What hardware and software version? There were some bugs/limitations with certain combinations.
On Mon, Dec 09, 2019 at 07:42:02AM -0800, Mike wrote:
> Hello,
>
> I have a problem getting junos to filter out admin access to my router
> from unauthorized addresses.
>
> I have some addresses bound to lo0.0 which I am advertising internally
> in my igp, and which are the 'official' addresses used for SNMP, SSH and
> BGP to the router.
>
> I have firewall filters also that limit access to these protocols using
> prefix lists and such, and these filters are applied to lo0.0. The
> filters work and I can observe log messages for invalid accesses to the
> protocols from unauthorized ip addresses. HOWEVER, snmp/ssh/bgp access
> to other ip addresses bound on the router, such as ethernet interface
> addresses, is still being allowed. I thought, according to various
> junos docs, that applying a filter to lo0.0 filters out packets destined
> locally to the box regardless of actual interface. Could use some help.
>
>
> Here is the filter for ssh/telnet/snmp:
>
> term allowed-login {
>     from {
>         prefix-list {
>             admin-hosts;
>         }
>         protocol tcp;
>         destination-port [ ssh telnet ];
>     }
>     then accept;
> }
> term no-other-logins {
>     from {
>         protocol tcp;
>         destination-port [ ssh telnet ];
>     }
>     then {
>         count bad-admin-access;
>         log;
>         discard;
>     }
> }
> term allowed-snmp {
>     from {
>         prefix-list {
>             network-mgmt-stations;
>         }
>         protocol udp;
>         destination-port snmp;
>     }
>     then accept;
> }
> term no-more-snmp {
>     from {
>         protocol udp;
>         destination-port snmp;
>     }
>     then {
>         count bad-snmp-access;
>         log;
>         syslog;
>         discard;
>     }
> }
>
> term allow-peers {
>     from {
>         source-prefix-list {
>             bgp-peers;
>         }
>         protocol tcp;
>         destination-port bgp;
>     }
>     then accept;
> }
> term no-other-peers {
>     from {
>         protocol tcp;
>         destination-port bgp;
>     }
>     then {
>         count bad-bgp-connect;
>         discard;
>     }
> }
>
> here is the config for lo0.0:
>
> family inet {
>     filter {
>         input-list [ limit-admin limit-bgp ALLOW ];
>     }
>     address blah1/32;
>     address blah2/32;
>     address blah3/32 {
>         primary;
>         preferred;
>     }
> }
_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
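Editor's added example, not part of the thread above and not a diagnosis of Mike's particular box: the same Routing Engine protection written out as a complete, pasteable set-format configuration. Filter names match the posted input-list; the prefix-list contents, the lo0 address and the ALLOW filter (which the thread never shows) are constructed assumptions. The one deliberate change from the posted filter is that the admin and SNMP terms use `source-prefix-list` instead of a bare `prefix-list`: in a Junos firewall filter, `prefix-list` matches the listed prefixes against either the source or the destination address, so a term that is meant to say "only these sources may connect" should say so explicitly. A filter on lo0.0 is evaluated for packets addressed to any of the router's own addresses, including those configured on Ethernet interfaces, which is the behaviour Mike expects from the documentation; if that is not what a given platform and release does, the first reply's question about hardware and software version is the right one.

```junos
# Added example (editor's, not from the thread). Prefix contents, the lo0
# address and the ALLOW filter are constructed placeholders.
set policy-options prefix-list admin-hosts 192.0.2.10/32
set policy-options prefix-list admin-hosts 192.0.2.11/32
set policy-options prefix-list network-mgmt-stations 192.0.2.0/28
set policy-options prefix-list bgp-peers 203.0.113.1/32
set policy-options prefix-list bgp-peers 203.0.113.2/32

# limit-admin: source-prefix-list matches the packet's SOURCE address only.
# The posted filter's bare "prefix-list" matches source OR destination.
set firewall family inet filter limit-admin term allowed-login from source-prefix-list admin-hosts
set firewall family inet filter limit-admin term allowed-login from protocol tcp
set firewall family inet filter limit-admin term allowed-login from destination-port [ ssh telnet ]
set firewall family inet filter limit-admin term allowed-login then accept
set firewall family inet filter limit-admin term no-other-logins from protocol tcp
set firewall family inet filter limit-admin term no-other-logins from destination-port [ ssh telnet ]
set firewall family inet filter limit-admin term no-other-logins then count bad-admin-access
set firewall family inet filter limit-admin term no-other-logins then log
set firewall family inet filter limit-admin term no-other-logins then discard
set firewall family inet filter limit-admin term allowed-snmp from source-prefix-list network-mgmt-stations
set firewall family inet filter limit-admin term allowed-snmp from protocol udp
set firewall family inet filter limit-admin term allowed-snmp from destination-port snmp
set firewall family inet filter limit-admin term allowed-snmp then accept
set firewall family inet filter limit-admin term no-more-snmp from protocol udp
set firewall family inet filter limit-admin term no-more-snmp from destination-port snmp
set firewall family inet filter limit-admin term no-more-snmp then count bad-snmp-access
set firewall family inet filter limit-admin term no-more-snmp then log
set firewall family inet filter limit-admin term no-more-snmp then syslog
set firewall family inet filter limit-admin term no-more-snmp then discard

# limit-bgp: same pattern for TCP/179, sources restricted to configured peers.
set firewall family inet filter limit-bgp term allow-peers from source-prefix-list bgp-peers
set firewall family inet filter limit-bgp term allow-peers from protocol tcp
set firewall family inet filter limit-bgp term allow-peers from destination-port bgp
set firewall family inet filter limit-bgp term allow-peers then accept
set firewall family inet filter limit-bgp term no-other-peers from protocol tcp
set firewall family inet filter limit-bgp term no-other-peers from destination-port bgp
set firewall family inet filter limit-bgp term no-other-peers then count bad-bgp-connect
set firewall family inet filter limit-bgp term no-other-peers then discard

# ALLOW is assumed (not shown in the thread): accept whatever the two filters
# above did not discard, so other Routing Engine traffic keeps working.
set firewall family inet filter ALLOW term default then accept

# On lo0.0 the input-list is evaluated for packets addressed to any local
# address of the router, not only the lo0 addresses themselves.
set interfaces lo0 unit 0 family inet filter input-list [ limit-admin limit-bgp ALLOW ]
set interfaces lo0 unit 0 family inet address 198.51.100.1/32
```

Paste in configuration mode (the `#` lines are for the reader and can be dropped), run `commit check`, then `commit`. To confirm the filter is actually being hit for connections to a non-lo0 address, attempt an SSH connection to an Ethernet interface address from a host outside admin-hosts and watch `show firewall filter limit-admin` for the `bad-admin-access` counter to increment and `show firewall log` for the matching `log` entry; `show interfaces filters lo0` shows which filters are attached to the unit.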