Example: Configuring a Filter to Block Telnet and SSH Access

 

Requirements

You must have access to a remote host that has network connectivity with this device.

Overview

In this example, you create an IPv4 stateless firewall filter that logs and rejects Telnet or SSH access packets unless the packet is destined for or originates from the 192.168.1.0/24 subnet.

  • To match packets destined for or originating from the address 192.168.1.0/24 subnet, you use the source-address 192.168.1.0/24 IPv4 match condition.

  • To match packets destined for or originating from a TCP port, Telnet port, or SSH port, you use the protocol tcp, port telnet, and telnet ssh IPv4 match conditions.

Configuration

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.

To configure this example, perform the following tasks:

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Configure the Stateless Firewall Filter

Step-by-Step Procedure

To configure the stateless firewall filter that selectively blocks Telnet and SSH access:

  1. Create the stateless firewall filter local_acl.

  2. Define the filter term terminal_access.

  3. Define the filter term terminal_access_denied.

Apply the Firewall Filter to the Loopback Interface

Step-by-Step Procedure

  • To apply the firewall filter to the loopback interface:

Confirm and Commit Your Candidate Configuration

Step-by-Step Procedure

To confirm and then commit your candidate configuration:

  1. Confirm the configuration of the stateless firewall filter by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

  2. Confirm the configuration of the interface by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

  3. If you are done configuring the device, commit your candidate configuration.

Verification

Confirm that the configuration is working properly.

Verifying Accepted Packets

Purpose

Verify that the actions of the firewall filter terms are taken.

Action

  1. Clear the firewall log on your router or switch.
    user@myhost> clear firewall log
  2. From a host at an IP address within the 192.168.1.0/24 subnet, use the ssh hostname command to verify that you can log in to the device using only SSH. This packet should be accepted, and the packet header information for this packet should not be logged in the firewall filter log buffer in the Packet Forwarding Engine.
    user@host-A> ssh myhost
    % cli
  3. From a host at an IP address within the 192.168.1.0/24 subnet, use the telnet hostname command to verify that you can log in to your router or switch using only Telnet. This packet should be accepted, and the packet header information for this packet should not be logged in the firewall filter log buffer in the Packet Forwarding Engine.
    user@host-A> telnet myhost
    login: user
    % cli
  4. Use the show firewall log command to verify that the routing table on the device does not contain any entries with a source address in the 192.168.1.0/24 subnet.
    user@myhost> show firewall log

Verifying Logged and Rejected Packets

Purpose

Verify that the actions of the firewall filter terms are taken.

Action

  1. Clear the firewall log on your router or switch.
    user@myhost> clear firewall log
  2. From a host at an IP address outside of the 192.168.1.0/24 subnet, use the ssh hostname command to verify that you cannot log in to the device using only SSH. This packet should be rejected, and the packet header information for this packet should be logged in the firewall filter log buffer in the Packet Forwarding Engine.
    user@host-B ssh myhost
  3. From a host at an IP address outside of the 192.168.1.0/24 subnet, use the telnet hostname command to verify that you can log in to the device using only Telnet. This packet should be rejected, and the packet header information for this packet should be logged in the firewall filter log buffer in the PFE.
    user@host-B> telnet myhost
  4. Use the show firewall log command to verify that the routing table on the device does not contain any entries with a source address in the 192.168.1.0/24 subnet.
    user@myhost> show firewall log