[j-nsp] ACX5048 - protect remote access (telnet, ssh, http, snmp)
Eduardo Schoedler
listas at esds.com.br
Fri Apr 1 15:59:45 EDT 2016
Aaron,
It's a known issue, has been discussed here.
Look for KB28893.
Regards,
2016-04-01 16:52 GMT-03:00 Aaron <aaron1 at gvtc.com>:
> Thanks Wayne, I tried it and get this error...
>
> agould at eng-lab-acx5048-1# commit confirmed 1 [edit interfaces lo0 unit 0
> family inet]
> 'filter'
> Referenced filter 'local_acl' can not be used as default/physical
> interface specific with lo0 not supported on ingress loopback interface
> error: configuration check-out failed
>
> {master:0}[edit]
>
>
> set firewall family inet filter local_acl term terminal_access from address
> 172.17.143.0/24
>
> set firewall family inet filter local_acl term terminal_access from protocol
> tcp
>
> set firewall family inet filter local_acl term terminal_access from port ssh
>
> set firewall family inet filter local_acl term terminal_access from port
> telnet
>
> set firewall family inet filter local_acl term terminal_access then accept
>
> set firewall family inet filter local_acl term terminal_access_denied from
> protocol tcp
>
> set firewall family inet filter local_acl term terminal_access_denied from
> port ssh
>
> set firewall family inet filter local_acl term terminal_access_denied from
> port telnet
>
> set firewall family inet filter local_acl term terminal_access_denied then
> log
>
> set firewall family inet filter local_acl term terminal_access_denied then
> reject
>
> set firewall family inet filter local_acl term default-term then accept
>
> set interfaces lo0 unit 0 family inet filter input local_acl
>
> set interfaces lo0 unit 0 family inet address 127.0.0.1/32
>
>
>
> I tried this also... same error....
>
>
> set firewall family inet filter local_acl term terminal_access from address
> 172.17.143.0/24
>
> set firewall family inet filter local_acl term terminal_access from protocol
> tcp
>
> set firewall family inet filter local_acl term terminal_access from
> destination-port ssh
>
> set firewall family inet filter local_acl term terminal_access from
> destination-port telnet
>
> set firewall family inet filter local_acl term terminal_access then accept
>
> set firewall family inet filter local_acl term terminal_access_denied from
> protocol tcp
>
> set firewall family inet filter local_acl term terminal_access_denied from
> destination-port ssh
>
> set firewall family inet filter local_acl term terminal_access_denied from
> destination-port telnet
>
> set firewall family inet filter local_acl term terminal_access_denied then
> log
>
> set firewall family inet filter local_acl term terminal_access_denied then
> reject
>
> set firewall family inet filter local_acl term default-term then accept
>
> set interfaces lo0 unit 0 family inet filter input local_acl
>
> set interfaces lo0 unit 0 family inet address 127.0.0.1/32
>
>
>
> -----Original Message-----
> From: juniper-nsp [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of
> Wayne Lee via juniper-nsp
> Sent: Friday, April 1, 2016 10:48 AM
> Cc: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] ACX5048 - protect remote access (telnet, ssh, http,
> snmp)
>
>>
>> I need to only allow 172.17.0.0/16 to be able to remotely access the
>> ACX5048
>> for snmp, telnet, ssh, http(s) services. How would I do this?
>>
>
> Standard Junos firewall filter applied to lo0 should do the trick
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
--
Eduardo Schoedler
More information about the juniper-nsp
mailing list