Do Firewall Filters on Olive Work ?
Jmiller1980
Registered Users Posts: 2 ■□□□□□□□□□
in Juniper
Guys,
I built the filters below to block SSH traffic, and every time I apply one to my em0.0 all traffic stops through the interface. What am I doing wrong to cause this?
firewall {
    filter local-access {
        term terminal-access {
            from {
                address {
                    192.20.20.28/32;
                }
                protocol tcp;
                port ssh;
            }
            then accept;
        }
        term no-access {
            from {
                protocol tcp;
                port ssh;
            }
            then {
                log;
                reject;
            }
        }
    }
    filter Kill-SSH {
        term Kill-SSH-192.20.20.28 {
            from {
                source-address {
                    192.20.20.28/32;
                }
                protocol tcp;
                port ssh;
            }
            then accept;
        }
    }
}
interfaces {
    em0 {
        unit 0 {
            family inet {
                filter {
                    input Kill-SSH;
                }
                address 192.20.20.250/24;
            }
        }
    }
}
Model: olive
JUNOS Base OS boot [10.1R1.8]
JUNOS Base OS Software Suite [10.1R1.8]
JUNOS Kernel Software Suite [10.1R1.8]
JUNOS Crypto Software Suite [10.1R1.8]
JUNOS Packet Forwarding Engine Support (M/T Common) [10.1R1.8]
JUNOS Packet Forwarding Engine Support (M20/M40) [10.1R1.8]
JUNOS Online Documentation [10.1R1.8]
JUNOS Voice Services Container package [10.1R1.8]
JUNOS Border Gateway Function package [10.1R1.8]
JUNOS Services AACL Container package [10.1R1.8]
JUNOS Services LL-PDF Container package [10.1R1.8]
JUNOS Services Stateful Firewall [10.1R1.8]
JUNOS AppId Services [10.1R1.8]
JUNOS IDP Services [10.1R1.8]
JUNOS Routing Software Suite [10.1R1.8]
Comments
-
networker050184 Mod Posts: 11,962
I'm not too familiar with olives, but what are you trying to accomplish with this filter? Keep in mind there is an implicit deny at the end of your filter that will block everything else.
An expert is a man who has made all the mistakes which can be made.
-
froggy3132000 Member Posts: 28 ■□□□□□□□□□
I am not sure that firewall filters work properly within olives. However, the filter you have applied only permits SSH from 192.20.20.28. You are not permitting anything else. Where is the local-access filter being applied?
-
Jmiller1980 Registered Users Posts: 2 ■□□□□□□□□□
froggy3132000 wrote: »
I am not sure that firewall filters work properly within olives. However, the filter you have applied only permits SSH from 192.20.20.28. You are not permitting anything else. Where is the local-access filter being applied?
So how would I apply one to allow SSH from EV1 in 192.20.20.0/24 and only block 192.20.20.28?
or
Only allow SSH from 192.20.20.28 and block all other IPs in the subnet.
-
ofirzzz Registered Users Posts: 3 ■□□□□□□□□□
The default policy is to deny any other traffic, so just add a last term that permits other traffic.
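A worked version of both policies from Jmiller1980's follow-up question, written the way ofirzzz describes: Junos evaluates terms first to last, a packet takes the action of the first term it matches, and anything no term accepts hits the implicit discard at the end of the filter, which is why the posted Kill-SSH filter (one accept term, nothing else) drops all other traffic. This is an added example, not configuration posted in the thread. The filter, term and counter names are my own; the interface, subnet and addresses are the ones from the original post.

```junos
firewall {
    filter ssh-block-28 {
        /* Policy 1: SSH from 192.20.20.0/24 is allowed, except from 192.20.20.28 */
        term deny-ssh-from-28 {
            from {
                source-address {
                    192.20.20.28/32;
                }
                protocol tcp;
                destination-port ssh;
            }
            then {
                count ssh-denied-28;
                log;
                discard;
            }
        }
        term allow-ssh-from-subnet {
            from {
                source-address {
                    192.20.20.0/24;
                }
                protocol tcp;
                destination-port ssh;
            }
            then accept;
        }
        /* Assumption: SSH from outside the /24 is not wanted either; drop this term if it is */
        term deny-other-ssh {
            from {
                protocol tcp;
                destination-port ssh;
            }
            then {
                count ssh-denied-other;
                discard;
            }
        }
        /* Without this term the implicit discard at the end drops all non-SSH traffic too */
        term allow-everything-else {
            then accept;
        }
    }
    filter ssh-only-28 {
        /* Policy 2: SSH allowed only from 192.20.20.28, denied from every other source */
        term allow-ssh-from-28 {
            from {
                source-address {
                    192.20.20.28/32;
                }
                protocol tcp;
                destination-port ssh;
            }
            then accept;
        }
        term deny-other-ssh {
            from {
                protocol tcp;
                destination-port ssh;
            }
            then {
                count ssh-denied;
                log;
                discard;
            }
        }
        term allow-everything-else {
            then accept;
        }
    }
}
interfaces {
    em0 {
        unit 0 {
            family inet {
                filter {
                    /* use ssh-only-28 here for policy 2 */
                    input ssh-block-28;
                }
                address 192.20.20.250/24;
            }
        }
    }
}
```

Two details worth checking against the original filters: `port ssh` matches TCP port 22 as either source or destination, so a filter built on it also hits return traffic from an SSH session the router itself opened; `destination-port ssh` with `source-address` is the tighter match for inbound logins. `reject` answers the blocked client with an ICMP unreachable, while `discard` drops silently; for a brute-force source the silent drop is the usual choice. When the filter goes on the interface you are logged in through, commit it with `commit confirmed 5` so a mistake rolls back on its own, then confirm the terms are doing what you expect with `show firewall filter ssh-block-28` (the counters) and `show firewall log` (the logged hits).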
-
Aldur Member Posts: 1,460
LOLOLOLOOL oh man, Mishra, that gave me a good laugh.
And to the OP's question: yip, firewall filters definitely work on an olive. I've used one as a jump box from the outside world, and I had to put a firewall filter in place to block friendly people from China attempting to brute-force their way into my olive.
And it worked like a charm.
"Bribe is such an ugly word. I prefer extortion. The X makes it sound cool."
-Bender