Try adding a prefix-list match to the restrict-ssh term which contains a 0/0 route. I don't think the "except" option is meant to be used in isolation.
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:juniper-nsp-[EMAIL PROTECTED] On Behalf Of Tore Anderson
> Sent: Wednesday, October 29, 2008 3:25 PM
> To: juniper-nsp@puck.nether.net
> Subject: [j-nsp] Meaning of "except" in firewall filters
>
> Hi,
>
> I'm trying to restrict SSH access on some of my routers to allow
> connections from just a few known source networks (defined in a prefix
> list called "ssh-allowed"). I then came up with the following, and
> applied it as an input filter on lo0.0:
>
> [edit firewall filter lo0-input]
> term restrict-ssh {
>     from {
>         source-prefix-list {
>             ssh-allowed except;
>         }
>         protocol tcp;
>         destination-port ssh;
>     }
>     then {
>         syslog;
>         reject;
>     }
> }
> term fallthrough {
>     then accept;
> }
>
> This didn't work as expected; SSH connections were still allowed from
> any host (both from inside networks found inside ssh-allowed as well as
> from outside). It seems like the restrict-ssh term never matched.
>
> If I removed the "except", it worked as I would have thought:
> connections from hosts inside prefixes found in the ssh-allowed prefix
> list were denied, while connections from the rest of the internet were
> allowed. Of course, this is the opposite behaviour of what I want.
>
> I can work around it by making first a term that accepts SSH from the
> known prefixes, then another term that rejects all other SSH
> connections, and finally the fallthrough that accepts the rest.
> However, this behaviour made me really curious... Isn't "except"
> supposed to invert the logic of the match? That's how I understand the
> help text, at least:
>
> except Match addresses not in this prefix list
>
> It doesn't seem to work that way, though. Does anyone know how it's
> supposed to be used?
>
> Regards
> --
> Tore Anderson
> _______________________________________________
> juniper-nsp mailing list
> juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
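An added configuration example, not from the thread, showing the approach the reply suggests: pair `ssh-allowed except` with a positive 0.0.0.0/0 prefix list so the term has a base match for "except" to carve holes out of. The prefix-list name `any-v4`, the addresses inside `ssh-allowed`, and the added `count` action are assumptions for illustration.

```junos
/* Added example, not from the thread; prefix lists are constructed */
policy-options {
    prefix-list ssh-allowed {
        /* constructed management networks that may reach SSH */
        192.0.2.0/24;
        198.51.100.0/24;
    }
    prefix-list any-v4 {
        /* the positive match that "except" subtracts from */
        0.0.0.0/0;
    }
}
firewall {
    filter lo0-input {
        term restrict-ssh {
            from {
                source-prefix-list {
                    /* match every source ... */
                    any-v4;
                    /* ... except the approved ones */
                    ssh-allowed except;
                }
                protocol tcp;
                destination-port ssh;
            }
            then {
                /* counter so the term's hits can be verified */
                count ssh-rejected;
                syslog;
                reject;
            }
        }
        term fallthrough {
            then accept;
        }
    }
}
```

After committing, `show firewall filter lo0-input` should show the `ssh-rejected` counter incrementing for SSH attempts from outside `ssh-allowed`, which confirms the term now matches where the `except`-only version never did.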