[j-nsp] ACX control plane filter
Aaron Gould
aaron1 at gvtc.com
Mon Mar 20 23:45:55 EDT 2017
Here's how I block telnet and ssh.... I have to add a firewall
destination-address entry for each local route that I do not want accessible
for telnet and ssh...and then apply it to the forwarding plane of the
routing-instance that these addresses belong to.
set firewall family inet filter protect-5048 term 1 from destination-address 172.16.220.1/32
set firewall family inet filter protect-5048 term 1 from destination-address 172.16.224.1/32
set firewall family inet filter protect-5048 term 1 from destination-address 1.2.177.129/32
set firewall family inet filter protect-5048 term 1 from destination-address 1.2.224.129/32
set firewall family inet filter protect-5048 term 1 from destination-address 38.128.139.193/32
set firewall family inet filter protect-5048 term 1 from protocol tcp
set firewall family inet filter protect-5048 term 1 from destination-port telnet
set firewall family inet filter protect-5048 term 1 from destination-port ssh
set firewall family inet filter protect-5048 term 1 then count protect-5048-counter
set firewall family inet filter protect-5048 term 1 then discard
set firewall family inet filter protect-5048 term 2 then accept
set routing-instances one forwarding-options family inet filter input protect-5048
Model: acx5048
Junos: 15.1X54-D20.7
https://kb.juniper.net/InfoCenter/index?page=content&id=KB28893&actp=RSS
...says it was fixed to work on loopback in 12.3X54-D25.7...I haven't tested
it myself though...
https://lists.gt.net/nsp/juniper/57674
- Aaron
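
The approach in the post needs one destination-address entry per local address, so an address configured later stays reachable on telnet/ssh until the term is updated. The following is an added example, not part of the original post, that audits a `set`-format configuration for that gap; the interface lines and the 10.9.9.1 address are constructed sample data, and the function name is hypothetical.

```python
import ipaddress
import re

# Constructed sample: filter lines follow the post; the interface lines and
# 10.9.9.1 are invented here to show an address missing from the term.
SAMPLE = """\
set firewall family inet filter protect-5048 term 1 from destination-address 172.16.220.1/32
set firewall family inet filter protect-5048 term 1 from destination-address 172.16.224.1/32
set firewall family inet filter protect-5048 term 1 from protocol tcp
set firewall family inet filter protect-5048 term 1 from destination-port telnet
set firewall family inet filter protect-5048 term 1 from destination-port ssh
set firewall family inet filter protect-5048 term 1 then discard
set firewall family inet filter protect-5048 term 2 then accept
set routing-instances one forwarding-options family inet filter input protect-5048
set routing-instances one interface ge-0/0/1.0
set routing-instances one interface ge-0/0/2.0
set routing-instances one interface ge-0/0/3.0
set interfaces ge-0/0/1 unit 0 family inet address 172.16.220.1/24
set interfaces ge-0/0/2 unit 0 family inet address 172.16.224.1/24
set interfaces ge-0/0/3 unit 0 family inet address 10.9.9.1/30
"""

def uncovered_local_addresses(config, instance, filter_name, term):
    """Return (interface, ip) pairs in `instance` that the filter term does not match."""
    dst_re = re.compile(
        rf"^set firewall family inet filter {re.escape(filter_name)} "
        rf"term {re.escape(term)} from destination-address (\S+)$", re.M)
    covered = [ipaddress.ip_network(p, strict=False) for p in dst_re.findall(config)]
    ifl_re = re.compile(rf"^set routing-instances {re.escape(instance)} interface (\S+)$", re.M)
    members = set(ifl_re.findall(config))  # logical interfaces placed in the instance
    addr_re = re.compile(r"^set interfaces (\S+) unit (\d+) family inet address (\S+)", re.M)
    missing = []
    for ifd, unit, addr in addr_re.findall(config):
        if f"{ifd}.{unit}" not in members:
            continue  # address belongs to another instance or the main table
        local = ipaddress.ip_interface(addr).ip  # the router's own address on that subnet
        if not any(local in net for net in covered):
            missing.append((f"{ifd}.{unit}", str(local)))
    return missing

if __name__ == "__main__":
    for ifl, ip in uncovered_local_addresses(SAMPLE, "one", "protect-5048", "1"):
        print(f"{ifl}: {ip} is not in the telnet/ssh discard term")
```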