BTW, this appears to now be fixed in 12.3X54-D25.7.

ne@ACX1000-lab# load set terminal
[Type ^D at a new line to end input]
set firewall family inet filter local_acl term terminal_access from address 172.17.143.0/24
set firewall family inet filter local_acl term terminal_access from protocol tcp
set firewall family inet filter local_acl term terminal_access from port ssh
set firewall family inet filter local_acl term terminal_access from port telnet
set firewall family inet filter local_acl term terminal_access then accept
set firewall family inet filter local_acl term terminal_access_denied from protocol tcp
set firewall family inet filter local_acl term terminal_access_denied from port ssh
set firewall family inet filter local_acl term terminal_access_denied from port telnet
set firewall family inet filter local_acl term terminal_access_denied then log
set firewall family inet filter local_acl term terminal_access_denied then reject
set firewall family inet filter local_acl term default-term then accept
set interfaces lo0 unit 0 family inet filter input local_acl
load complete

[edit]
ne@ACX1000-lab# commit check
configuration check succeeds

[edit]
ne@ACX1000-lab# run show version
Hostname: ACX1000-lab
Model: acx1100
JUNOS Crypto Software Suite [12.3X54-D25.7]
JUNOS Base OS Software Suite [12.3X54-D25.7]
JUNOS Kernel Software Suite [12.3X54-D25.7]
JUNOS Base OS boot [12.3X54-D25.7]
JUNOS Packet Forwarding Engine Support (ACX) [12.3X54-D25.7]
JUNOS Online Documentation [12.3X54-D25.7]
JUNOS Routing Software Suite [12.3X54-D25.7]

[edit]
ne@ACX1000-lab#

On Sat, Apr 2, 2016 at 2:59 AM, Mark Tinka <mark.ti...@seacom.mu> wrote:
>
>
> On 2/Apr/16 11:04, Saku Ytti wrote:
>
> > I've always wondered why this is a hard problem, especially in the low
> > end? Naively I'd think that from your ASIC you waste one revenue port as
> > host-bound facing and implement normal port ACLs there.
>
> It is exactly for that reason.
>
> Vendors will assume all low-end
> requirements place more emphasis on cost than security (however basic)
> or generally well-practiced network operational requirements.
>
> They'll further justify it by saying, "If you want all the bells &
> whistles, we have a box for that".
>
> Mark.
> _______________________________________________
> juniper-nsp mailing list
> juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
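Added example (editor's note, not code from the mail above nor from Juniper): a small Python model of how the posted lo0 input filter is evaluated, to make two things concrete that the set-commands alone do not show. First, Junos terms are evaluated top to bottom with first match winning, so the order terminal_access / terminal_access_denied / default-term is what makes the policy work. Second, the posted filter uses `from port`, which in Junos matches either the source or the destination port; the model therefore also carries the same policy written with `destination-port`, so you can see the difference on the one case where it matters: return traffic of an SSH session the router itself opened to a host outside 172.17.143.0/24. The sample packets, the Term/evaluate helpers and the dict names are all constructed here for illustration; the model only implements the match conditions the posted filter uses (source prefix, protocol, port) plus Junos's implicit discard at the end of a filter.

```python
"""Model first-match evaluation of the lo0 input filter from the mail.

Constructed example; implements only what the posted filter needs:
  - terms are evaluated top to bottom, first match wins;
  - `from port X` matches if the SOURCE or the DESTINATION port is X;
  - `from destination-port X` matches only the destination port;
  - a term with no `from` clause matches every packet;
  - a packet matching no term hits Junos's implicit discard.
"""
import ipaddress
from dataclasses import dataclass, field

SSH, TELNET = 22, 23


@dataclass
class Term:
    name: str
    src_prefixes: list = field(default_factory=list)  # from address ...
    protocols: set = field(default_factory=set)       # from protocol ...
    ports: set = field(default_factory=set)           # from port ... (src OR dst)
    dst_ports: set = field(default_factory=set)       # from destination-port ...
    action: str = "accept"                            # then accept | reject
    log: bool = False                                 # then log

    def matches(self, pkt):
        src, proto, sport, dport = pkt
        if self.src_prefixes and not any(
            ipaddress.ip_address(src) in p for p in self.src_prefixes
        ):
            return False
        if self.protocols and proto not in self.protocols:
            return False
        if self.ports and sport not in self.ports and dport not in self.ports:
            return False
        if self.dst_ports and dport not in self.dst_ports:
            return False
        return True


def evaluate(filter_terms, pkt):
    """Return (term name, action, logged) for the first matching term."""
    for t in filter_terms:
        if t.matches(pkt):
            return t.name, t.action, t.log
    return None, "discard", False  # implicit discard at end of filter


MGMT = [ipaddress.ip_network("172.17.143.0/24")]

# Transcription of the posted filter: `from port` matches either direction.
LOCAL_ACL_AS_POSTED = [
    Term("terminal_access", MGMT, {"tcp"}, ports={SSH, TELNET}),
    Term("terminal_access_denied", protocols={"tcp"}, ports={SSH, TELNET},
         action="reject", log=True),
    Term("default-term"),
]

# Same policy with destination-port: only sessions *to* the RE are filtered.
LOCAL_ACL_DST_PORT = [
    Term("terminal_access", MGMT, {"tcp"}, dst_ports={SSH, TELNET}),
    Term("terminal_access_denied", protocols={"tcp"}, dst_ports={SSH, TELNET},
         action="reject", log=True),
    Term("default-term"),
]

# Constructed sample packets as seen on lo0 input: (src, proto, sport, dport)
SAMPLES = {
    "ssh_from_mgmt":       ("172.17.143.10", "tcp", 51234, SSH),
    "ssh_from_elsewhere":  ("10.9.9.9",      "tcp", 51234, SSH),
    "bgp_peer":            ("10.9.9.9",      "tcp", 179,   42000),
    # reply traffic for an SSH session the router itself opened to 10.9.9.9
    "ssh_reply_to_router": ("10.9.9.9",      "tcp", SSH,   60000),
}


def run(filter_terms):
    """Evaluate every sample packet against one filter; name -> result."""
    return {name: evaluate(filter_terms, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, terms in (("as posted (port)", LOCAL_ACL_AS_POSTED),
                         ("destination-port", LOCAL_ACL_DST_PORT)):
        print(label)
        for name, (term, action, logged) in run(terms).items():
            print(f"  {name:22s} -> {term:24s} {action}"
                  f"{' +log' if logged else ''}")
```

With the filter as posted, the router's own outbound SSH/telnet sessions to hosts outside 172.17.143.0/24 get their replies rejected and logged by terminal_access_denied, because the reply carries source port 22; the destination-port variant leaves those alone and still rejects inbound SSH from anywhere but the management prefix. Whether that is a problem depends on whether the box ever initiates SSH itself (SCP copies, netconf call-home, etc.), which is worth checking before rolling a filter like this out.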