On Thursday 21 February 2008, Chuck Anderson wrote:

> Instead of blocking SSH on every link, block it on lo0.
> Firewall filters applied to the lo0 interface are applied
> to the Routing Engine itself. Be careful if you apply
> filters here--be sure to allow any routing protocols into
> the Routing Engine, or they will break.
On this thread, just for reference, I see the following protocols as those that would (need to) be allowed when protecting the RE:

* SSH
* Telnet (don't recommend if you can avoid it)
* SNMP
* NTP
* RADIUS
* TACACS+
* ICMP
* IP Routing protocols (those you use, anyway)
* Multicast control
* LDP/RSVP
* FTP
* VRRP
* DNS
* Layer 2 protocols (as necessary)

Are there any other protocols/applications that could be added to this list - perhaps to build a BCP for RE protection in typical service provider environments.

Conversely, I think it would scale better if rather than allowing specifically, we restricted specifically. Else, it would potentially be more difficult to scale RE protection across multiple nodes if an operator had to explicitly allow for a new protocol/application when the network decided to support it.

Cheers,

Mark.
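As an added example (not from Chuck or Mark, and not vendor-supplied configuration), here is what the allow-list form of the lo0 filter described above looks like on Junos for the protocols in Mark's list. Routing protocols are accepted in the first terms so the failure mode Chuck warns about cannot happen by accident, management traffic is restricted to a source prefix, and a final term counts, logs and discards everything else. The prefix-list names, the 192.0.2.0/24 management range and the lo0 address are constructed placeholders; Telnet is deliberately left out, and Layer 2 protocols are not matched by a `family inet` filter at all. The `apply-path` prefix lists are the one thing that eases Mark's scaling concern: BGP neighbours, NTP, DNS, RADIUS, TACACS+ and SNMP peers are taken from the rest of the configuration, so adding a peer does not require editing the filter.

```junos
/* Added example: allow-list Routing Engine protection on lo0. */
/* Names, the management prefix and the lo0 address are constructed. */
policy-options {
    prefix-list mgmt-hosts {
        /* constructed: management stations allowed to SSH/FTP to the RE */
        192.0.2.0/24;
    }
    /* apply-path derives peer lists from the live configuration */
    prefix-list bgp-neighbors { apply-path "protocols bgp group <*> neighbor <*>"; }
    prefix-list ntp-servers { apply-path "system ntp server <*>"; }
    prefix-list dns-servers { apply-path "system name-server <*>"; }
    prefix-list radius-servers { apply-path "system radius-server <*>"; }
    prefix-list tacacs-servers { apply-path "system tacplus-server <*>"; }
    prefix-list snmp-clients { apply-path "snmp community <*> clients <*>"; }
}
firewall {
    /* rate-limit the ICMP types we accept so they cannot load the RE */
    policer icmp-limit {
        if-exceeding { bandwidth-limit 1m; burst-size-limit 15k; }
        then discard;
    }
    family inet {
        filter protect-re {
            /* routing and control protocols first, so nothing below can starve them */
            term ospf { from { protocol ospf; } then accept; }
            term bgp { from { source-prefix-list { bgp-neighbors; } protocol tcp; port bgp; } then accept; }
            term ldp { from { protocol [ tcp udp ]; port ldp; } then accept; }
            term rsvp { from { protocol rsvp; } then accept; }
            term vrrp { from { protocol vrrp; } then accept; }
            term multicast-control { from { protocol [ pim igmp ]; } then accept; }
            term icmp {
                from {
                    protocol icmp;
                    icmp-type [ echo-request echo-reply unreachable time-exceeded ];
                }
                then { policer icmp-limit; accept; }
            }
            /* management plane: SSH and FTP only from the management prefix */
            term mgmt {
                from {
                    source-prefix-list { mgmt-hosts; }
                    protocol tcp;
                    destination-port [ ssh ftp ftp-data ];
                }
                then accept;
            }
            term snmp { from { source-prefix-list { snmp-clients; } protocol udp; destination-port snmp; } then accept; }
            /* sessions the RE initiates: only replies from the configured servers */
            term ntp { from { source-prefix-list { ntp-servers; } protocol udp; port ntp; } then accept; }
            term dns { from { source-prefix-list { dns-servers; } protocol [ tcp udp ]; source-port domain; } then accept; }
            term radius { from { source-prefix-list { radius-servers; } protocol udp; source-port [ radius radacct ]; } then accept; }
            term tacacs { from { source-prefix-list { tacacs-servers; } protocol tcp; source-port tacacs; } then accept; }
            /* everything else is counted, logged and dropped; watch this counter after commit */
            term default { then { count re-discards; syslog; discard; } }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter { input protect-re; }
                /* constructed loopback address */
                address 203.0.113.1/32;
            }
        }
    }
}
```

After committing, `show firewall filter protect-re` shows the `re-discards` counter and the syslog entries identify any protocol that was forgotten; a `commit confirmed` is the usual safety net, since a term ordering mistake here locks the operator out together with the routing protocols.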
_______________________________________________ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp