Do Firewall Filters on Olive Work ?

Jmiller1980

Guys,

I built the filters below to block ssh traffic and everytime I apply to my em0.0 all traffic stops through the interface. What am I doing wrong to cause this ?

firewall {
filter local-access {
term terminal-access {
from {
address {
192.20.20.28/32;
}
protocol tcp;
port ssh;
}
then accept;
}
term no-access {
from {
protocol tcp;
port ssh;
}
then {
log;
reject;
}
}
}
filter Kill-SSH {
term Kill-SSH-192.20.20.28 {
from {
source-address {
192.20.20.28/32;
}
protocol tcp;
port ssh;
}
then accept;
}
}
}

interfaces {
em0 {
unit 0 {
family inet {
filter {
input Kill-SSH;
}
address 192.20.20.250/24;

Model: olive
JUNOS Base OS boot [10.1R1.8]
JUNOS Base OS Software Suite [10.1R1.8]
JUNOS Kernel Software Suite [10.1R1.8]
JUNOS Crypto Software Suite [10.1R1.8]
JUNOS Packet Forwarding Engine Support (M/T Common) [10.1R1.8]
JUNOS Packet Forwarding Engine Support (M20/M40) [10.1R1.8]
JUNOS Online Documentation [10.1R1.8]
JUNOS Voice Services Container package [10.1R1.8]
JUNOS Border Gateway Function package [10.1R1.8]
JUNOS Services AACL Container package [10.1R1.8]
JUNOS Services LL-PDF Container package [10.1R1.8]
JUNOS Services Stateful Firewall [10.1R1.8]
JUNOS AppId Services [10.1R1.8]
JUNOS IDP Services [10.1R1.8]
JUNOS Routing Software Suite [10.1R1.8]

Find more posts tagged with

Comments

networker050184

I'm not too familiar with olives, but what are you trying to accomplish with this filter? Keep in mind there is an implicit deny at the end of your filter that will block everything else.

froggy3132000

I am not sure that firewall filters work properly within olives. However the filter you have applied only permits ssh from 192.20.20.28. You are not permitting anything else. Where is the local-access filter being applied?

Jmiller1980

froggy3132000 wrote: »

I am not sure that firewall filters work properly within olives. However the filter you have applied only permits ssh from 192.20.20.28. You are not permitting anything else. Where is the local-access filter being applied?

So How would I apply one to allow ssh from EV1 in 192.20.20.0/24 and only block 192.20.20.28.

or

Only allow ssh from 192.20.20.28 and block all other ip's in the Subnet.

ofirzzz

the default policy is deny any other traffic so just add last term that permit other traffic.

Mishra

images?q=tbn:ANd9GcRR43J7NcFUU14LQN3hu0VS5eKXD0Rpq5luy5Hj39yFmR5OXdK_

?

Interesting question...

Aldur

LOLOLOLOOL oh man, Mishra, that gave me a good laugh.

And to the OPs question, Yip, firewall filters definitely work on an olive. I've used one as a jump box from the outside world and I had to put a firewall filter in place to block friendly people from China attempting to brute force their way into my olive.

And it worked like a charm.