True, I have seen those. I understand I would need to think of everything needed. So even OSPF, BGP, basically any protocol I would use. But I don't need to worry about traffic transiting the switch such as customer services, like http, ftp, etc. Correct?
Thanks,
Brendan

----- Original Message -----
From: "Stefan Fouant" <sfou...@gmail.com>
To: "Brendan Mannella" <bmanne...@teraswitch.com>, "juniper-nsp" <juniper-nsp@puck.nether.net>
Sent: Friday, May 22, 2009 10:57:42 AM GMT -05:00 US/Canada Eastern
Subject: Re: [j-nsp] SSH Filter

That filter would certainly do what you want, but I would strongly advise against using an accept-all term as your last term. If you truly want to take a hardened control plane security posture, why not allow that which is specifically required and drop the rest? Team Cymru has some good control plane filter templates available on their website.

Regards,

On 5/22/09, Brendan Mannella <bmanne...@teraswitch.com> wrote:
>
> All, I know this has been covered a million times, but I just wanted to
> check with the list to see if this is the best/recommended way to restrict
> ssh access to an EX switch. I did google this, but noticed people doing it
> different ways.
>
> set firewall family inet filter RE_FILTER term SSH from source-address 10.0.0.1/32
> set firewall family inet filter RE_FILTER term SSH from source-address 10.0.0.2/32
> set firewall family inet filter RE_FILTER term SSH from protocol tcp
> set firewall family inet filter RE_FILTER term SSH from destination-port 22
> set firewall family inet filter RE_FILTER term SSH then accept
> set firewall family inet filter RE_FILTER term SSH_BLOCK from protocol tcp
> set firewall family inet filter RE_FILTER term SSH_BLOCK from destination-port 22
> set firewall family inet filter RE_FILTER term SSH_BLOCK then discard
> set firewall family inet filter RE_FILTER term everything-else then accept
> set interfaces lo0 unit 0 family inet filter input RE_FILTER
>
> Please Advise.
>
> Thanks,
>
> Brendan Mannella
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>

--
Sent from Gmail for mobile | mobile.google.com

Stefan Fouant
Stay the patient course. Of little worth is your ire. The network is down.
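As an added illustration of Stefan's "allow what is required, drop the rest" advice (example configuration written for this thread, not taken from the list or from Team Cymru's templates), here is the same lo0 filter rebuilt with an explicit final discard. The management hosts 10.0.0.1 and 10.0.0.2 come from Brendan's filter; the BGP-PEERS prefix, the OSPF term and the ICMP term are assumptions standing in for whatever this particular switch actually runs, and the `#` lines are annotations to strip before `load set`.

```junos
# Assumption: MGMT-HOSTS reuses the two addresses from the original filter;
# BGP-PEERS is a placeholder prefix, replace it with the real peer addresses.
set policy-options prefix-list MGMT-HOSTS 10.0.0.1/32
set policy-options prefix-list MGMT-HOSTS 10.0.0.2/32
set policy-options prefix-list BGP-PEERS 192.0.2.0/24

# SSH to the RE only from the management hosts
set firewall family inet filter RE_PROTECT term ssh-mgmt from source-prefix-list MGMT-HOSTS
set firewall family inet filter RE_PROTECT term ssh-mgmt from protocol tcp
set firewall family inet filter RE_PROTECT term ssh-mgmt from destination-port ssh
set firewall family inet filter RE_PROTECT term ssh-mgmt then accept

# OSPF (IP protocol 89) exchanged between the switch and its neighbours
set firewall family inet filter RE_PROTECT term ospf from protocol ospf
set firewall family inet filter RE_PROTECT term ospf then accept

# BGP from configured peers only; "port" matches source or destination 179,
# so the session is covered whichever end opened it
set firewall family inet filter RE_PROTECT term bgp from source-prefix-list BGP-PEERS
set firewall family inet filter RE_PROTECT term bgp from protocol tcp
set firewall family inet filter RE_PROTECT term bgp from port bgp
set firewall family inet filter RE_PROTECT term bgp then accept

# Basic ICMP so path MTU discovery and troubleshooting keep working
set firewall family inet filter RE_PROTECT term icmp from protocol icmp
set firewall family inet filter RE_PROTECT term icmp from icmp-type [ echo-request echo-reply unreachable time-exceeded ]
set firewall family inet filter RE_PROTECT term icmp then accept

# Replies to the switch's own outbound sessions (DNS, NTP, RADIUS/TACACS+,
# SNMP, ...) also arrive through lo0: add one term per service actually used.
# Transit customer traffic (HTTP, FTP, ...) never hits this filter, only
# packets addressed to the switch itself do.

# Explicit final deny, counted so a forgotten protocol shows up in
# "show firewall" rather than as a silently broken session
set firewall family inet filter RE_PROTECT term deny-rest then count RE_PROTECT_DROPPED
set firewall family inet filter RE_PROTECT term deny-rest then discard

set interfaces lo0 unit 0 family inet filter input RE_PROTECT
```

Apply it with `commit confirmed` so that a missing term cannot lock you out of the box, and watch the RE_PROTECT_DROPPED counter for a while before removing the confirmation window.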