Thanks Ben, I will review those links. I have the MX book and have read a decent portion of it. That's what I was referring to. A quick glance shows some similar examples to what was in the MX book. Same author, so it makes sense.
On Tue, Jan 14, 2014 at 2:52 PM, Ben Dale <bd...@comlinx.com.au> wrote:
>
> On 14 Jan 2014, at 12:31 pm, Mark Tees <markt...@gmail.com> wrote:
>
> > What I was referring to was a detailed ACL/Filter for lo0 that only allows
> > traffic for enabled services on the routing engine.
> >
> > For example, if Juniper posted a firewall filter template with all the
> > possible services, customers could then activate/deactivate what they need
> > from the policy and log fails before discarding etc.
>
> What you think you're after is "show system connections" which is more or
> less "netstat -an" and shows all ports that are listening on your RE - you
> can now filter at will.
>
> Providing a list of every service for people to modify is not going to
> solve these problems - "Oh hey, I'm using NTP, I'd better enable all those
> rules"..
>
> What you actually want is an ACL with ONLY the services you've actually
> configured and understand, from the source/destinations you're using them
> from, and deny all else - then you *mostly* don't need to worry about this
> sort of thing.
>
> If your employer is too tight to spring for the MX book (worth every cent
> and then some), the following free Day One books will provide everything
> you're after (sign up for a J-Net login if you don't already have one):
>
> http://www.juniper.net/us/en/community/junos/training-certification/day-one/fundamentals-series/securing-routing-engine/
> http://www.juniper.net/us/en/community/junos/training-certification/day-one/fundamentals-series/hardening-junos-devices-checklist/
> http://www.juniper.net/us/en/community/junos/training-certification/day-one/fundamentals-series/configuring-junos-policies/
>
> Ben

--
Regards,
Mark L. Tees
_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
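The approach Ben describes (permit only the services the RE actually runs, from the sources that legitimately use them, then discard everything else) looks like the following in Junos configuration. This is an added example, not a filter from the thread or from Juniper's Day One books; the prefix-list contents, the 192.0.2.0/24 management range, the policer rate and the filter name `protect-re` are assumptions for illustration. The BGP and NTP prefix lists use `apply-path` so they track whatever neighbors and servers are configured, which is exactly the "only what you've configured" property Ben is after.

```junos
/* Added example, not from the mailing-list thread. Prefix values, policer
   rate and names are assumed; adapt them to the services the RE really runs
   ("show system connections" lists what is listening). */
policy-options {
    /* Assumed management network that is allowed to SSH to the RE. */
    prefix-list mgmt-hosts {
        192.0.2.0/24;
    }
    /* Built automatically from the configured BGP neighbors. */
    prefix-list bgp-neighbors {
        apply-path "protocols bgp group <*> neighbor <*>";
    }
    /* Built automatically from the configured NTP servers. */
    prefix-list ntp-servers {
        apply-path "system ntp server <*>";
    }
}
firewall {
    policer icmp-policer {
        if-exceeding {
            bandwidth-limit 1m;      /* assumed rate */
            burst-size-limit 100k;
        }
        then discard;
    }
    family inet {
        filter protect-re {
            term allow-bgp {
                from {
                    source-prefix-list {
                        bgp-neighbors;
                    }
                    protocol tcp;
                    port bgp;        /* matches either side of the TCP session */
                }
                then accept;
            }
            term allow-ssh {
                from {
                    source-prefix-list {
                        mgmt-hosts;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term allow-ntp {
                from {
                    source-prefix-list {
                        ntp-servers;
                    }
                    protocol udp;
                    port ntp;
                }
                then accept;
            }
            term allow-icmp {
                from {
                    protocol icmp;
                }
                then {
                    policer icmp-policer;  /* rate-limit rather than trust it */
                    accept;
                }
            }
            /* Everything else: count it, log it, then drop it. */
            term deny-rest {
                then {
                    count deny-rest;
                    log;
                    syslog;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

Two things to check before leaving this in place. First, any connection the RE itself initiates (outbound SSH/SCP, DNS, RADIUS or TACACS+, syslog over TCP) needs its own return-traffic term, or the `deny-rest` term will silently break it; `show firewall filter protect-re` and `show firewall log` will show the drops, which is the point of counting and logging before discarding. Second, this is a `family inet` filter only; if the RE has any IPv6 reachability, a matching `family inet6` filter on lo0 is needed, since an IPv4-only filter leaves every listening socket reachable over IPv6.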