Rate and give feedback:  Feedback Received. Thank You!

Rate and give feedback: 

X

This document helped resolve my issue

Yes No

Additional Comments

800 characters remaining

May we contact you if necessary?

Name:  

E-mail: 

Enter a valid Email ID

Need product assistance? Contact Juniper Support

Submit

This site is protected by hCaptcha and its Privacy Policy and Terms of Service apply.

English  

English

Example: Configuring a Filter to Block Telnet and SSH Access

Requirements

You must have access to a remote host that has network connectivity with this router or switch.

Overview

• To match packets destined for or originating from the source-address 192.168.1.0/24 subnet, you use the address 192.168.1.0/24 IPv4 match condition.
• To match packets destined for or originating from a TCP port, Telnet port, or SSH port, you use the protocol tcp, port telnet, and telnet ssh IPv4 match conditions.

Configuration

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.

To configure this example, perform the following tasks:

• Configure the Stateless Firewall Filter
• Apply the Firewall Filter to the Loopback Interface
• Confirm and Commit Your Candidate Configuration

CLI Quick Configuration

Configure the Stateless Firewall Filter

Step-by-Step Procedure

1. Create the stateless firewall filter local_acl.

   [edit]user@myhost# edit firewall family inet filter local_acl

2. Define the filter term terminal_access.

   [edit firewall family inet filter local_acl]user@myhost# set term terminal_access from source-address 192.168.1.0/24 user@myhost# set term terminal_access from protocol tcp user@myhost# set term terminal_access from port ssh user@myhost# set term terminal_access from port telnet user@myhost# set term terminal_access then accept

3. Define the filter term terminal_access_denied.

   [edit firewall family inet filter local_acl]user@myhost# set term terminal_access_denied from protocol tcp user@myhost# set term terminal_access_denied from port ssh user@myhost# set term terminal_access_denied from port telnet user@myhost# set term terminal_access_denied then log user@myhost# set term terminal_access_denied then reject user@myhost# set term default-term then accept

Apply the Firewall Filter to the Loopback Interface

Step-by-Step Procedure

• To apply the firewall filter to the loopback interface:

  [edit]user@myhost# set interfaces lo0 unit 0 family inet filter input local_acluser@myhost# set interfaces lo0 unit 0 family inet address 127.0.0.1/32

Confirm and Commit Your Candidate Configuration

Step-by-Step Procedure

1. Confirm the configuration of the stateless firewall filter by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

   [edit]user@myhost# show firewall

   family inet {filter local_acl {term terminal_access {from {source-address {192.168.1.0/24;}protocol tcp;port [ssh telnet];}then accept;}term terminal_access_denied {from {protocol tcp;port [ssh telnet];}then {log;reject;}}term default-term {then accept;}}}

2. Confirm the configuration of the interface by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

   [edit]user@myhost# show interfaces

   lo0 {unit 0 {family inet {filter {input local_acl; }source-address 127.0.0.1/32;}}}

3. If you are done configuring the device, commit your candidate configuration.

   [edit]user@myhost# commit

Verification

Confirm that the configuration is working properly.

• Verifying Accepted Packets
• Verifying Logged and Rejected Packets

Verifying Accepted Packets

Purpose

Verify that the actions of the firewall filter terms are taken.

Action

1. Clear the firewall log on your router or switch.
   user@myhost> clear firewall log
2. From a host at an IP address within the 192.168.1.0/24 subnet, use the ssh hostname command to verify that you can log in to the device using only SSH. This packet should be accepted, and the packet header information for this packet should not be logged in the firewall filter log buffer in the Packet Forwarding Engine.
   user@host-A> ssh myhost

   user@myhosts’s password: 
   --- JUNOS 11.1-20101102.0 built 2010-11-02 04:48:46 UTC

   % cli

   user@myhost> 

3. From a host at an IP address within the 192.168.1.0/24 subnet, use the telnet hostname command to verify that you can log in to your router or switch using only Telnet. This packet should be accepted, and the packet header information for this packet should not be logged in the firewall filter log buffer in the Packet Forwarding Engine.
   user@host-A> telnet myhost

   Trying 192.168.249.71... 
   Connected to myhost-fxp0.acme.net.
   Escape character is '^]'.
   
   host (ttyp0)

   login: user

   Password:
   
   --- JUNOS 11.1-20101102.0 built 2010-11-02 04:48:46 UTC

   % cli

   user@myhost> 

4. Use the show firewall log command to verify that the routing table on the device does not contain any entries with a source address in the 192.168.1.0/24 subnet.
   user@myhost> show firewall log

Verifying Logged and Rejected Packets

Purpose

Verify that the actions of the firewall filter terms are taken.

Action

1. Clear the firewall log on your router or switch.
   user@myhost> clear firewall log
2. From a host at an IP address outside of the 192.168.1.0/24 subnet, use the ssh hostname command to verify that you cannot log in to the device using only SSH. This packet should be rejected, and the packet header information for this packet should be logged in the firewall filter log buffer in the Packet Forwarding Engine.
   user@host-B ssh myhost

   ssh: connect to host sugar port 22: Connection refused 
   --- JUNOS 11.1-20101102.0 built 2010-11-02 04:48:46 UTC 
   % 

3. From a host at an IP address outside of the 192.168.1.0/24 subnet, use the telnet hostname command to verify that you can log in to the device using only Telnet. This packet should be rejected, and the packet header information for this packet should be logged in the firewall filter log buffer in the PFE.
   user@host-B> telnet myhost

   Trying 192.168.249.71... 
   telnet: connect to address 192.168.187.3: Connection refused
   telnet: Unable to connect to remote host
   %

4. Use the show firewall log command to verify that the routing table on the device does not contain any entries with a source address in the 192.168.1.0/24 subnet.
   user@myhost> show firewall log

   Time     Filter    Action Interface Protocol Src Addr       Dest Addr
   18:41:25 local_acl R      fxp0.0    TCP      192.168.187.5  192.168.187.1
   18:41:25 local_acl R      fxp0.0    TCP      192.168.187.5  192.168.187.1
   18:41:25 local_acl R      fxp0.0    TCP      192.168.187.5  192.168.187.1
   ...
   18:43:06 local_acl R      fxp0.0    TCP      192.168.187.5  192.168.187.1
   18:43:06 local_acl R      fxp0.0    TCP      192.168.187.5  192.168.187.1
   18:43:06 local_acl R      fxp0.0    TCP      192.168.187.5  192.168.187.1
   ...