system-services (Security Zones Host Inbound Traffic)
Syntax
system-services { (service-name | all <service-name except>); }
Hierarchy Level
[edit security zones security-zone zone-name host-inbound-traffic]
Description
Specify the types of incoming system service traffic that can reach the device for all interfaces in a zone. You can do this in one of several ways:
You can enable traffic from each system service individually.
You can enable traffic from all system services.
You can enable traffic from all but some system services.
Options
service-name
—System-service for which traffic is allowed. The following system services are supported:all
—Enable traffic from the defined system services available on the Routing Engine (RE). Use the except option to disallow specific system services. Enabling all the system services does not override any interface specific configuration under a particular zone.any-service
—Enable all system services on entire port range including the system services that are not defined.bootp
—Enable traffic destined to BOOTP and DHCP relay agents.dhcp
—Enable incoming DHCP requests.dhcpv6
—Enable incoming DHCP requests for IPv6.dns
—Enable incoming DNS services.finger
—Enable incoming finger traffic.ftp
—Enable incoming FTP traffic.http
—Enable incoming J-Web or clear-text Web authentication traffic.https
—Enable incoming J-Web or Web authentication traffic over Secure Sockets Layer (SSL).ident-reset
—Enable the access that has been blocked by an unacknowledged identification request.ike
—Enable Internet Key Exchange traffic.lsping
—Enable label switched path ping service.netconf
—Enable incoming NETCONF service.ntp
—Enable incoming Network Time Protocol (NTP) traffic.ping
—Allow the device to respond to ICMP echo requests.r2cp
—Enable incoming Radio Router Control Protocol traffic.reverse-ssh
—Reverse SSH traffic.reverse-telnet
—Reverse Telnet traffic.rlogin
—Enable incomingrlogin
(remote login) traffic.rpm
—Enable incoming Real-time performance monitoring (RPM) traffic.rsh
—Enable incoming Remote Shell (rsh
) traffic.snmp
—Enable incoming SNMP traffic (UDP port 161).snmp-trap
—Enable incoming SNMP traps (UDP port 162).ssh
—Enable incoming SSH traffic.telnet
—Enable incoming Telnet traffic.tftp
—Enable TFTP services.traceroute
—Enable incoming traceroute traffic (UDP port 33434).xnm-clear-text
—Enable incoming Junos XML protocol traffic for all specified interfaces.xnm-ssl
— Enable incoming Junos XML protocol-over-SSL traffic for all specified interfaces.
except
—(Optional) Enable specific incoming system service traffic but only when the all option has been defined . For example, to enable all but FTP and HTTP system service traffic:set security zones security-zone trust host-inbound-traffic system-services all set security zones security-zone trust host-inbound-traffic system-services ftp except set security zones security-zone trust host-inbound-traffic system-services http except
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 8.5.