[j-nsp] ACX5048 - protect remote access (telnet, ssh, http, snmp)

Daniel Rohan drohan at gmail.com
Wed Apr 27 13:54:08 EDT 2016


BTW, this appears to now be fixed in 12.3X54-D25.7.

ne at ACX1000-lab# load set terminal
[Type ^D at a new line to end input]
set firewall family inet filter local_acl term terminal_access from address 172.17.143.0/24
set firewall family inet filter local_acl term terminal_access from protocol tcp
set firewall family inet filter local_acl term terminal_access from port ssh
set firewall family inet filter local_acl term terminal_access from port telnet
set firewall family inet filter local_acl term terminal_access then accept
set firewall family inet filter local_acl term terminal_access_denied from protocol tcp
set firewall family inet filter local_acl term terminal_access_denied from port ssh
set firewall family inet filter local_acl term terminal_access_denied from port telnet
set firewall family inet filter local_acl term terminal_access_denied then log
set firewall family inet filter local_acl term terminal_access_denied then reject
set firewall family inet filter local_acl term default-term then accept
set interfaces lo0 unit 0 family inet filter input local_acl
load complete

[edit]
ne at ACX1000-lab# commit check
configuration check succeeds

[edit]
ne at ACX1000-lab# run show version
Hostname: ACX1000-lab
Model: acx1100
JUNOS Crypto Software Suite [12.3X54-D25.7]
JUNOS Base OS Software Suite [12.3X54-D25.7]
JUNOS Kernel Software Suite [12.3X54-D25.7]
JUNOS Base OS boot [12.3X54-D25.7]
JUNOS Packet Forwarding Engine Support (ACX) [12.3X54-D25.7]
JUNOS Online Documentation [12.3X54-D25.7]
JUNOS Routing Software Suite [12.3X54-D25.7]

[edit]
ne at ACX1000-lab#

On Sat, Apr 2, 2016 at 2:59 AM, Mark Tinka <mark.tinka at seacom.mu> wrote:

>
>
> On 2/Apr/16 11:04, Saku Ytti wrote:
>
> >
> > I've always wondered why this is a hard problem, especially in the low
> > end? Naively I'd think that from your ASIC you waste one revenue port as
> > host-bound facing and implement normal port ACLs there.
>
> It is exactly for that reason. Vendors will assume all low-end
> requirements place more emphasis on cost than security (however basic)
> or generally well-practiced network operational requirements.
>
> They'll further justify it by saying, "If you want all the bells &
> whistles, we have a box for that".
>
> Mark.
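As an added check (example code, not part of the post or of the device configuration), the following Python models the lo0 filter above term by term with Junos first-match semantics; the sample packets are constructed. It shows SSH and telnet from the trusted /24 accepted, the same ports from anywhere else rejected and logged, and SNMP or HTTP to the RE falling through to default-term, which the filter as written accepts.

```python
"""Offline model of the local_acl filter from the post (added example).
Junos evaluates terms in order; within a term, 'from' conditions of
different kinds are ANDed and several values of one kind (the two 'port'
values) are ORed. The first matching term decides the action."""
import ipaddress

# The filter from the post, transcribed term by term (constructed here).
# ssh = 22 and telnet = 23 are the well-known ports behind the keywords.
LOCAL_ACL = [
    {"name": "terminal_access",
     "address": ["172.17.143.0/24"], "protocol": ["tcp"],
     "port": [22, 23], "then": "accept"},
    {"name": "terminal_access_denied",
     "protocol": ["tcp"], "port": [22, 23], "then": "reject", "log": True},
    {"name": "default-term", "then": "accept"},
]


def term_matches(term, src, proto, dport):
    """True when every 'from' condition present in the term is satisfied.
    Junos 'port' matches source or destination port; host-bound sessions
    toward the RE are modelled by destination port only."""
    if "address" in term and not any(
            ipaddress.ip_address(src) in ipaddress.ip_network(net)
            for net in term["address"]):
        return False
    if "protocol" in term and proto not in term["protocol"]:
        return False
    if "port" in term and dport not in term["port"]:
        return False
    return True


def evaluate(acl, src, proto, dport):
    """Return (action, term_name, logged) for the first matching term."""
    for term in acl:
        if term_matches(term, src, proto, dport):
            return term["then"], term["name"], term.get("log", False)
    return "discard", None, False  # Junos implicit discard when nothing matches


if __name__ == "__main__":
    # Constructed sample packets destined to one of the RE's own addresses.
    samples = [("172.17.143.10", "tcp", 22),   # trusted mgmt host, SSH
               ("198.51.100.7", "tcp", 23),    # untrusted host, telnet
               ("198.51.100.7", "udp", 161),   # untrusted host, SNMP
               ("198.51.100.7", "tcp", 80)]    # untrusted host, HTTP
    for pkt in samples:
        print(pkt, "->", evaluate(LOCAL_ACL, *pkt))
```

The last two samples are the ones to watch: the subject line mentions HTTP and SNMP, but only ssh and telnet are listed in the deny term, so anything else host-bound reaches default-term and is accepted.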

