Here's how I block telnet and ssh.... I have to add a firewall destination-address entry for each local route that I do not want accessible for telnet and ssh...and then apply it to the forwarding plane of the routing-instance that these addresses belong to.
set firewall family inet filter protect-5048 term 1 from destination-address 172.16.220.1/32
set firewall family inet filter protect-5048 term 1 from destination-address 172.16.224.1/32
set firewall family inet filter protect-5048 term 1 from destination-address 1.2.177.129/32
set firewall family inet filter protect-5048 term 1 from destination-address 1.2.224.129/32
set firewall family inet filter protect-5048 term 1 from destination-address 38.128.139.193/32
set firewall family inet filter protect-5048 term 1 from protocol tcp
set firewall family inet filter protect-5048 term 1 from destination-port telnet
set firewall family inet filter protect-5048 term 1 from destination-port ssh
set firewall family inet filter protect-5048 term 1 then count protect-5048-counter
set firewall family inet filter protect-5048 term 1 then discard
set firewall family inet filter protect-5048 term 2 then accept
set routing-instances one forwarding-options family inet filter input protect-5048

Model: acx5048
Junos: 15.1X54-D20.7

https://kb.juniper.net/InfoCenter/index?page=content&id=KB28893&actp=RSS ...says it was fixed to work on loopback in 12.3X54-D25.7...I haven't tested it myself though...

https://lists.gt.net/nsp/juniper/57674

- Aaron

_______________________________________________
juniper-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
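Added check, not part of Aaron's post: a small Python model of the filter above with Junos first-match term semantics. Because the approach needs one destination-address entry per local address, the `uncovered()` function reports any local address (for example one added by a new interface) that the filter would still let reach ssh or telnet, so the list can be audited before it is relied on. The packet tuples and the extra 10.0.0.1 address are constructed for the example.

```python
import ipaddress

# Addresses listed in the post's term 1, plus the ports it discards (ssh=22, telnet=23).
PROTECTED = ["172.16.220.1/32", "172.16.224.1/32", "1.2.177.129/32",
             "1.2.224.129/32", "38.128.139.193/32"]
BLOCKED_PORTS = {22, 23}


def build_filter(addrs, ports):
    """Model of filter protect-5048: term 1 discards tcp to the listed addresses
    on the listed ports, term 2 accepts everything else. Terms are evaluated
    in order and the first matching term decides (Junos semantics)."""
    return [
        {"name": "1", "dst": [ipaddress.ip_network(a) for a in addrs],
         "proto": "tcp", "ports": set(ports), "action": "discard"},
        {"name": "2", "action": "accept"},
    ]


def evaluate(terms, dst, proto, port):
    """Evaluate one packet (dst address, protocol, dst port).
    Returns (term_name, action). A term with no 'from' clauses matches all."""
    d = ipaddress.ip_address(dst)
    for t in terms:
        if "dst" in t and not any(d in net for net in t["dst"]):
            continue
        if "proto" in t and t["proto"] != proto:
            continue
        if "ports" in t and port not in t["ports"]:
            continue
        return t["name"], t["action"]
    return None, "discard"  # implicit discard when no term matches


def uncovered(local_addrs, terms, ports=BLOCKED_PORTS):
    """Local addresses that are NOT protected: any listed port still reaches accept.
    This is the per-address maintenance gap of the approach in the post."""
    return [a for a in local_addrs
            if any(evaluate(terms, a, "tcp", p)[1] == "accept" for p in ports)]


if __name__ == "__main__":
    f = build_filter(PROTECTED, BLOCKED_PORTS)
    print(evaluate(f, "172.16.220.1", "tcp", 22))   # ('1', 'discard')
    print(evaluate(f, "172.16.220.1", "tcp", 179))  # ('2', 'accept'): BGP still allowed
    # constructed: an address the filter does not list
    print(uncovered(["172.16.220.1", "10.0.0.1"], f))  # ['10.0.0.1']
```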

