Navigation
Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Example: Configuring a Filter to Block Telnet and SSH Access

    Requirements

    You must have access to a remote host that has network connectivity with this device.

    Overview

    In this example, you create an IPv4 stateless firewall filter that logs and rejects Telnet or SSH access packets unless the packet is destined for or originates from the 192.168.1.0/24 subnet.

    • To match packets destined for or originating from the address 192.168.1.0/24 subnet, you use the source-address 192.168.1.0/24 IPv4 match condition.
    • To match packets destined for or originating from a TCP port, Telnet port, or SSH port, you use the protocol tcp, port telnet, and telnet ssh IPv4 match conditions.

    Configuration

    The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.

    To configure this example, perform the following tasks:

    CLI Quick Configuration

    To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

    set firewall family inet filter local_acl term terminal_access from source-address 192.168.1.0/24set firewall family inet filter local_acl term terminal_access from protocol tcpset firewall family inet filter local_acl term terminal_access from port sshset firewall family inet filter local_acl term terminal_access from port telnetset firewall family inet filter local_acl term terminal_access then acceptset firewall family inet filter local_acl term terminal_access_denied from protocol tcpset firewall family inet filter local_acl term terminal_access_denied from port sshset firewall family inet filter local_acl term terminal_access_denied from port telnetset firewall family inet filter local_acl term terminal_access_denied then logset firewall family inet filter local_acl term terminal_access_denied then rejectset firewall family inet filter local_acl term default-term then acceptset interfaces lo0 unit 0 family inet filter input local_acl set interfaces lo0 unit 0 family inet address 127.0.0.1/32

    Configure the Stateless Firewall Filter

    Step-by-Step Procedure

    To configure the stateless firewall filter that selectively blocks Telnet and SSH access:

    1. Create the stateless firewall filter local_acl.

      [edit]user@myhost# edit firewall family inet filter local_acl
    2. Define the filter term terminal_access.

      [edit firewall family inet filter local_acl]user@myhost# set term terminal_access from source-address 192.168.1.0/24 user@myhost# set term terminal_access from protocol tcp user@myhost# set term terminal_access from port ssh user@myhost# set term terminal_access from port telnet user@myhost# set term terminal_access then accept
    3. Define the filter term terminal_access_denied.

      [edit firewall family inet filter local_acl]user@myhost# set term terminal_access_denied from protocol tcp user@myhost# set term terminal_access_denied from port ssh user@myhost# set term terminal_access_denied from port telnet user@myhost# set term terminal_access_denied then log user@myhost# set term terminal_access_denied then reject user@myhost# set term default-term then accept

    Apply the Firewall Filter to the Loopback Interface

    Step-by-Step Procedure

    • To apply the firewall filter to the loopback interface:

      [edit]user@myhost# set interfaces lo0 unit 0 family inet filter input local_acluser@myhost# set interfaces lo0 unit 0 family inet address 127.0.0.1/32

    Confirm and Commit Your Candidate Configuration

    Step-by-Step Procedure

    To confirm and then commit your candidate configuration:

    1. Confirm the configuration of the stateless firewall filter by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

      [edit]user@myhost# show firewall
      family inet {filter local_acl {term terminal_access {from {source-address {192.168.1.0/24;}protocol tcp;port [ssh telnet];}then accept;}term terminal_access_denied {from {protocol tcp;port [ssh telnet];}then {log;reject;}}term default-term {then accept;}}}
    2. Confirm the configuration of the interface by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

      [edit]user@myhost# show interfaces
      lo0 {unit 0 {family inet {filter {input local_acl; }source-address 127.0.0.1/32;}}}
    3. If you are done configuring the device, commit your candidate configuration.

      [edit]user@myhost# commit

    Verification

    Confirm that the configuration is working properly.

    Verifying Accepted Packets

    Purpose

    Verify that the actions of the firewall filter terms are taken.

    Action

    1. Clear the firewall log on your router or switch.
      user@myhost> clear firewall log
    2. From a host at an IP address within the 192.168.1.0/24 subnet, use the ssh hostname command to verify that you can log in to the device using only SSH. This packet should be accepted, and the packet header information for this packet should not be logged in the firewall filter log buffer in the Packet Forwarding Engine.
      user@host-A> ssh myhost
      user@myhosts’s password: 
      --- JUNOS 11.1-20101102.0 built 2010-11-02 04:48:46 UTC
      % cli
      user@myhost> 
    3. From a host at an IP address within the 192.168.1.0/24 subnet, use the telnet hostname command to verify that you can log in to your router or switch using only Telnet. This packet should be accepted, and the packet header information for this packet should not be logged in the firewall filter log buffer in the Packet Forwarding Engine.
      user@host-A> telnet myhost
      Trying 192.168.249.71... 
      Connected to myhost-fxp0.example.net.
      Escape character is '^]'.
      
      host (ttyp0)
      login: user
      Password:
      
      --- JUNOS 11.1-20101102.0 built 2010-11-02 04:48:46 UTC
      % cli
      user@myhost> 
    4. Use the show firewall log command to verify that the routing table on the device does not contain any entries with a source address in the 192.168.1.0/24 subnet.
      user@myhost> show firewall log

    Verifying Logged and Rejected Packets

    Purpose

    Verify that the actions of the firewall filter terms are taken.

    Action

    1. Clear the firewall log on your router or switch.
      user@myhost> clear firewall log
    2. From a host at an IP address outside of the 192.168.1.0/24 subnet, use the ssh hostname command to verify that you cannot log in to the device using only SSH. This packet should be rejected, and the packet header information for this packet should be logged in the firewall filter log buffer in the Packet Forwarding Engine.
      user@host-B ssh myhost
      ssh: connect to host sugar port 22: Connection refused 
      --- JUNOS 11.1-20101102.0 built 2010-11-02 04:48:46 UTC 
      % 
    3. From a host at an IP address outside of the 192.168.1.0/24 subnet, use the telnet hostname command to verify that you can log in to the device using only Telnet. This packet should be rejected, and the packet header information for this packet should be logged in the firewall filter log buffer in the PFE.
      user@host-B> telnet myhost
      Trying 192.168.249.71... 
      telnet: connect to address 192.168.187.3: Connection refused
      telnet: Unable to connect to remote host
      %
    4. Use the show firewall log command to verify that the routing table on the device does not contain any entries with a source address in the 192.168.1.0/24 subnet.
      user@myhost> show firewall log
      Time     Filter    Action Interface Protocol Src Addr       Dest Addr
      18:41:25 local_acl R      fxp0.0    TCP      192.168.187.5  192.168.187.1
      18:41:25 local_acl R      fxp0.0    TCP      192.168.187.5  192.168.187.1
      18:41:25 local_acl R      fxp0.0    TCP      192.168.187.5  192.168.187.1
      ...
      18:43:06 local_acl R      fxp0.0    TCP      192.168.187.5  192.168.187.1
      18:43:06 local_acl R      fxp0.0    TCP      192.168.187.5  192.168.187.1
      18:43:06 local_acl R      fxp0.0    TCP      192.168.187.5  192.168.187.1
      ...

    Modified: 2017-02-14