Hello, I have a problem getting junos to filter out admin access to my router from unauthorized addresses.
I have some addresses bound to lo0.0 which I am advertising internally in my igp, and which are the 'official' addresses used for SNMP, SSH and BGP to the router. I have firewall filters also that limit access to these protocols using prefix lists and such, and these filters are applied to lo0.0. The filters work and I can observe log messages for invalid accesses to the protocols from unauthorized ip addresses. HOWEVER, snmp/ssh/bgp access to other ip addresses bound on the router, such as ethernet interface addresses, is still being allowed. I thought, according to various junos docs, that applying a filter to lo0.0 filters out packets destined locally to the box regardless of actual interface. Could use some help.

Here is the filter for ssh/telnet/snmp:

    term allowed-login {
        from {
            prefix-list {
                admin-hosts;
            }
            protocol tcp;
            destination-port [ ssh telnet ];
        }
        then accept;
    }
    term no-other-logins {
        from {
            protocol tcp;
            destination-port [ ssh telnet ];
        }
        then {
            count bad-admin-access;
            log;
            discard;
        }
    }
    term allowed-snmp {
        from {
            prefix-list {
                network-mgmt-stations;
            }
            protocol udp;
            destination-port snmp;
        }
        then accept;
    }
    term no-more-snmp {
        from {
            protocol udp;
            destination-port snmp;
        }
        then {
            count bad-snmp-access;
            log;
            syslog;
            discard;
        }
    }
    term allow-peers {
        from {
            source-prefix-list {
                bgp-peers;
            }
            protocol tcp;
            destination-port bgp;
        }
        then accept;
    }
    term no-other-peers {
        from {
            protocol tcp;
            destination-port bgp;
        }
        then {
            count bad-bgp-connect;
            discard;
        }
    }

Here is the config for lo0.0:

    family inet {
        filter {
            input-list [ limit-admin limit-bgp ALLOW ];
        }
        address blah1/32;
        address blah2/32;
        address blah3/32 {
            primary;
            preferred;
        }
    }

Thank you.

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
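An added example, not part of the post or of Junos: a small Python simulation of first-match evaluation of the six terms above against constructed packets. The prefix-list contents and router addresses are invented stand-ins, the port numbers are the values behind the ssh/telnet/snmp/bgp keywords, and the match rules follow Junos semantics where `prefix-list` matches source or destination address while `source-prefix-list` matches source only; the other filters in the lo0.0 input-list are not modelled.

```python
import ipaddress

# Constructed stand-ins for the post's prefix lists (real contents are not in the post).
PREFIX_LISTS = {
    "admin-hosts": ["192.0.2.0/28"],
    "network-mgmt-stations": ["192.0.2.64/28"],
    "bgp-peers": ["198.51.100.1/32"],
}

# The six terms from the post, in order. Junos firewall filters are first-match:
# the first term whose "from" conditions all hold decides the packet.
# Junos "prefix-list" matches the source OR the destination address;
# "source-prefix-list" matches the source only. Port keywords -> numbers.
TERMS = [
    ("allowed-login",   {"prefix-list": "admin-hosts", "proto": "tcp", "dport": {22, 23}}, "accept"),
    ("no-other-logins", {"proto": "tcp", "dport": {22, 23}}, "discard"),
    ("allowed-snmp",    {"prefix-list": "network-mgmt-stations", "proto": "udp", "dport": {161}}, "accept"),
    ("no-more-snmp",    {"proto": "udp", "dport": {161}}, "discard"),
    ("allow-peers",     {"source-prefix-list": "bgp-peers", "proto": "tcp", "dport": {179}}, "accept"),
    ("no-other-peers",  {"proto": "tcp", "dport": {179}}, "discard"),
]


def in_list(addr, name):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in PREFIX_LISTS[name])


def evaluate(src, dst, proto, dport):
    """Return (term, action) of the first matching term, or (None, "no-match")
    when the packet falls off the end of these terms (the post's lo0.0 input-list
    then continues with further filters, which this example does not model)."""
    for name, cond, action in TERMS:
        if cond["proto"] != proto or dport not in cond["dport"]:
            continue
        if "prefix-list" in cond and not (
            in_list(src, cond["prefix-list"]) or in_list(dst, cond["prefix-list"])
        ):
            continue
        if "source-prefix-list" in cond and not in_list(src, cond["source-prefix-list"]):
            continue
        return name, action
    return None, "no-match"


if __name__ == "__main__":
    # Same unauthorized SSH client, two different router addresses: the terms
    # never test the destination, so both packets classify identically.
    for dst in ("203.0.113.1", "203.0.113.9"):  # constructed lo0 / ethernet addresses
        print(dst, evaluate("203.0.113.50", dst, "tcp", 22))
```

Because no term examines the destination address, the filter itself treats SSH to an ethernet interface address exactly like SSH to a lo0 address; the one destination-sensitive case is the `prefix-list` term, which also accepts a packet whose destination happens to be in admin-hosts.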