[j-nsp] rest api - limit ip sources

Martin Tonusoo martin at jumation.com
Wed Jan 22 19:41:01 EST 2020


Hi Aaron,

> Anyone know how to limit ip addresses *in subnet notation* that are able
> to communicate with the rest api ?

This does not seem to be possible with "allowed-sources". IPv4 addresses
specified under "allowed-sources" are used in the /mfs/var/etc/lighttpd.conf
configuration file in a regular-expression not-match (!~), which does not
support subnet masks. In theory, one could specify the network as a regex, but
this is not supported by the Junos XML Schema, which requires the value of
"allowed-sources" to be ipv4addr
(https://www.juniper.net/documentation/en_US/junos-sdk/10.2/DDLRefGuide/op_type_ip_addresses.html),
i.e. the only value "allowed-sources" accepts is an IPv4 address.

Can't you use RE firewall filters?

In addition, at least in Junos 18.2R1.9 the filtering implementation based
on the client IPv4 address is faulty. For example, if one allows the following
two addresses:

user> show configuration system services rest control
allowed-sources [ 10.5.5.123 10.5.5.25 ];

user>

... then this translates to the lighttpd conditional configuration below:

root@:/var/home/user # head -4 /mfs/var/etc/lighttpd.conf
server.document-root = "/www/null"
$HTTP["remoteip"] !~ "10.5.5.25|10.5.5.123" {
    url.access-deny = ( "" )
}
root@:/var/home/user #

However, this doesn't permit just 10.5.5.123 and 10.5.5.25, but also, for
example, 10.5.5.250 or 10.5.5.254.


WBR,
Martin
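The unanchored-regex behaviour described in the post, reproduced as an added Python example (not code from the post, from Junos or from lighttpd): the generated `!~ "10.5.5.25|10.5.5.123"` rule is modelled as a substring search, next to an anchored/escaped variant and a subnet check of the kind an RE firewall filter provides; the sample addresses are the ones from the post.

```python
import ipaddress
import re

# Constructed sample: the two addresses from the post's "allowed-sources" statement.
ALLOWED = ["10.5.5.25", "10.5.5.123"]


def lighttpd_denies(remote_ip: str, allowed=ALLOWED) -> bool:
    """Model of the generated rule  $HTTP["remoteip"] !~ "a|b".

    The addresses are joined verbatim: dots are not escaped and the
    alternation is not anchored, so any allowed address that occurs as a
    substring of the client address is enough to pass the check."""
    pattern = "|".join(allowed)
    return re.search(pattern, remote_ip) is None


def anchored_denies(remote_ip: str, allowed=ALLOWED) -> bool:
    """What the rule would need to be to match whole addresses only:
    every address escaped and the alternation anchored at both ends."""
    pattern = "^(?:" + "|".join(re.escape(a) for a in allowed) + ")$"
    return re.search(pattern, remote_ip) is None


def subnet_denies(remote_ip: str, allowed_prefixes) -> bool:
    """Subnet-notation check (what the original question asked for).

    This is the semantics of a firewall-filter source-address match;
    "allowed-sources" cannot express it because its type is ipv4addr."""
    ip = ipaddress.ip_address(remote_ip)
    return not any(ip in ipaddress.ip_network(p, strict=False)
                   for p in allowed_prefixes)


if __name__ == "__main__":
    for ip in ["10.5.5.123", "10.5.5.25", "10.5.5.250", "10.5.5.254", "10.5.5.1"]:
        print(f"{ip:12} lighttpd-denied={lighttpd_denies(ip)!s:5} "
              f"anchored-denied={anchored_denies(ip)}")
```

Running the block prints that 10.5.5.250 and 10.5.5.254 are not denied by the modelled rule but are denied by the anchored one.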

