What's the difference between your Junos script and this apply-path?

set policy-options prefix-list router-ipv4 apply-path "interfaces <*> unit <*> family inet address <*>"

2016-04-15 13:10 GMT-03:00 Aaron <aar...@gvtc.com>:

> Thanks Krasi, Hmmm, this looks very interesting, I want to try it in my lab… also, please let me know if this will ONLY work for my routing-instance vrf "one" interfaces…
>
> My vrf "one" is where my public/vulnerable IPs live…
>
> I don't need to protect my default core vrf which is all 10.x.x.x and that domain is behind a mgmt. net firewall boundary.
>
> Aaron
>
> From: Krasimir Avramski [mailto:kr...@smartcom.bg]
> Sent: Friday, April 15, 2016 6:51 AM
> To: Aaron <aar...@gvtc.com>
> Cc: Chris Jones <ipv6fre...@gmail.com>; Juniper-Nsp <juniper-nsp@puck.nether.net>
> Subject: Re: [j-nsp] protect ssh and telnet
>
> > Hi Aaron,
> >
> > Below is a commit script which builds a dynamic prefix list (containing local IPv4 addresses) that you could reference in the FTF:
> >
> > krasi# show system scripts commit
> > allow-transients;
> > file ifl-addr-v4.slax;
> >
> > krasi# run file show /var/db/scripts/commit/ifl-addr-v4.slax
> > version 1.0;
> >
> > ns junos = "http://xml.juniper.net/junos/*/junos";
> > ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
> > ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
> >
> > import "../import/junos.xsl";
> >
> > match configuration {
> >     <transient-change> {
> >         <policy-options> {
> >             <prefix-list replace="replace"> {
> >                 <name> "ifl-addr-v4";
> >                 for-each (interfaces/interface/unit/family/inet/address) {
> >                     var $address = substring-before(name, "/");
> >                     <prefix-list-item> {
> >                         <name> $address;
> >                     }
> >                 }
> >             }
> >         }
> >     }
> > }
> >
> > krasi# show policy-options |display inheritance |display commit-scripts
> > prefix-list ifl-addr-v4 {
> >     1.1.1.1/32;
> >     10.10.111.1/32;
> > }
> >
> > krasi# set interfaces xe-0/0/0 unit 0 family inet address 2.2.2.2/30
> >
> > [edit]
> > root# commit
> > commit complete
> >
> > [edit]
> > root# show policy-options |display inheritance |display commit-scripts
> > prefix-list ifl-addr-v4 {
> >     1.1.1.1/32;
> >     2.2.2.2/32;
> >     10.10.111.1/32;
> > }
> >
> > Best Regards,
> > Krasi
> >
> > On 13 April 2016 at 23:43, Aaron <aar...@gvtc.com> wrote:
> >
> > > Thanks Chris, but apparently the Juniper ACX5048 is an exception to the lo0 rule… see link
> > >
> > > http://kb.juniper.net/InfoCenter/index?page=content&id=KB28893&actp=search&viewlocale=en_US&searchid=1305252358192
> > >
> > > I've been able to accomplish protecting telnet/ssh on my ACX5048 like this…
> > >
> > > set routing-instances one forwarding-options family inet filter input protect-5048
> > > set firewall family inet filter protect-5048 term 1 from destination-address 1.1.1.1/32
> > > set firewall family inet filter protect-5048 term 1 from protocol tcp
> > > set firewall family inet filter protect-5048 term 1 from destination-port telnet
> > > set firewall family inet filter protect-5048 term 1 from destination-port ssh
> > > set firewall family inet filter protect-5048 term 1 then count protect-5048-counter
> > > set firewall family inet filter protect-5048 term 1 then discard
> > > set firewall family inet filter protect-5048 term 2 then accept
> > >
> > > 1.1.1.0/24 is a subnet on an interface in vrf "one" on my acx5048…
> > >
> > > The only thing is that I will need to make it a policy with my colleagues that if/when we churn public address space or add new interfaces on our acx5048's, part of the process will be to add a line to our firewall acl…
> > >
> > > set firewall family inet filter protect-5048 term 1 from destination-address 1.1.2.1/32
> > > set firewall family inet filter protect-5048 term 1 from destination-address 1.1.3.1/32
> > > etc
> > >
> > > QUESTION – does anyone know how to make this firewall acl or include a condition or policy somehow to apply the firewall policy to ONLY LOCAL ROUTES (/32's)? That would be nice, so that I would never have to add/subtract specific ip addresses in this firewall policy.
> > >
> > > Aaron
> > >
> > > From: Chris Jones [mailto:ipv6fre...@gmail.com]
> > > Sent: Wednesday, April 13, 2016 10:05 AM
> > > To: Aaron <aar...@gvtc.com>
> > > Cc: juniper-nsp@puck.nether.net
> > > Subject: Re: [j-nsp] protect ssh and telnet
> > >
> > > > To answer OP's actual question:
> > > >
> > > > What you're looking for is an RE filter, applied to lo0. A great resource explaining them and some best practices, etc.: check out Doug Hanks' Day One book:
> > > > http://www.juniper.net/us/en/training/jnbooks/day-one/fundamentals-series/securing-routing-engine/
> > > >
> > > > On Tue, Mar 29, 2016 at 10:26 PM, Aaron <aar...@gvtc.com> wrote:
> > > >
> > > > > I'm new to Juniper, and I'm looking to protect ssh/telnet on all interfaces on my Juniper ACX5048's.
> > > > >
> > > > > In Cisco you can protect the virtual interface (vty) with an acl (access-class) so that any remote login attempts (ssh or telnet) are protected.
> > > > >
> > > > > How do I protect ssh and telnet globally in Junos? I only want to allow ssh and telnet from certain trusted management subnets.
> > > > >
> > > > > Aaron
> > > > >
> > > > > _______________________________________________
> > > > > juniper-nsp mailing list juniper-nsp@puck.nether.net
> > > > > https://puck.nether.net/mailman/listinfo/juniper-nsp
> > > >
> > > > --
> > > > Chris Jones
> > > > JNCIE-ENT #272
> > > > CCIE# 25655 (R&S)
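The Python below is an added example, not code from the thread, from Juniper, or from any list member. It parses a constructed set-format Junos configuration and reproduces the prefix-list logic of Krasi's SLAX commit script (mask dropped via substring-before, so every entry becomes a /32 host; its XPath covers every interface with no routing-instance awareness), beside the as-configured list that, as an assumption here, the apply-path in the top reply would produce (a /30 link address yields a /30 entry). It then evaluates Aaron's two-term filter against constructed packets to show how the two lists differ in what they discard. The instance_ifls restriction to vrf "one" is a hypothetical extension added here, not part of the script, to address Aaron's question about limiting the list to that VRF's interfaces.

```python
import ipaddress
import re

# Constructed sample Junos set-format configuration (not from the thread; the
# addresses 1.1.1.1, 2.2.2.2/30 and 10.10.111.1 echo the thread's examples).
SAMPLE_CONFIG = """\
set interfaces xe-0/0/0 unit 0 family inet address 2.2.2.2/30
set interfaces xe-0/0/1 unit 0 family inet address 1.1.1.1/24
set interfaces xe-0/0/2 unit 0 family inet6 address 2001:db8::1/64
set interfaces lo0 unit 0 family inet address 10.10.111.1/32
set routing-instances one interface xe-0/0/1.0
"""

# Same scope as the script's XPath interfaces/interface/unit/family/inet/address:
# IPv4 only, every interface, no routing-instance awareness.
ADDR_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet address (\S+)$")
RI_IFL_RE = re.compile(r"^set routing-instances (\S+) interface (\S+)$")


def interface_addresses(config):
    """Return [(ifl, prefix)] for every 'family inet address' statement."""
    out = []
    for line in config.splitlines():
        m = ADDR_RE.match(line.strip())
        if m:
            out.append((f"{m.group(1)}.{m.group(2)}", m.group(3)))
    return out


def instance_ifls(config, instance):
    """Hypothetical extension: IFLs placed into a routing-instance (vrf 'one')."""
    return {m.group(2) for m in map(RI_IFL_RE.match, config.splitlines())
            if m and m.group(1) == instance}


def _sorted(prefixes):
    return sorted(prefixes, key=lambda p: ipaddress.ip_address(p.split("/")[0]))


def host_prefix_list(config, instance=None):
    """What the commit script produces: the mask is dropped
    (substring-before(name, "/")), so Junos stores each entry as a /32 host.
    instance=None reproduces the script; a name restricts it to that VRF's IFLs."""
    keep = instance_ifls(config, instance) if instance else None
    return _sorted({f"{p.split('/')[0]}/32" for ifl, p in interface_addresses(config)
                    if keep is None or ifl in keep})


def as_configured_prefix_list(config):
    """Assumption: apply-path copies each address with its configured mask, so
    a /30 link address yields a /30 entry covering the whole link subnet."""
    return _sorted({p for _, p in interface_addresses(config)})


MGMT_PORTS = {22, 23}  # ssh, telnet


def protect_5048(packet, prefix_list):
    """Evaluate the thread's two-term filter on one (dst_ip, proto, dport).
    Term 1: dst in prefix list AND tcp AND port ssh/telnet -> discard (counted).
    Term 2: anything else -> accept."""
    dst, proto, dport = packet
    nets = [ipaddress.ip_network(p, strict=False) for p in prefix_list]
    if proto == "tcp" and dport in MGMT_PORTS and any(ipaddress.ip_address(dst) in n for n in nets):
        return "discard"
    return "accept"


if __name__ == "__main__":
    script_list = host_prefix_list(SAMPLE_CONFIG)
    path_list = as_configured_prefix_list(SAMPLE_CONFIG)
    print("commit script :", script_list)
    print("apply-path    :", path_list)
    print("vrf one only  :", host_prefix_list(SAMPLE_CONFIG, instance="one"))
    # ssh to the neighbour's address on the /30 link: only the as-configured list catches it
    neighbour = ("2.2.2.1", "tcp", 22)
    print("neighbour ssh :", protect_5048(neighbour, script_list), protect_5048(neighbour, path_list))
```

Run as-is to see the two lists side by side; the last line of output is the practical point of the comparison: with the /32 host list only traffic to the router's own addresses hits term 1, whereas a list that keeps the configured /30 or /24 masks also discards ssh/telnet transiting to any other host on those link subnets.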