On Jan 30, 2012, at 1:05 AM, Per Granath wrote:

>> I'm trying a basic filter to deny traffic to lo0.
>> SSH, OSPF and ICMP are allowed.
>>
>> It doesn't work, it allows all traffic.
>>
>> Same filter works on a ge-interface.
>>
>> ge-1/0/0 {
>>     unit 0 {
>>         family inet {
>>             filter {
>>                 input admin-access;
>>             }
>>             address 10.1.1.1/29;
>>         }
>>     }
>> }
>> lo0 {
>>     unit 0 {
>>         family inet {
>>             filter {
>>                 input admin-access;
>>             }
>>             address 10.2.1.1/32;
>>         }
>>     }
>> }
>>
>> firewall {
>>     family inet {
>>         filter admin-access {
>>             term ssh-access {
>>                 from {
>>                     address {
>>                         10.1.2.0/24;
>>                     }
>>                 }
>>                 then accept;
>>             }
>
> You only need it applied on the lo0 interface.
> For ssh, change "address" to "source-address", since just "address" means
> either source or destination.
> Also, add "protocol ssh" to that from statement.
There's no "protocol ssh". You want "protocol tcp" and "destination-port ssh":

[edit firewall family inet filter admin-access]
user@host# show
term ssh-access {
    from {
        source-address {
            10.1.2.0/24;
        }
        protocol tcp;
        destination-port ssh;
    }
    then accept;
}

--Stacy

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
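For reference, a complete version of the lo0 filter the thread is working toward (SSH only from the management subnet, OSPF and ICMP accepted, everything else dropped and counted), written here as an added example rather than taken from either reply. The filter name and the 10.1.2.0/24 prefix come from the thread; the ospf, icmp and deny-rest term names and the counter name are assumed.

```junos
/* Added example: admin-access filter for host-bound traffic on lo0.
   Filter name and 10.1.2.0/24 come from the thread; term and
   counter names are assumed. */
firewall {
    family inet {
        filter admin-access {
            term ssh-access {
                from {
                    source-address {
                        10.1.2.0/24;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term ospf {
                from {
                    protocol ospf;
                }
                then accept;
            }
            term icmp {
                from {
                    protocol icmp;
                }
                then accept;
            }
            /* Junos discards anything no term accepted; an explicit
               final term makes the drops visible in the counter. */
            term deny-rest {
                then {
                    count denied-to-re;
                    log;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input admin-access;
                }
            }
        }
    }
}
```

Apply it with `commit confirmed` so a mistake in the source-address term cannot lock you out of the box; the copy on ge-1/0/0 is unnecessary, since every packet addressed to the routing engine passes the lo0 filter regardless of the ingress interface.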