Configuring rsh, rlogin, rexec for Stateful Firewall

Some implementations of rsh, rlogin, and rexec require the remote host to authenticate the request by opening a separate TCP session to port 113 on the client host. By default, the stateful firewall does not allow this authentication flow to go through.

To open the authentication flow, include the applications junos-ident statement at the [edit services stateful-firewall rule rule-name term term-name from] hierarchy level:

[edit]
services {
    stateful-firewall {
        rule rule1 {
            term term1 {
                from {
                    (source-address | destination-address);
                    applications junos-ident;
                }
                then {
                    accept;
                }
            }
        }
    }
}

To allow Kerberos-enabled rsh, rlogin, and rexec through the stateful firewall, configure the following additional applications and include them in the stateful firewall terms:

[edit]
applications {
    application test-kerberos-kshell {
        protocol tcp;
        destination-port kshell;
    }
    application test-kerberos-klogin {
        protocol tcp;
        destination-port klogin;
    }
}
services {
    stateful-firewall {
        rule rule1 {
            term term1 {
                from {
                    applications [ test-kerberos-klogin test-kerberos-kshell ];
                }
                then {
                    accept;
                }
            }
        }
    }
}

Published: 2010-05-09

