
Configuring Host Inbound Traffic

This topic describes how to configure zones to specify the kinds of traffic that can reach the device from systems that are directly connected to its interfaces.

This feature allows you to protect the device against attacks launched from systems that are directly connected to any of its interfaces. It also enables you to selectively configure the device so that administrators can manage it using certain applications on certain interfaces, while prohibiting the use of other applications on the same or different interfaces of a zone. For example, you would most likely want to prevent outsiders from using Telnet from the Internet to log in to the device, because you would not want them connecting to your system.

This topic covers:

  System Services
    J-Web Configuration
    CLI Configuration

System Services

Any host-inbound traffic that corresponds to a service listed under this option is allowed. For example, suppose a user whose system was directly connected to interface 1.3.1.4 in zone ABC wanted to use Telnet to reach interface 2.1.2.4 in zone ABC. For this action to be allowed, the telnet application must be configured as an allowed inbound service on both interfaces, and a security policy must permit the traffic.

Table 66 lists the supported services. A value of all indicates that traffic from every service in the table is allowed inbound on the specified interfaces (all interfaces of the zone, or a single specified interface).

Table 66: Supported System Services

  all            http           rpm            traceroute
  bootp          https          rsh            xnm-clear-text
  dhcp           ike            snmp           xnm-ssl
  finger         netconf        snmp-trap
  ftp            ping           ssh
  ident-reset    rlogin         telnet

Note: All services listed in Table 66 (except DHCP and BOOTP) can be configured either per zone or per interface. A DHCP server is configured only per interface, because the server must know the incoming interface to be able to send out DHCP replies.

To configure zones to allow use of supported application services as inbound services, use either J-Web or the CLI configuration editor.

J-Web Configuration

To configure the ABC zone to allow use of all the supported application services as inbound services using the J-Web configuration editor:

  1. Select Configure>CLI Tools>Point and Click CLI.
  2. Next to Security, click Configure or Edit.
  3. Next to Zones, click Configure or Edit.
  4. Next to Security zone, click Add new entry.
  5. In the Name box, type ABC and click OK.
  6. Next to Host inbound traffic, click Configure or Edit.
  7. To allow the security zone to use all of the supported application services, next to System services, click Add new entry.
  8. From the Service name list, select All and click OK.

To enable FTP for interface ge-0/0/1.3 and telnet for interface ge-0/0/1.1:

  1. Next to Interfaces, click Add new entry.
  2. In the Interface unit box, type ge-0/0/1.3 and click OK.
  3. Next to Host inbound traffic, click Configure or Edit.
  4. Next to System services, click Add new entry.
  5. From the Service name list, select ftp and click OK.
  6. Next to Interfaces, click Add new entry.
  7. In the Interface unit box, type ge-0/0/1.1 and click OK.
  8. Next to Host inbound traffic, click Configure or Edit.
  9. Next to System services, click Add new entry.
  10. From the Service name list, select telnet and click OK.

To enable FTP and telnet for interface ge-0/0/1.3 and only SNMP for interface ge-0/0/1.1:

  1. Next to Interfaces, click Add new entry.
  2. In the Interface unit box, type ge-0/0/1.3 and click OK.
  3. Next to Host inbound traffic, click Configure or Edit.
  4. Next to System services, click Add new entry.
  5. From the Service name list, select ftp and telnet, and click OK.

Then, to enable SNMP for interface ge-0/0/1.1:

  1. Next to Interfaces, click Add new entry.
  2. In the Interface unit box, type ge-0/0/1.1 and click OK.
  3. Next to Host inbound traffic, click Configure or Edit.
  4. Next to System services, click Add new entry.
  5. From the Service name list, select snmp and click OK.

To allow all configurable system services on the interface ge-0/0/1.3, except Telnet:

  1. Next to Interfaces, click Add new entry.
  2. In the Interface unit box, type ge-0/0/1.3 and click OK.
  3. Next to Host inbound traffic, click Configure or Edit.
  4. Next to System services, click Add new entry.
  5. From the Service name list, select all and click OK.
  6. Next to System services, click Add new entry.
  7. From the Service name list, select telnet and click OK.
  8. Select the Except check box and click OK.
  9. If you are finished configuring the device, commit the configuration.

CLI Configuration

To configure the ABC zone to allow use of all of the supported application services as inbound services, enter the following statements in Configure mode:

user@host# set security zones security-zone ABC host-inbound-traffic system-services all

In the following example, FTP is enabled for interface ge-0/0/1.3 and telnet for interface ge-0/0/1.1. You must configure FTP and telnet at the interface level, not the zone level. For incoming FTP and telnet requests to be recognized, the interface must be known to the server.

user@host# set security zones security-zone ABC interfaces ge-0/0/1.3 host-inbound-traffic system-services ftp
user@host# set security zones security-zone ABC interfaces ge-0/0/1.1 host-inbound-traffic system-services telnet

In the following example, FTP and telnet are enabled for interface ge-0/0/1.3 and only SNMP is enabled for interface ge-0/0/1.1.

user@host# set security zones security-zone ABC interfaces ge-0/0/1.3 host-inbound-traffic system-services ftp
user@host# set security zones security-zone ABC interfaces ge-0/0/1.3 host-inbound-traffic system-services telnet
user@host# set security zones security-zone ABC interfaces ge-0/0/1.1 host-inbound-traffic system-services snmp

You can use the all option to allow all configurable system services and use the except option to exclude certain services. In this example, all configurable system services are permitted on interface ge-0/0/1.3, except Telnet.

user@host# set security zones security-zone ABC interfaces ge-0/0/1.3 host-inbound-traffic system-services all
user@host# set security zones security-zone ABC interfaces ge-0/0/1.3 host-inbound-traffic system-services telnet except

In the following example, all configurable system services are permitted on interface ge-0/0/1.1, except HTTP and FTP.

user@host# set security zones security-zone ABC interfaces ge-0/0/1.1 host-inbound-traffic system-services all
user@host# set security zones security-zone ABC interfaces ge-0/0/1.1 host-inbound-traffic system-services http except
user@host# set security zones security-zone ABC interfaces ge-0/0/1.1 host-inbound-traffic system-services ftp except

In the following example, telnet and FTP are enabled at the zone level for security zone ABC, so interface ge-0/0/1.1 inherits them. Interface ge-0/0/1.3 has an interface-level override that takes priority, so only SNMP is allowed on ge-0/0/1.3.

user@host# set security zones security-zone ABC host-inbound-traffic system-services telnet
user@host# set security zones security-zone ABC host-inbound-traffic system-services ftp
user@host# set security zones security-zone ABC interfaces ge-0/0/1.3 host-inbound-traffic system-services snmp

If you are finished configuring the device, commit the configuration.

Another view of the previous configuration, as it appears in the configuration hierarchy:

security {
    zones {
        security-zone ABC {
            host-inbound-traffic {
                system-services {
                    telnet;
                    ftp;
                }
            }
            interfaces {
                ge-0/0/1.1;
                ge-0/0/1.3 {
                    host-inbound-traffic {
                        system-services {
                            snmp;
                        }
                    }
                }
            }
        }
    }
}
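The zone-versus-interface precedence and the all/except semantics described in the CLI examples above can be checked mechanically before a commit. The following Python model is an added example, not Juniper's code and not part of this document's original content: it parses set statements of the forms used on this page, computes the services each interface effectively accepts, and flags interfaces that accept clear-text management services. It assumes, as the override example states, that an interface-level host-inbound-traffic block replaces the zone-level block for that interface rather than merging with it. The zone untrust and interface ge-0/0/2.0 in the sample input are constructed values, not from the page.

```python
"""Added example (not Juniper's code): a small model of how Junos
host-inbound-traffic system-services statements resolve per interface.

Rules applied, as stated on the page:
  * `all` admits every service in Table 66; `<service> except` removes
    one service from an `all` grant;
  * an interface-level host-inbound-traffic block overrides the
    zone-level block for that interface.
Assumption: the interface-level block replaces the zone block entirely
rather than merging with it. Zone `untrust` and interface ge-0/0/2.0 in
SAMPLE_CONFIG are constructed values.
"""
import re
from dataclasses import dataclass, field

# Table 66 without the `all` keyword.
SUPPORTED_SERVICES = frozenset({
    "bootp", "dhcp", "finger", "ftp", "http", "https", "ident-reset",
    "ike", "netconf", "ping", "rlogin", "rpm", "rsh", "snmp", "snmp-trap",
    "ssh", "telnet", "traceroute", "xnm-clear-text", "xnm-ssl",
})

# Management services that carry credentials in clear text; worth review
# wherever they are reachable from an interface facing untrusted hosts.
CLEARTEXT_MANAGEMENT = frozenset(
    {"telnet", "ftp", "http", "rlogin", "rsh", "xnm-clear-text"})

SET_RE = re.compile(
    r"^set security zones security-zone (?P<zone>\S+)"
    r"(?: interfaces (?P<ifc>\S+))?"
    r"(?: host-inbound-traffic system-services (?P<svc>\S+)(?P<exc> except)?)?$"
)


@dataclass
class ServiceGrant:
    """The system-services block at one zone or interface level."""
    allow_all: bool = False
    allowed: set = field(default_factory=set)
    excepted: set = field(default_factory=set)

    def add(self, service: str, is_except: bool) -> None:
        if service == "all":
            if is_except:
                raise ValueError("'all except' is not a valid statement")
            self.allow_all = True
        elif service not in SUPPORTED_SERVICES:
            raise ValueError(f"unknown system service {service!r}")
        elif is_except:
            self.excepted.add(service)
        else:
            self.allowed.add(service)

    def effective(self) -> frozenset:
        base = SUPPORTED_SERVICES if self.allow_all else self.allowed
        return frozenset(base - self.excepted)


def parse_config(lines):
    """Return {zone: {"grant": ServiceGrant, "interfaces": {ifc: grant}}}.

    An interface mapped to None is bound to the zone but has no
    interface-level block, so it inherits the zone-level grant.
    """
    zones = {}
    for raw in lines:
        line = re.sub(r"^\S+#\s*", "", raw.strip())  # drop a CLI prompt
        if not line:
            continue
        m = SET_RE.match(line)
        if not m:
            raise ValueError(f"unsupported statement: {line}")
        zone = zones.setdefault(m["zone"], {"grant": ServiceGrant(), "interfaces": {}})
        if m["ifc"] is None:
            if m["svc"] is None:
                raise ValueError(f"incomplete statement: {line}")
            target = zone["grant"]
        else:
            target = zone["interfaces"].get(m["ifc"])
            if m["svc"] is None:          # plain interface binding
                zone["interfaces"].setdefault(m["ifc"], None)
                continue
            if target is None:            # first interface-level statement
                target = zone["interfaces"][m["ifc"]] = ServiceGrant()
        target.add(m["svc"], m["exc"] is not None)
    return zones


def effective_services(zones):
    """Map each bound interface to the set of services it accepts."""
    result = {}
    for zone in zones.values():
        for ifc, grant in zone["interfaces"].items():
            result[ifc] = (zone["grant"] if grant is None else grant).effective()
    return result


def cleartext_management_exposure(effective):
    """Interfaces that accept any clear-text management service."""
    return {ifc: sorted(svcs & CLEARTEXT_MANAGEMENT)
            for ifc, svcs in effective.items() if svcs & CLEARTEXT_MANAGEMENT}


# Constructed sample: the page's zone/interface override example plus an
# `all ... except telnet` interface in a constructed zone `untrust`.
SAMPLE_CONFIG = """
set security zones security-zone ABC host-inbound-traffic system-services telnet
set security zones security-zone ABC host-inbound-traffic system-services ftp
set security zones security-zone ABC interfaces ge-0/0/1.1
set security zones security-zone ABC interfaces ge-0/0/1.3 host-inbound-traffic system-services snmp
set security zones security-zone untrust interfaces ge-0/0/2.0 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces ge-0/0/2.0 host-inbound-traffic system-services telnet except
"""

if __name__ == "__main__":
    eff = effective_services(parse_config(SAMPLE_CONFIG.splitlines()))
    for ifc in sorted(eff):
        print(f"{ifc}: {' '.join(sorted(eff[ifc]))}")
    print("clear-text management reachable:", cleartext_management_exposure(eff))
```

Running the block on the sample shows ge-0/0/1.1 inheriting telnet and ftp from the zone, ge-0/0/1.3 accepting only snmp because its own block wins, and ge-0/0/2.0 accepting the nineteen remaining services after telnet is excepted. The exposure check then reports the interfaces on which clear-text management services are still reachable, which is the review a practitioner wants before trusting an all-with-except grant on an outward-facing interface.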

For more information on host-inbound traffic parameters, see the JUNOS Software CLI Reference.
