Assuming an MX, the filter can be applied to the loopback interface. This will effectively provide a "system wide" filter. Yes, you would need to allow for control-plane protocols and such. Doug Hanks' MX book has a very excellent layout of this methodology:
https://www.safaribooksonline.com/library/view/juniper-mx-series/9781449358143/ch04s01.html

It also goes into methods of using dynamic prefix filters that update whenever a new interface (address) or bgp peer or whatever is added. That all works pretty well on MX gear, EX is a bit of a different beast and your filter space is much much smaller.

Hope that helps a bit,
--chip

On Mon, Jul 25, 2016 at 4:55 PM, Jason Lixfeld <jason-j...@lixfeld.ca> wrote:
> Hi,
>
> I'm trying to write filters to prevent management access to my system
> (ssh, SNMP, etc), and I'm unsure about where to apply them.
>
> Let's assume I have IPs configured on a bunch of interfaces, both physical
> and logical, and I don't want the majority of them to be able to accept
> management attempts to my system.
>
> One way to prevent this is to apply a filter to each interface where
> there is an IP configured, but I can't imagine that scales very well.
>
> Another way I was reading about is to apply a filter via
> forwarding-options:
>
> set forwarding-options family inet filter <filter_name>
>
> Is this an appropriate way to accomplish this, or should I be looking at a
> different method?
>
> If this is acceptable, my next question is bound to be how a system-wide
> filter like that would affect protocols that actually need to talk to the
> RE, like BFD, ISIS, BGP, etc., but maybe I can leave that for another
> thread :)
>
> Previously, I tried to apply filters to various lo0 units, thinking those
> were the only interface to the RE, but that didn't seem to help for cases
> where the IPs were applied to interfaces other than lo0 units. And I
> haven't been able to find a way to apply a filter or client list
> specifically to the ssh service itself like you can with snmp, for example.
>
> Thanks in advance.
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp

--
Just my $.02, your mileage may vary, batteries not included, etc....
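The lo0-based approach chip describes, written out as an added example. This is not configuration from the thread, from the book linked above, or from Juniper; it assumes the interface addresses live in the default routing instance (whose RE-bound traffic the lo0.0 input filter sees regardless of which interface the packet arrived on), and the names PROTECT-RE, MGMT-HOSTS, BGP-PEERS and the 192.0.2.0/24 management prefix are constructed for illustration. The BGP-PEERS prefix-list uses apply-path so it follows the configured neighbors automatically, which is the "dynamic prefix filter" idea chip mentions.

```junos
/* Added example, not from the thread: lo0 input filter protecting the RE.
   PROTECT-RE, MGMT-HOSTS, BGP-PEERS and 192.0.2.0/24 are assumed names/values. */
policy-options {
    /* Management stations allowed to reach ssh/SNMP/NETCONF on any local address */
    prefix-list MGMT-HOSTS {
        192.0.2.0/24;
    }
    /* Dynamic list built from the BGP configuration: a newly added
       neighbor is covered without touching the filter */
    prefix-list BGP-PEERS {
        apply-path "protocols bgp group <*> neighbor <*>";
    }
}
firewall {
    family inet {
        filter PROTECT-RE {
            /* Control-plane protocols first, so the deny term below never hits them */
            term allow-bgp {
                from {
                    source-prefix-list {
                        BGP-PEERS;
                    }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            /* BFD: single-hop control (3784), echo (3785), multihop (4784) */
            term allow-bfd {
                from {
                    protocol udp;
                    destination-port [ 3784 3785 4784 ];
                }
                then accept;
            }
            /* Management only from the management prefix */
            term allow-mgmt {
                from {
                    source-prefix-list {
                        MGMT-HOSTS;
                    }
                    protocol [ tcp udp ];
                    destination-port [ ssh snmp 830 ];
                }
                then accept;
            }
            /* Same services from anywhere else: count, log and drop */
            term deny-mgmt {
                from {
                    protocol [ tcp udp ];
                    destination-port [ ssh telnet snmp 830 ];
                }
                then {
                    count denied-mgmt;
                    syslog;
                    discard;
                }
            }
            /* Everything not named above (OSPF, ICMP, NTP, ...) is left alone */
            term allow-rest {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE;
                }
            }
        }
    }
}
```

This version ends in accept so only the management services are blocked and nothing else reaching the RE changes; the stricter layout in the book enumerates every needed protocol and ends in discard, which is the direction to move once the counters show the allow terms are complete. IS-IS is not affected either way, since it runs over CLNS rather than IP and a family inet filter never sees it. Commit with `commit confirmed` from a session that is itself covered by MGMT-HOSTS, then watch `show firewall filter PROTECT-RE` for the denied-mgmt counter; an IPv6 equivalent under `family inet6` is a separate filter.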