Mailing List Archive

Service-Policies does not restrict SSH...
Hi there

I am trying to restrict which IP addresses can reach the SSH port on the default cluster management interface…
I first cloned the default-management service-policy to a new policy… I then restricted the service “management-ssh” to a specific range, say 10.0.2.0/24.
I then modified the cluster LIF and the two node management interfaces so that they use my new service-policy.
But… I am still able to ssh into the system from 10.10.10.0/24… which makes no sense at all…
If I do the same to the management-https it _does_ work as expected…

The “old” firewall is enabled, and all policies are set to 0.0.0.0/0 (I think this old firewall is deprecated…).

So is there something specific about SSH?
(ONTAP 9.12.1)

Personally I think the “firewall” features are a mess on ONTAP at the moment… also the fact that you can only open up for IP ranges, and not specific IP addresses… so the “best” you can do is a /30, I guess? Why not just allow specific IPs or even ranges, like 10.10.10.5, 10.10.10.5-10, and 10.10.20.0/24?

Any help or input is appreciated.

/H
Re: Service-Policies does not restrict SSH...
Can’t you restrict to a /32 range, which is just a single host? As for the rest, I haven’t a clue or any 9.12 hosts, so I can’t really help.

The real answer might be a router to block access to the management subnet/VLAN and a jump host you need to log in to for your SSH access.


Sent from my iPhone
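The reply's point about /32 and the original poster's wish list ("10.10.10.5, 10.10.10.5-10, and 10.10.20.0/24") can be reconciled: any single host or contiguous range can be expressed as a minimal set of CIDR blocks, which is the only form a subnet-based allow-list such as the one described in the thread accepts. The following is an added example, not code from the thread or from NetApp; the "host", "a-b" and "a.b.c.d-e" input syntax is constructed for illustration, and the `is_allowed` membership check models a generic "source address falls inside any listed subnet" filter, which is an assumption about the filter's semantics rather than a description of ONTAP internals.

```python
"""Turn a human-friendly allow-list (hosts, ranges, subnets) into the CIDR blocks a
subnet-only allow-list accepts, and check which source addresses it would admit.

Added example for the Toasters thread above; the input syntax is constructed here,
not ONTAP's own. Standard library only.
"""
import ipaddress
from typing import Iterable, List


def spec_to_networks(spec: str) -> List[ipaddress.IPv4Network]:
    """Parse one allow-list entry into one or more CIDR networks.

    Accepted (constructed) forms:
      "10.10.10.5"               -> single host, emitted as a /32
      "10.10.10.5-10"            -> last-octet shorthand range
      "10.10.10.5-10.10.10.10"   -> full-address range
      "10.10.20.0/24"            -> already a subnet (must be a valid network address)
    Ranges are summarised to the minimal set of aligned CIDR blocks, so a range
    such as .5-.10 never over-grants the way a hand-picked /30 would.
    """
    spec = spec.strip()
    if "/" in spec:
        return [ipaddress.IPv4Network(spec, strict=True)]
    if "-" in spec:
        start_s, end_s = (part.strip() for part in spec.split("-", 1))
        start = ipaddress.IPv4Address(start_s)
        if "." in end_s:
            end = ipaddress.IPv4Address(end_s)
        else:
            # shorthand: only the final octet of the end address is given
            prefix = start_s.rsplit(".", 1)[0]
            end = ipaddress.IPv4Address(f"{prefix}.{end_s}")
        if end < start:
            raise ValueError(f"range end precedes start: {spec!r}")
        return list(ipaddress.summarize_address_range(start, end))
    # bare host: the /32 "range" the reply mentions, exactly one address
    return [ipaddress.IPv4Network(f"{spec}/32")]


def build_allowed_addresses(specs: Iterable[str]) -> List[str]:
    """Expand every entry and collapse duplicates/adjacent blocks into a minimal list."""
    nets: List[ipaddress.IPv4Network] = []
    for spec in specs:
        nets.extend(spec_to_networks(spec))
    return [str(net) for net in ipaddress.collapse_addresses(nets)]


def is_allowed(source: str, allowed: Iterable[str]) -> bool:
    """Assumed filter model: permit iff the source lies inside any listed subnet."""
    src = ipaddress.IPv4Address(source)
    return any(src in ipaddress.IPv4Network(net) for net in allowed)


def addresses_covered(cidr: str) -> int:
    """How many addresses a block admits; shows why /32 beats /30 for one host."""
    return ipaddress.IPv4Network(cidr).num_addresses


if __name__ == "__main__":
    wanted = ["10.10.10.5", "10.10.10.5-10", "10.10.20.0/24"]  # the OP's wish list
    allowed = build_allowed_addresses(wanted)
    print("allowed-addresses:", ", ".join(allowed))
    for probe in ("10.10.10.5", "10.10.10.7", "10.10.10.4", "10.10.10.11", "10.10.20.200", "10.0.2.15"):
        print(f"{probe:>14} -> {'allow' if is_allowed(probe, allowed) else 'deny'}")
    print("/30 covers", addresses_covered("10.10.10.4/30"), "addresses; /32 covers", addresses_covered("10.10.10.5/32"))
```

Feeding the wish list through `build_allowed_addresses` yields 10.10.10.5/32, 10.10.10.6/31, 10.10.10.8/31, 10.10.10.10/32 and 10.10.20.0/24: five entries that admit exactly the requested addresses and nothing else, whereas a single /30 around .5 would also admit .4, .6 and .7. The range summarisation is what makes the /32-only workaround practical when a handful of admin hosts, rather than a whole subnet, should reach the management LIF.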

> On Jan 3, 2023, at 1:36 PM, Heino Walther <hw@beardmann.dk> wrote:
> _______________________________________________
> Toasters mailing list
> Toasters@teaparty.net
> https://www.teaparty.net/mailman/listinfo/toasters