Re: [j-nsp] EX2200 series and q-in-q (802.1ad)
> -----Original Message-----
> From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Stephane JAUNE
> Sent: Wednesday, February 02, 2011 10:50 AM
> To: 'Juniper-Nsp'
> Subject: [j-nsp] EX2200 series and q-in-q (802.1ad)
>
> Hi all,
>
> Does somebody know if the EX2200 series supports q-in-q? We would like to use some of them to tag customer traffic with an S-VLAN, and I only found that 802.1Q is supported.
>
> Regards.

Q-in-Q is now supported in 11.1, if you're that brave to use it. Haven't tested it out yet to see what features are really available, but release notes indicate that it's supported.

-evt

___
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Changing SSH port on EX switches, M routers
On Fri, Apr 01, 2011 at 08:23:31PM -0400, Jesus Alvarez wrote:
> Is there a way to change the SSH port for managing the EX switches and M routers? We normally avoid using the standard port 22.

No. I've been asking for that feature since... hm, around 2003 or so. Probably no customer demand. :-)

Best regards,
Daniel

-- 
CLUE-RIPE -- Jabber: d...@cluenet.de -- dr@IRCnet -- PGP: 0xA85C8AA0
Re: [j-nsp] Changing SSH port on EX switches, M routers
On Sat, Apr 02, 2011 at 02:14:12PM +0200, Daniel Roesen wrote:
> On Fri, Apr 01, 2011 at 08:23:31PM -0400, Jesus Alvarez wrote:
>> Is there a way to change the SSH port for managing the EX switches and M routers? We normally avoid using the standard port 22.
>
> No. I've been asking for that feature since... hm, around 2003 or so. Probably no customer demand. :-)

I wonder if you could create an /etc/ssh/sshd_config file and set the port number in there...
Re: [j-nsp] Changing SSH port on EX switches, M routers
On 02.04.2011 14:22, Chuck Anderson wrote:
> I wonder if you could create an /etc/ssh/sshd_config file and set the port number in there...

Not exactly, because the sshd is started by inetd. You can, as root, change that file, but you have to ensure it doesn't get changed by mgd. So a cron script checking what is in there once an hour does the trick.

Tom
Re: [j-nsp] Changing SSH port on EX switches, M routers
> No, I've been asking for this feature. :)

Thanks for your answer. It should be trivial to implement a configurable SSH port in the Junos firmware, and this would help in securing the router. Practically all scanners attempt SSH logins when port 22 is available, but very few check all available ports. It is surprising that Juniper does not provide a way to change the SSH port.
Re: [j-nsp] Changing SSH port on EX switches, M routers
> Not exactly, because the sshd is started by inetd - you can as root change that file - but you have to ensure it doesn't get changed by mgd. So a cron script checking for what is in there once an hour does the trick..

Thanks for your answer. That sounds like a clever workaround. Are the sshd_config options the same as in OpenSSH? On Junos 10.2R3.10 there is no /etc/ssh/sshd_config. Can I just create a file with a single line to change the port (leaving all other options as defaults)? E.g. something like:

Port x

Could you share the portion of your cron script that replaces sshd_config and restarts sshd when required? I guess port 22 would still be available between the time mgd changes the ssh_config and the time the cron script restarts sshd. How frequently do you see mgd changing the sshd_config?

The SSH port should be configurable in the Junos config, but this may be a reasonable way to get it implemented.
Re: [j-nsp] Changing SSH port on EX switches, M routers
You should probably think about doing IP-based filtering on your management networks. It's going to guarantee a drop in random port scans/login attempts vs. obfuscating the listen port of ssh.

Scott

On Sat, Apr 2, 2011 at 11:13 AM, Jesus Alvarez jalva...@prw.net wrote:
>> No, I've been asking for this feature. :)
>
> Thanks for your answer. It should be trivial to implement a configurable SSH port in the Junos firmware, and this would help in securing the router. Practically all scanners attempt SSH logins when port 22 is available, but very few check all available ports. It is surprising that Juniper does not provide a way to change the SSH port.
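The IP-based management filtering Scott recommends is normally done on Junos with a firewall filter applied to lo0, so that it covers all traffic destined to the routing engine regardless of which physical interface it arrives on. The configuration below is an added illustration by the editor, not configuration posted by anyone in the thread: the filter name protect-re and the counter name ssh-rejected are assumptions, and 192.0.2.0/24 is a constructed placeholder for the real management prefix.

```junos
/* Added example: only the management prefix may reach SSH on the routing engine.
   192.0.2.0/24 is a constructed placeholder; substitute the real management network. */
firewall {
    family inet {
        filter protect-re {
            term allow-mgmt-ssh {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            /* Everything else aimed at port 22 is counted, logged and dropped,
               which also gives a cheap view of who is scanning the box. */
            term drop-other-ssh {
                from {
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    count ssh-rejected;
                    log;
                    discard;
                }
            }
            /* A production filter would have explicit terms for routing protocols,
               SNMP, NTP and so on ahead of this catch-all accept. */
            term allow-everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

Because a mistake in an lo0 filter can lock you out of the device, apply it with `commit confirmed` so the change rolls back automatically if the session is lost, and check `show firewall filter protect-re` afterwards to confirm the ssh-rejected counter is incrementing for unwanted sources while your own sessions still work.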
[j-nsp] JUNOS and MS RPC
Hello all,

Is anyone running MS products through SRX firewalls? How are you getting RPC to work? According to engineering, the ScreenOS ms-rpc-any isn't included in JUNOS, although I do see the ALG catching the info based off of endpoint mapper sessions. Add to that the fact that MS changed their port range for RPC with Server 2008, which has given me some real fun conversations with our server team.

Thanks,
Glenn
Re: [j-nsp] JUNOS and MS RPC
I've got two sets of SRX3400 clusters, and the ALGs should come with: caveat emptor. Nice on paper and very similar to Linux conntrack modules, but in reality the rule of thumb is it's better to have them disabled.

In the case of Microsoft, their technical papers will say your firewall should allow 1024-65535 open. In my datacenters, the only place where I find this to be necessary is to domain controllers. Most other MS software can happily run off a specific TCP port.

YMMV.

Scott

On Sat, Apr 2, 2011 at 4:33 PM, Glenn Krutsinger gkrutsin...@compassion.com wrote:
> Hello all,
>
> Is anyone running MS products through SRX firewalls? How are you getting RPC to work? According to engineering, the ScreenOS ms-rpc-any isn't included in JUNOS, although, I do see the ALG catching the info based off of endpoint mapper sessions. Add to that the fact that MS changed their port range for RPC with Server 2008 has given me some real fun conversations with our server team.
>
> Thanks,
> Glenn
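Scott's approach, disabling the ALG and permitting the application on the specific TCP port it has been pinned to, looks like the following on an SRX. This is an added example by the editor and not configuration from anyone in the thread: the zone names trust and dmz, the address-book entry app-server with the constructed address 198.51.100.10, the application name app-fixed-tcp and the sample port 5985 are all assumptions to be replaced with real values.

```junos
/* Added example: turn off the MS-RPC ALG and express the service as an explicit
   port-based application instead of relying on dynamic pinholes.
   Zone names, address and port are constructed sample values. */
security {
    alg {
        msrpc {
            disable;
        }
    }
    zones {
        security-zone dmz {
            address-book {
                address app-server 198.51.100.10/32;
            }
        }
    }
    policies {
        from-zone trust to-zone dmz {
            policy app-server-fixed-port {
                match {
                    source-address any;
                    destination-address app-server;
                    application app-fixed-tcp;
                }
                then {
                    permit;
                    /* Session-close logs record the real ports used, which is
                       handy when confirming the server is pinned as claimed. */
                    log {
                        session-close;
                    }
                }
            }
        }
    }
}
applications {
    /* One fixed TCP port rather than the 1024-65535 range the vendor papers ask for. */
    application app-fixed-tcp {
        protocol tcp;
        destination-port 5985;
    }
}
```

The trade-off is explicit: the policy only admits the configured port, so any service that still negotiates dynamic RPC ports through the endpoint mapper (domain controllers being the case Scott calls out) will fail visibly in the session logs rather than silently relying on ALG behaviour.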
Re: [j-nsp] JUNOS and MS RPC
Agreed. ALGs seem to always cause headaches. Turn them off and pretend they don't exist and you'll be better off. (Think of them like that crazy guy/girl you wanted to date in High School... Same thing really.)

On Apr 2, 2011, at 4:38 PM, Scott T. Cameron wrote:
> I've got two sets of SRX3400 clusters, and the ALGs should come with: caveat emptor. Nice on paper and very similar to Linux conntrack modules, but in reality the rule of thumb is it's better to have them disabled.
>
> In the case of Microsoft, their technical papers will say your firewall should allow 1024-65535 open. In my datacenters, the only place where I find this to be necessary is to domain controllers. Most other MS software can happily run off a specific TCP port.
>
> YMMV.
>
> Scott
>
> On Sat, Apr 2, 2011 at 4:33 PM, Glenn Krutsinger gkrutsin...@compassion.com wrote:
>> Hello all,
>>
>> Is anyone running MS products through SRX firewalls? How are you getting RPC to work? According to engineering, the ScreenOS ms-rpc-any isn't included in JUNOS, although, I do see the ALG catching the info based off of endpoint mapper sessions. Add to that the fact that MS changed their port range for RPC with Server 2008 has given me some real fun conversations with our server team.
>>
>> Thanks,
>> Glenn