[j-nsp] ACX control plane filter

Aaron Gould aaron1 at gvtc.com
Mon Mar 20 23:45:55 EDT 2017


Here's how I block telnet and ssh... I have to add a firewall
destination-address entry for each local route that I do not want accessible
for telnet and ssh... and then apply it to the forwarding plane of the
routing-instance that these addresses belong to.


set firewall family inet filter protect-5048 term 1 from destination-address 172.16.220.1/32
set firewall family inet filter protect-5048 term 1 from destination-address 172.16.224.1/32
set firewall family inet filter protect-5048 term 1 from destination-address 1.2.177.129/32
set firewall family inet filter protect-5048 term 1 from destination-address 1.2.224.129/32
set firewall family inet filter protect-5048 term 1 from destination-address 38.128.139.193/32
set firewall family inet filter protect-5048 term 1 from protocol tcp
set firewall family inet filter protect-5048 term 1 from destination-port telnet
set firewall family inet filter protect-5048 term 1 from destination-port ssh
set firewall family inet filter protect-5048 term 1 then count protect-5048-counter
set firewall family inet filter protect-5048 term 1 then discard
set firewall family inet filter protect-5048 term 2 then accept
set routing-instances one forwarding-options family inet filter input protect-5048
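The filter above has two maintenance costs: every new local address must be added by hand, and it blocks telnet/ssh from everywhere, including the operator's own management network. The variant below is an added example, not Aaron's config, that moves the address list into a prefix-list (optionally auto-populated with apply-path from the configured interface addresses) and adds an allow term for a management source range. The management range 192.0.2.0/24, the prefix-list name protect-5048-local and the term names are assumptions; whether apply-path expansion is honoured by the forwarding-options filter on this ACX/Junos release is also an assumption and should be confirmed with "show firewall filter protect-5048" counters before relying on it.

```junos
# Added example (not from the original post). Addresses and the management
# range 192.0.2.0/24 are placeholders; replace them with your own.

# Local addresses that should not answer telnet/ssh from arbitrary sources.
# Either list them explicitly...
set policy-options prefix-list protect-5048-local 172.16.220.1/32
set policy-options prefix-list protect-5048-local 172.16.224.1/32
# ...or let Junos build the list from every configured inet interface address
# (assumption: apply-path expansion works for this filter on this platform).
set policy-options prefix-list protect-5048-local apply-path "interfaces <*> unit <*> family inet address <*>"

# Term 1: permit management traffic from the trusted source range only.
set firewall family inet filter protect-5048 term allow-mgmt from source-address 192.0.2.0/24
set firewall family inet filter protect-5048 term allow-mgmt from destination-prefix-list protect-5048-local
set firewall family inet filter protect-5048 term allow-mgmt from protocol tcp
set firewall family inet filter protect-5048 term allow-mgmt from destination-port [ telnet ssh ]
set firewall family inet filter protect-5048 term allow-mgmt then accept

# Term 2: count and drop telnet/ssh to local addresses from anyone else.
# The counter is what you watch to see the filter is actually matching.
set firewall family inet filter protect-5048 term block-mgmt from destination-prefix-list protect-5048-local
set firewall family inet filter protect-5048 term block-mgmt from protocol tcp
set firewall family inet filter protect-5048 term block-mgmt from destination-port [ telnet ssh ]
set firewall family inet filter protect-5048 term block-mgmt then count protect-5048-counter
set firewall family inet filter protect-5048 term block-mgmt then discard

# Term 3: everything else (transit and other services) passes unchanged.
set firewall family inet filter protect-5048 term default then accept

# Same attachment point as the original: the forwarding plane of the
# routing-instance that owns these addresses.
set routing-instances one forwarding-options family inet filter input protect-5048
```

Commit with "commit confirmed" from a session that originates inside the allowed source range; if the allow term is wrong you lose the session and the commit rolls back on its own. Term order matters: the allow term must precede the discard term, since Junos evaluates terms top to bottom and stops at the first match.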

Model: acx5048

Junos: 15.1X54-D20.7



https://kb.juniper.net/InfoCenter/index?page=content&id=KB28893&actp=RSS

...says it was fixed to work on loopback in 12.3X54-D25.7... I haven't tested
it myself though...
https://lists.gt.net/nsp/juniper/57674

- Aaron


