[j-nsp] ACX5048 - protect remote access (telnet, ssh, http, snmp)
Daniel Rohan
drohan at gmail.com
Wed Apr 27 13:54:08 EDT 2016
BTW, this appears to now be fixed in 12.3X54-D25.7.
ne@ACX1000-lab# load set terminal
[Type ^D at a new line to end input]
set firewall family inet filter local_acl term terminal_access from address 172.17.143.0/24
set firewall family inet filter local_acl term terminal_access from protocol tcp
set firewall family inet filter local_acl term terminal_access from port ssh
set firewall family inet filter local_acl term terminal_access from port telnet
set firewall family inet filter local_acl term terminal_access then accept
set firewall family inet filter local_acl term terminal_access_denied from protocol tcp
set firewall family inet filter local_acl term terminal_access_denied from port ssh
set firewall family inet filter local_acl term terminal_access_denied from port telnet
set firewall family inet filter local_acl term terminal_access_denied then log
set firewall family inet filter local_acl term terminal_access_denied then reject
set firewall family inet filter local_acl term default-term then accept
set interfaces lo0 unit 0 family inet filter input local_acl
load complete
[edit]
ne@ACX1000-lab# commit check
configuration check succeeds
[edit]
ne@ACX1000-lab# run show version
Hostname: ACX1000-lab
Model: acx1100
JUNOS Crypto Software Suite [12.3X54-D25.7]
JUNOS Base OS Software Suite [12.3X54-D25.7]
JUNOS Kernel Software Suite [12.3X54-D25.7]
JUNOS Base OS boot [12.3X54-D25.7]
JUNOS Packet Forwarding Engine Support (ACX) [12.3X54-D25.7]
JUNOS Online Documentation [12.3X54-D25.7]
JUNOS Routing Software Suite [12.3X54-D25.7]
[edit]
ne@ACX1000-lab#
On Sat, Apr 2, 2016 at 2:59 AM, Mark Tinka <mark.tinka at seacom.mu> wrote:
>
>
> On 2/Apr/16 11:04, Saku Ytti wrote:
>
> >
> > I've always wondered why is this a hard problem, especially in low
> > end? Naively I'd think that from your ASIC waste one revenue port as
> > host-bound facing and implement normal port ACLs there.
>
> It is exactly for that reason. Vendors will assume all low-end
> requirements place more emphasis on cost than security (however basic)
> or generally well-practiced network operational requirements.
>
> They'll further justify it by saying, "If you want all the bells &
> whistles, we have box for that".
>
> Mark.
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
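As an added example that is not part of this thread or of Juniper's software: a small Python model of how Junos evaluates a lo0 input filter, used to run the filter posted above against a few constructed packets. It assumes the simplified match semantics listed in its docstring, a constructed lo0 address of 192.0.2.1, constructed peers in 198.51.100.0/24, and a variant filter that swaps `port` for `destination-port`; none of those come from the post.

```python
"""Toy evaluator for a Junos lo0 input filter given as `set` commands.

Modelled semantics (a simplification of Junos, not Junos itself): terms are
tried in configuration order and the first match wins; `address` matches the
source OR destination address; `port` matches the source OR destination port;
`destination-port` matches only the destination; several values of one match
condition are ORed, different conditions are ANDed; `log` is non-terminating
and a matched term with no accept/discard/reject accepts; a packet matching
no term is discarded.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample input: the filter posted in the thread, plus a variant
# (this example's own) that matches on destination-port instead of port.
POSTED_FILTER = """
set firewall family inet filter local_acl term terminal_access from address 172.17.143.0/24
set firewall family inet filter local_acl term terminal_access from protocol tcp
set firewall family inet filter local_acl term terminal_access from port ssh
set firewall family inet filter local_acl term terminal_access from port telnet
set firewall family inet filter local_acl term terminal_access then accept
set firewall family inet filter local_acl term terminal_access_denied from protocol tcp
set firewall family inet filter local_acl term terminal_access_denied from port ssh
set firewall family inet filter local_acl term terminal_access_denied from port telnet
set firewall family inet filter local_acl term terminal_access_denied then log
set firewall family inet filter local_acl term terminal_access_denied then reject
set firewall family inet filter local_acl term default-term then accept
"""
HARDENED_FILTER = POSTED_FILTER.replace(" from port ", " from destination-port ")

PORT_NAMES = {"ssh": 22, "telnet": 23, "http": 80, "snmp": 161}
PROTO_NAMES = {"tcp": 6, "udp": 17}
SET_RE = re.compile(r"^set firewall family inet filter (\S+) term (\S+) (from|then) (.+)$")


@dataclass
class Term:
    name: str
    addresses: list = field(default_factory=list)  # src OR dst
    protocols: set = field(default_factory=set)
    ports: set = field(default_factory=set)        # src OR dst port
    dst_ports: set = field(default_factory=set)    # dst port only
    actions: list = field(default_factory=list)


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


def _port(value):
    return PORT_NAMES.get(value) or int(value)


def parse_filter(text, name="local_acl"):
    """Return the named filter's terms in configuration order."""
    terms, order = {}, []
    for line in text.strip().splitlines():
        m = SET_RE.match(line.strip())
        if not m or m.group(1) != name:
            continue
        _, tname, kind, rest = m.groups()
        if tname not in terms:
            terms[tname] = Term(tname)
            order.append(tname)
        term = terms[tname]
        if kind == "then":
            term.actions.append(rest)
            continue
        key, _, value = rest.partition(" ")
        if key == "address":
            term.addresses.append(ipaddress.ip_network(value, strict=False))
        elif key == "protocol":
            term.protocols.add(PROTO_NAMES.get(value) or int(value))
        elif key == "port":
            term.ports.add(_port(value))
        elif key == "destination-port":
            term.dst_ports.add(_port(value))
        else:
            raise ValueError(f"unsupported match condition: {key}")
    return [terms[n] for n in order]


def term_matches(term, pkt):
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if term.addresses and not any(src in n or dst in n for n in term.addresses):
        return False
    if term.protocols and pkt.proto not in term.protocols:
        return False
    if term.ports and pkt.sport not in term.ports and pkt.dport not in term.ports:
        return False
    if term.dst_ports and pkt.dport not in term.dst_ports:
        return False
    return True


def decide(filter_text, pkt):
    """Return (terminating action, matching term name, whether it was logged)."""
    for term in parse_filter(filter_text):
        if not term_matches(term, pkt):
            continue
        terminating = [a for a in term.actions if a in ("accept", "discard", "reject")]
        return (terminating[0] if terminating else "accept"), term.name, "log" in term.actions
    return "discard", "(implicit)", False


ROUTER = "192.0.2.1"  # constructed lo0 address for the samples
SAMPLES = {  # constructed packets arriving at lo0
    "inside ssh": Packet("172.17.143.10", ROUTER, 6, 40000, 22),
    "outside ssh": Packet("198.51.100.7", ROUTER, 6, 40001, 22),
    "outside snmp": Packet("198.51.100.7", ROUTER, 17, 40002, 161),
    "ssh reply": Packet("198.51.100.7", ROUTER, 6, 22, 50000),  # router was the client
}


def audit(filter_text):
    return {label: decide(filter_text, p) for label, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, text in (("port", POSTED_FILTER), ("destination-port", HARDENED_FILTER)):
        for label, result in audit(text).items():
            print(f"{name:17} {label:13} -> {result}")
```

Two things the run makes visible. The posted filter only names ssh and telnet, so SNMP and HTTP from any source fall through to default-term and are accepted. And because `from port` matches either the source or the destination port, the reply to an SSH session the router itself opened (source port 22, arriving at an ephemeral destination port) hits terminal_access_denied and is rejected unless the peer sits in 172.17.143.0/24; matching on `destination-port` keeps that return traffic out of the deny term while still rejecting inbound SSH and telnet from outside the management network.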