What hardware and software version? There were some bugs/limitations with certain combinations.
On Mon, Dec 09, 2019 at 07:42:02AM -0800, Mike wrote:
> Hello,
>
> I have a problem getting junos to filter out admin access to my router
> from unauthorized addresses.
>
> I have some addresses bound to lo0.0 which I am advertising internally
> in my igp, and which are the 'official' addresses used for SNMP, SSH and
> BGP to the router.
>
> I have firewall filters also that limit access to these protocols using
> prefix lists and such, and these filters are applied to lo0.0. The
> filters work and I can observe log messages for invalid accesses to the
> protocols from unauthorized ip addresses. HOWEVER, snmp/ssh/bgp access
> to other ip addresses bound on the router, such as ethernet interface
> addresses, are still being allowed. I thought, according to various
> junos docs, that applying a filter to lo0.0 filters out packets destined
> locally to the box regardless of actual interface. Could use some help.
>
>
> Here is the filter for ssh/telnet/snmp:
>
> term allowed-login {
>     from {
>         prefix-list {
>             admin-hosts;
>         }
>         protocol tcp;
>         destination-port [ ssh telnet ];
>     }
>     then accept;
> }
> term no-other-logins {
>     from {
>         protocol tcp;
>         destination-port [ ssh telnet ];
>     }
>     then {
>         count bad-admin-access;
>         log;
>         discard;
>     }
> }
> term allowed-snmp {
>     from {
>         prefix-list {
>             network-mgmt-stations;
>         }
>         protocol udp;
>         destination-port snmp;
>     }
>     then accept;
> }
> term no-more-snmp {
>     from {
>         protocol udp;
>         destination-port snmp;
>     }
>     then {
>         count bad-snmp-access;
>         log;
>         syslog;
>         discard;
>     }
> }
>
> term allow-peers {
>     from {
>         source-prefix-list {
>             bgp-peers;
>         }
>         protocol tcp;
>         destination-port bgp;
>     }
>     then accept;
> }
> term no-other-peers {
>     from {
>         protocol tcp;
>         destination-port bgp;
>     }
>     then {
>         count bad-bgp-connect;
>         discard;
>     }
> }
>
> here is the config for lo0.0:
>
> family inet {
>     filter {
>         input-list [ limit-admin limit-bgp ALLOW ];
>     }
>     address blah1/32;
>     address blah2/32;
>     address blah3/32 {
>         primary;
>         preferred;
>     }
> }
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
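As an added example (not from the original post or the reply above), here is a lo0.0 filter written so that SSH/telnet and BGP are accepted only when they are both sourced from the allowed prefix lists and addressed to the loopback addresses. The filter name protect-re, the prefix-list contents and the address values are assumptions; the SNMP terms follow the same pattern as the login terms and are omitted for length. Two Junos details drive the design: a bare `prefix-list` inside `from` matches the source or the destination address, so `source-prefix-list` is the form for a source check; and an input filter on lo0.0 is evaluated for every packet destined to the Routing Engine regardless of the ingress interface, so a `destination-prefix-list` of the loopback addresses is what turns the 'official' addresses into the only ones that accept management sessions, while sessions aimed at an Ethernet interface address fall through to the discard terms.

```junos
policy-options {
    /* Assumed values (RFC 5737 documentation prefixes); replace with real ones. */
    prefix-list router-loopbacks {
        192.0.2.1/32;
        192.0.2.2/32;
    }
    prefix-list admin-hosts {
        198.51.100.0/24;
    }
    prefix-list bgp-peers {
        203.0.113.0/24;
    }
}
firewall {
    family inet {
        filter protect-re {
            /* Accept SSH/telnet only from admin hosts and only when addressed to a
               loopback address. A bare "prefix-list" match would test source OR
               destination, hence the explicit source-/destination- forms. */
            term allowed-login {
                from {
                    source-prefix-list {
                        admin-hosts;
                    }
                    destination-prefix-list {
                        router-loopbacks;
                    }
                    protocol tcp;
                    destination-port [ ssh telnet ];
                }
                then accept;
            }
            /* Any other SSH/telnet to the RE, including sessions aimed at an
               interface address, is counted, logged and dropped. */
            term no-other-logins {
                from {
                    protocol tcp;
                    destination-port [ ssh telnet ];
                }
                then {
                    count bad-admin-access;
                    log;
                    syslog;
                    discard;
                }
            }
            /* "port bgp" matches source or destination port, so this covers
               peer-initiated sessions and replies to sessions this router opened. */
            term allow-peers {
                from {
                    source-prefix-list {
                        bgp-peers;
                    }
                    destination-prefix-list {
                        router-loopbacks;
                    }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            term no-other-peers {
                from {
                    protocol tcp;
                    port bgp;
                }
                then {
                    count bad-bgp-connect;
                    log;
                    syslog;
                    discard;
                }
            }
            /* Plays the role of the trailing ALLOW filter in the posted input-list.
               A stricter filter enumerates IGP, ICMP, NTP etc. and drops the rest. */
            term accept-rest {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
                address 192.0.2.1/32;
                address 192.0.2.2/32 {
                    primary;
                    preferred;
                }
            }
        }
    }
}
```

After commit, `show firewall filter protect-re` shows the bad-* counters, `show firewall log` shows the most recent packets hit by the `log` action, and an SSH attempt from a non-admin host to an interface address should increment bad-admin-access rather than reach a login prompt. Applying a change like this with `commit confirmed` is prudent: a typo in admin-hosts or router-loopbacks locks out the very session making the change.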