[j-nsp] firewall filter misses connected interface addresses
Mike
mike+lists at yourtownonline.com
Mon Dec 9 10:42:02 EST 2019
Hello,
I have a problem getting Junos to filter out admin access to my router
from unauthorized addresses.
I have some addresses bound to lo0.0 which I am advertising internally
in my IGP, and which are the 'official' addresses used for SNMP, SSH and
BGP to the router.
I also have firewall filters that limit access to these protocols using
prefix lists and such, and these filters are applied to lo0.0. The
filters work, and I can observe log messages for invalid accesses to the
protocols from unauthorized IP addresses. HOWEVER, SNMP/SSH/BGP access
to other IP addresses bound on the router, such as Ethernet interface
addresses, is still being allowed. I thought, according to various
Junos docs, that applying a filter to lo0.0 filters packets destined
locally to the box regardless of the actual interface. Could use some help.
Here is the filter for SSH/telnet/SNMP:
term allowed-login {
    from {
        prefix-list {
            admin-hosts;
        }
        protocol tcp;
        destination-port [ ssh telnet ];
    }
    then accept;
}
term no-other-logins {
    from {
        protocol tcp;
        destination-port [ ssh telnet ];
    }
    then {
        count bad-admin-access;
        log;
        discard;
    }
}
term allowed-snmp {
    from {
        prefix-list {
            network-mgmt-stations;
        }
        protocol udp;
        destination-port snmp;
    }
    then accept;
}
term no-more-snmp {
    from {
        protocol udp;
        destination-port snmp;
    }
    then {
        count bad-snmp-access;
        log;
        syslog;
        discard;
    }
}
term allow-peers {
    from {
        source-prefix-list {
            bgp-peers;
        }
        protocol tcp;
        destination-port bgp;
    }
    then accept;
}
term no-other-peers {
    from {
        protocol tcp;
        destination-port bgp;
    }
    then {
        count bad-bgp-connect;
        discard;
    }
}
Here is the config for lo0.0:
family inet {
    filter {
        input-list [ limit-admin limit-bgp ALLOW ];
    }
    address blah1/32;
    address blah2/32;
    address blah3/32 {
        primary;
        preferred;
    }
}
Thank you.
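As an added example (editor's code, not from Mike's post and not a Juniper tool), here is a small Python linter that parses the brace-structured filter text above and flags two things a reviewer would check before blaming where the filter is applied: a term that matches on `prefix-list` (which in a Junos firewall filter matches the source OR the destination address) where `source-prefix-list` (source only) is the usual intent, and a `discard` term with neither `log` nor `syslog`, which drops traffic without recording who tried. The sample embedded in the script is three of the posted terms copied verbatim; the filter name that wraps them is not shown in the post, so the terms sit at top level, and the parser only handles the subset of Junos config syntax the post uses.

```python
"""Junos firewall-filter lint (added example; not the poster's or Juniper's code).

Checks, per term:
  * `from prefix-list X` matches source OR destination address, whereas
    `from source-prefix-list X` matches the source only.
  * a `discard` term with neither `log` nor `syslog` gives no visibility.
Only the config syntax subset used in the post is handled.
"""
from typing import List, Optional, Tuple

# Three of the posted terms, copied from the post. The enclosing filter name
# is not shown there, so the terms are parsed at top level.
SAMPLE_FILTER = """
term allowed-login {
    from {
        prefix-list {
            admin-hosts;
        }
        protocol tcp;
        destination-port [ ssh telnet ];
    }
    then accept;
}
term allow-peers {
    from {
        source-prefix-list {
            bgp-peers;
        }
        protocol tcp;
        destination-port bgp;
    }
    then accept;
}
term no-other-peers {
    from {
        protocol tcp;
        destination-port bgp;
    }
    then {
        count bad-bgp-connect;
        discard;
    }
}
"""


class Node:
    """One `name { ... }` block: nested blocks plus `key value;` statements."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.children: List["Node"] = []
        self.statements: List[Tuple[str, Optional[str]]] = []

    def child(self, keyword: str) -> Optional["Node"]:
        """Return the nested block whose first word is `keyword`, if any."""
        for c in self.children:
            if c.name == keyword or c.name.startswith(keyword + " "):
                return c
        return None


def parse(text: str) -> Node:
    """Parse Junos-style brace config into a Node tree; raises on bad input."""
    root = Node("root")
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):                     # open a nested block
            node = Node(line[:-1].strip())
            stack[-1].children.append(node)
            stack.append(node)
        elif line == "}":                          # close it
            if len(stack) == 1:
                raise ValueError("unexpected closing brace")
            stack.pop()
        elif line.endswith(";"):                   # `key value;` statement
            key, _, value = line[:-1].partition(" ")
            stack[-1].statements.append((key, value.strip() or None))
        else:
            raise ValueError(f"unparsed line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return root


def lint(text: str) -> List[Tuple[str, str]]:
    """Return (term name, finding) pairs for the two checks above."""
    findings: List[Tuple[str, str]] = []
    for term in parse(text).children:
        if not term.name.startswith("term "):
            continue
        name = term.name.split(" ", 1)[1]
        frm = term.child("from")
        if frm is not None and frm.child("prefix-list") is not None:
            findings.append((name, "prefix-list matches source OR destination;"
                                   " use source-prefix-list"))
        then = term.child("then")
        if then is not None:                       # `then { ... }` block form
            actions = [k for k, _ in then.statements]
        else:                                      # `then accept;` one-liner
            actions = [v for k, v in term.statements if k == "then"]
        if "discard" in actions and not {"log", "syslog"} & set(actions):
            findings.append((name, "discard without log/syslog"))
    return findings


if __name__ == "__main__":
    for term_name, msg in lint(SAMPLE_FILTER):
        print(f"{term_name}: {msg}")
```

Run against the sample it flags allowed-login (prefix-list) and no-other-peers (silent discard) and leaves allow-peers alone; paste any other filter body into SAMPLE_FILTER to lint it.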