[j-nsp] ACX5048 - protect remote access (telnet, ssh, http, snmp)

Aaron aaron1 at gvtc.com
Fri Apr 1 16:37:23 EDT 2016


Right, http://kb.juniper.net/InfoCenter/index?page=content&id=KB28893&actp=RSS

I tried that too... perhaps I missed something, but my forwarding plane filter didn't seem to work either.  I'll have to give that another look.

I'm annoyed that Cisco deals with this on pretty much every device using VTY interface access-classes or ACLs attached to the snmp process, etc... I'll get over it, just wanted to vent  :|

I really wish I could find an elegant/simple way to protect system processes (snmp, http, ssh, etc)

Thanks y'all
Aaron



-----Original Message-----
From: Eduardo Schoedler [mailto:listas at esds.com.br] 
Sent: Friday, April 1, 2016 3:00 PM
To: Aaron <aaron1 at gvtc.com>
Cc: Wayne Lee <linkconnect at googlemail.com>; juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] ACX5048 - protect remote access (telnet, ssh, http, snmp)

Aaron,

It's a known issue, has been discussed here.
Look for KB28893.

Regards,

2016-04-01 16:52 GMT-03:00 Aaron <aaron1 at gvtc.com>:
> Thanks Wayne, I tried it and get this error...
>
> agould at eng-lab-acx5048-1# commit confirmed 1
> [edit interfaces lo0 unit 0 family inet]
>   'filter'
>     Referenced filter 'local_acl' can not be used as default/physical interface specific with lo0 not supported on ingress loopback interface
> error: configuration check-out failed
>
> {master:0}[edit]
>
>
> set firewall family inet filter local_acl term terminal_access from address 172.17.143.0/24
> set firewall family inet filter local_acl term terminal_access from protocol tcp
> set firewall family inet filter local_acl term terminal_access from port ssh
> set firewall family inet filter local_acl term terminal_access from port telnet
> set firewall family inet filter local_acl term terminal_access then accept
> set firewall family inet filter local_acl term terminal_access_denied from protocol tcp
> set firewall family inet filter local_acl term terminal_access_denied from port ssh
> set firewall family inet filter local_acl term terminal_access_denied from port telnet
> set firewall family inet filter local_acl term terminal_access_denied then log
> set firewall family inet filter local_acl term terminal_access_denied then reject
> set firewall family inet filter local_acl term default-term then accept
> set interfaces lo0 unit 0 family inet filter input local_acl
> set interfaces lo0 unit 0 family inet address 127.0.0.1/32
>
>
>
> I tried this also... same error....
>
>
> set firewall family inet filter local_acl term terminal_access from address 172.17.143.0/24
> set firewall family inet filter local_acl term terminal_access from protocol tcp
> set firewall family inet filter local_acl term terminal_access from destination-port ssh
> set firewall family inet filter local_acl term terminal_access from destination-port telnet
> set firewall family inet filter local_acl term terminal_access then accept
> set firewall family inet filter local_acl term terminal_access_denied from protocol tcp
> set firewall family inet filter local_acl term terminal_access_denied from destination-port ssh
> set firewall family inet filter local_acl term terminal_access_denied from destination-port telnet
> set firewall family inet filter local_acl term terminal_access_denied then log
> set firewall family inet filter local_acl term terminal_access_denied then reject
> set firewall family inet filter local_acl term default-term then accept
> set interfaces lo0 unit 0 family inet filter input local_acl
> set interfaces lo0 unit 0 family inet address 127.0.0.1/32
>
>
>
> -----Original Message-----
> From: juniper-nsp [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Wayne Lee via juniper-nsp
> Sent: Friday, April 1, 2016 10:48 AM
> Cc: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] ACX5048 - protect remote access (telnet, ssh, http, snmp)
>
>>
>> I need to only allow 172.17.0.0/16 to be able to remotely access the ACX5048 for snmp, telnet, ssh, http(s) services.  How would I do this?
>>
>
> Standard Junos firewall filter applied to lo0 should do the trick 
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net 
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>



--
Eduardo Schoedler
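Independently of whether an ACX5048 accepts the filter on lo0, it is worth checking what the quoted local_acl actually lets through before committing it anywhere. The following Python is an added example, not code from this thread or from Juniper: it parses the destination-port variant of the set commands quoted above and evaluates packets against a simplified model of Junos term semantics (terms in order, first match wins, a matching term with no terminating action accepts, unmatched traffic hits the implicit discard). Assumptions, also labelled in the code: address is checked against the source address only, port matches either source or destination port, the outside address 203.0.113.10 is a constructed documentation-range value, and only the port names the example needs are mapped. Running it shows that the posted filter rejects ssh and telnet from outside 172.17.143.0/24, but the trailing default-term then accept still admits snmp, http and https from anywhere, which is exactly the set of services the original question wanted restricted.

```python
import ipaddress
import re

# Junos port names used by the posted filter plus the services the original
# question wanted to protect; only these names are resolved here (assumption).
SERVICE_PORTS = {"ssh": 22, "telnet": 23, "http": 80, "https": 443, "snmp": 161}

# Constructed input: the second (destination-port) variant posted in the thread,
# with the mail-wrapped lines re-joined. The 'set interfaces' lines are not
# needed to evaluate the filter itself.
POSTED_FILTER = """
set firewall family inet filter local_acl term terminal_access from address 172.17.143.0/24
set firewall family inet filter local_acl term terminal_access from protocol tcp
set firewall family inet filter local_acl term terminal_access from destination-port ssh
set firewall family inet filter local_acl term terminal_access from destination-port telnet
set firewall family inet filter local_acl term terminal_access then accept
set firewall family inet filter local_acl term terminal_access_denied from protocol tcp
set firewall family inet filter local_acl term terminal_access_denied from destination-port ssh
set firewall family inet filter local_acl term terminal_access_denied from destination-port telnet
set firewall family inet filter local_acl term terminal_access_denied then log
set firewall family inet filter local_acl term terminal_access_denied then reject
set firewall family inet filter local_acl term default-term then accept
"""

SET_RE = re.compile(
    r"^set firewall family inet filter (\S+) term (\S+) (from|then) (\S+)(?: (\S+))?$"
)


def parse_filter(text):
    """Parse 'set firewall family inet filter ...' lines into
    {filter_name: {term_name: {"from": {match: [values]}, "then": [actions]}}}.
    Term order is preserved (dicts keep insertion order); Junos evaluates terms
    sequentially and stops at the first match, so order is part of the policy."""
    filters = {}
    for raw in text.strip().splitlines():
        m = SET_RE.match(raw.strip())
        if not m:
            continue  # not a filter term line (e.g. 'set interfaces ...')
        fname, tname, kind, key, value = m.groups()
        term = filters.setdefault(fname, {}).setdefault(tname, {"from": {}, "then": []})
        if kind == "from":
            term["from"].setdefault(key, []).append(value)
        else:
            term["then"].append(key)
    return filters


def _port(value):
    """Resolve a Junos port name or a numeric port to an int."""
    return SERVICE_PORTS[value] if value in SERVICE_PORTS else int(value)


def evaluate(terms, src, proto, dport, sport=None):
    """Return the terminating action ('accept', 'reject' or 'discard') for one packet.
    Simplifying assumptions of this example: 'address'/'source-address' are checked
    against the source address only, 'port' matches either source or destination
    port, 'destination-port' only the destination. Unmatched traffic hits the
    implicit discard at the end of the filter."""
    src_ip = ipaddress.ip_address(src)
    for term in terms.values():
        cond = term["from"]
        prefixes = cond.get("address", []) + cond.get("source-address", [])
        if prefixes and not any(src_ip in ipaddress.ip_network(p) for p in prefixes):
            continue
        if "protocol" in cond and proto not in cond["protocol"]:
            continue
        if "destination-port" in cond and dport not in {_port(v) for v in cond["destination-port"]}:
            continue
        if "port" in cond and not ({dport, sport} & {_port(v) for v in cond["port"]}):
            continue
        for action in term["then"]:
            if action in ("accept", "reject", "discard"):
                return action
        return "accept"  # a matching term with no terminating action accepts
    return "discard"


def audit(terms, outside_src="203.0.113.10"):
    """Verdict per management service for a packet from an address outside the
    trusted range (203.0.113.10 is a constructed documentation-range address).
    Any service whose verdict is not reject/discard is reachable from there."""
    verdicts = {}
    for name, port in SERVICE_PORTS.items():
        proto = "udp" if name == "snmp" else "tcp"
        verdicts[name] = evaluate(terms, outside_src, proto, port)
    return verdicts


if __name__ == "__main__":
    local_acl = parse_filter(POSTED_FILTER)["local_acl"]
    print("trusted host -> ssh:", evaluate(local_acl, "172.17.143.5", "tcp", 22))
    for service, verdict in audit(local_acl).items():
        print(f"outside host -> {service}: {verdict}")
```

The same evaluator can be fed the first (port) variant from the thread: because a plain port match also fires on the source port, a packet from an untrusted host whose source port happens to be 22 would hit terminal_access_denied even when it is headed for a non-management service, which is one reason the destination-port form is the one to keep. The fix the audit points at is a filter whose catch-all term matching the management ports ends in discard rather than accept, with every service the question lists (snmp, http, https included) enumerated in the allow term.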


