[j-nsp] Block externals ip to firewall srx240

Alexander Arseniev arseniev at btinternet.com
Tue Jan 10 16:50:46 EST 2017


Hello,

Last time I checked, the order of operations on branch SRX is:

1/ input interface filter

2/ self-traffic policy

3/ junos-host zone policy

4/ loopback filter

Hence, the most CPU-effective way is to use interface filter to drop early.
HTH
Thx
Alex
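As an added example (not configuration posted by anyone in this thread), the set-style Junos configuration that implements Alex's recommendation: an input filter on the untrust interface that discards SSH and HTTPS aimed at the device's own address, so those packets are dropped before they reach the self-traffic policy, junos-host zone policy, or lo0 filter. The interface ge-0/0/0, the address 192.0.2.1, and the filter and counter names are placeholders chosen for this example.

```junos
# Interface input filters on SRX see transit traffic as well as traffic to the
# device itself, so match only the interface's own address (placeholder 192.0.2.1/32).
set firewall family inet filter PROTECT-SELF-UNTRUST term drop-mgmt-to-self from destination-address 192.0.2.1/32
set firewall family inet filter PROTECT-SELF-UNTRUST term drop-mgmt-to-self from protocol tcp
set firewall family inet filter PROTECT-SELF-UNTRUST term drop-mgmt-to-self from destination-port [ ssh https ]
# Count and log before discarding so attempts are visible in 'show firewall' output.
set firewall family inet filter PROTECT-SELF-UNTRUST term drop-mgmt-to-self then count mgmt-from-untrust
set firewall family inet filter PROTECT-SELF-UNTRUST term drop-mgmt-to-self then log
set firewall family inet filter PROTECT-SELF-UNTRUST term drop-mgmt-to-self then discard

# A filter ends with an implicit discard; without this final accept term every
# transit packet entering the untrust interface would be dropped too.
set firewall family inet filter PROTECT-SELF-UNTRUST term allow-transit then accept

# Apply as an input filter on the untrust-facing interface (placeholder ge-0/0/0).
set interfaces ge-0/0/0 unit 0 family inet filter input PROTECT-SELF-UNTRUST

# Verification after commit: the counter increments and the log shows each discarded attempt.
# run show firewall filter PROTECT-SELF-UNTRUST
# run show firewall log
```

Management from the trust side is unaffected because the filter is bound only to the untrust interface; combining it with Karsten's suggestion of leaving ssh and https out of the untrust zone's host-inbound-traffic system-services gives a second layer should the filter ever be removed.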

On 10/01/2017 19:18, Karsten Thomann wrote:
> I would use Junos-host if the device needs to be managed from the untrust
> network. I have the impression it shouldn't be possible to manage it at all
> from the untrust zone, and then I would disable all management protocols from
> the system-service section within the untrust zone.
>
> Karsten
>
> Am Dienstag, 10. Januar 2017, 10:09:37 schrieb Kevin Shymkiw:
>> My apologies - it is called the junos-host zone at this point:
>>
>> https://kb.juniper.net/InfoCenter/index?page=content&id=KB24227&actp=search
>>
>> Kevin
>>
>> On Tue, Jan 10, 2017 at 10:07 AM, Kevin Shymkiw <kshymkiw at gmail.com> wrote:
>>> David,
>>>
>>> https://www.juniper.net/documentation/en_US/junos12.1x44/topics/concept/security-policy-for-self-traffic-understanding.html
>>>
>>> It is called self-traffic-policy. If your version doesn't support this,
>>> then you would need to do the old-school method of using a firewall filter
>>> on lo0.
>>>
>>> Kevin
>>>
>>> On Tue, Jan 10, 2017 at 9:45 AM, David Samaniego <david1984ba at gmail.com> wrote:
>>>> Hi,
>>>>
>>>> I have a Juniper SRX240 in firewall mode. I created an Untrust zone to
>>>> control the traffic access from the Internet to my LAN. All works fine, but I
>>>> need to block all the connections to my device, for example block SSH or
>>>> HTTPS. The idea is to deny all attempts to manage my device through the
>>>> Internet.
>>>>
>>>> I tried to create a policy to deny all the inbound traffic to my
>>>> interface IP (Untrust zone), but it doesn't work and keeps allowing the access.
>>>>
>>>> Any idea how to implement my idea?
>>>>
>>>> Thanks.
>>>>
>>>> Sebastián
>>>> _______________________________________________
>>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
