term terminal_access from port telnet
set firewall family inet filter local_acl term terminal_access then accept
set firewall family inet filter local_acl term terminal_access_denied from protocol tcp
set firewall family inet filter local_acl term terminal_access_denied from port ssh
set firewall family inet filter local_acl term terminal_access_denied from port telnet
set firewall family inet filter local_acl term terminal_access_denied then log
set firewall family inet filter local_acl term terminal_access_denied then reject
set firewall family inet filter local_acl term default-term then accept
set interfaces lo0 unit 0 family inet filter input local_acl
set interfaces lo0 unit 0 family inet address 127.0.0.1/32



I tried this also... same error....


set firewall family inet filter local_acl term terminal_access from address 172.17.143.0/24
set firewall family inet filter local_acl term terminal_access from protocol tcp
set firewall family inet filter local_acl term terminal_access from destination-port ssh
set firewall family inet filter local_acl term terminal_access from destination-port telnet
set firewall family inet filter local_acl term terminal_access then accept
set firewall family inet filter local_acl term terminal_access_denied from protocol tcp
set firewall family inet filter local_acl term terminal_access_denied from destination-port ssh
set firewall family inet filter local_acl term terminal_access_denied from destination-port telnet
set firewall family inet filter local_acl term terminal_access_denied then log
set firewall family inet filter local_acl term terminal_access_denied then reject
set firewall family inet filter local_acl term default-term then accept
set interfaces lo0 unit 0 family inet filter input local_acl
set interfaces lo0 unit 0 family inet address 127.0.0.1/32



-----Original Message-----
From: juniper-nsp [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of
Wayne Lee via juniper-nsp
Sent: Friday, April 1, 2016 10:48 AM
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] ACX5048 - protect remote access (telnet, ssh, http,
snmp)

>
> I need to only allow 172.17.0.0/16 to be able to remotely access the
> ACX5048
> for snmp, telnet, ssh, http(s) services.  How would I do this?
>

Standard Junos firewall filter applied to lo0 should do the trick
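An added example, not part of the original thread and not Juniper code: a Python model of which term each of the two posted "local_acl" variants would match for a few constructed packets, using standard Junos first-match semantics. It does not reproduce or explain the ACX5048 commit error quoted above; the router address 10.0.0.1 and every sample packet are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

MGMT_NET = ip_network("172.17.143.0/24")  # prefix used in the posted filter
MGMT_PORTS = {22, 23}                     # ssh, telnet
ROUTER = "10.0.0.1"                       # constructed router address (assumption)

def port_match(pkt, keyword):
    # Junos "port" matches the source OR the destination port;
    # "destination-port" matches the destination port only.
    if keyword == "port":
        return pkt["sport"] in MGMT_PORTS or pkt["dport"] in MGMT_PORTS
    return pkt["dport"] in MGMT_PORTS

def evaluate(pkt, keyword):
    """First-match walk of local_acl; keyword is 'port' or 'destination-port'."""
    mgmt_tcp = pkt["proto"] == "tcp" and port_match(pkt, keyword)
    # "from address" matches either the source or the destination address.
    in_prefix = any(ip_address(pkt[k]) in MGMT_NET for k in ("src", "dst"))
    if mgmt_tcp and in_prefix:
        return "terminal_access", "accept"
    if mgmt_tcp:
        return "terminal_access_denied", "reject"
    return "default-term", "accept"

def packet(proto, src, sport, dport):
    return dict(proto=proto, src=src, dst=ROUTER, sport=sport, dport=dport)

# Constructed packets arriving at the routing engine (not taken from the thread).
PACKETS = {
    "ssh from 172.17.143.10": packet("tcp", "172.17.143.10", 40000, 22),
    "ssh from 172.17.5.5": packet("tcp", "172.17.5.5", 40001, 22),
    "snmp from 198.51.100.7": packet("udp", "198.51.100.7", 40002, 161),
    "https from 198.51.100.7": packet("tcp", "198.51.100.7", 40003, 443),
    "reply to outbound ssh": packet("tcp", "192.0.2.50", 22, 51000),
}

def run(keyword):
    """Map each sample packet name to the (term, action) it hits."""
    return {name: evaluate(pkt, keyword) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for keyword in ("port", "destination-port"):
        print(f"--- variant using '{keyword}' ---")
        for name, (term, action) in run(keyword).items():
            print(f"{name:26} {term:24} {action}")
```

In both variants the SNMP and HTTPS packets fall through to default-term and are accepted, so only ssh and telnet are actually restricted. The "port" variant additionally rejects replies to SSH sessions the router itself opens, which the "destination-port" variant lets through.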