Hi Folks,
Is there any reason why I shouldn't allow ssh access to a remote SRX with a
firewall filter only allowing a single network on an untrust (reth) interface?
Maybe I should create a loopback instead, allow system-services ssh, and apply
the filter there? My thought for using a lo interface is why force all traffic
through the filter just for a system service?
root@----LAB-1----# show firewall
filter FF_ALLOW_SSH {
    term SSH-ALLOW {
        from {
            source-address {
                1.1.1.0/24;
            }
            destination-address {
                2.2.2.2/32;
            }
            destination-port ssh;
        }
        then accept;
    }
    term SSH-DENY {
        from {
            destination-address {
                2.2.2.2/32;
            }
            destination-port ssh;
        }
        then {
            reject;
        }
    }
    term ANY-ALLOW {
        then {
            accept;
        }
    }
}
root@----LAB-1----# show interfaces
reth11 {
    unit 0 {
        family inet {
            filter {
                input FF_ALLOW_SSH;
            }
            address 2.2.2.2/24;
        }
    }
}
_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
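The loopback variant the question raises, written here as an added example and not configuration taken from the original post: a filter applied to lo0 is evaluated only for traffic addressed to the Routing Engine, so transit traffic through reth11 never touches it, and SSH still has to be permitted as a host-inbound system service in the zone that holds the reth interface. The deny term uses syslog plus discard rather than reject, so refused attempts are recorded without an ICMP reply going back to the sender. Assumptions: the zone is named "untrust" and reth11.0 is already a member of it; the 1.1.1.0/24 management network is reused from the post.

```junos
firewall {
    filter PROTECT-RE {
        term SSH-ALLOW {
            from {
                source-address {
                    1.1.1.0/24;
                }
                protocol tcp;
                destination-port ssh;
            }
            then accept;
        }
        term SSH-DENY {
            from {
                protocol tcp;
                destination-port ssh;
            }
            then {
                syslog;
                discard;
            }
        }
        /* keep other RE-bound traffic (routing, ICMP, ...) working */
        term ALLOW-REST {
            then accept;
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE;
                }
            }
        }
    }
}
security {
    zones {
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    ssh;
                }
            }
        }
    }
}
```

Without the final accept term the implicit discard at the end of a lo0 filter would also drop routing-protocol and other control traffic to the RE, which is the usual mistake with this approach.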