system-services (Security Zones Host Inbound Traffic)

• all—Traffic from the defined system services available on the Routing Engine (RE). Use the except option to disallow specific system services. Enabling all the system services does not override any interface-specific configuration under a particular zone.

• any-service—All system services on an entire port range including the system services that are not defined.

• bootp—Traffic destined to BOOTP and DHCP relay agents

• dhcp—DHCP requests

• dhcpv6—DHCP requests for IPv6

• dns—DNS services

• finger—Finger traffic

• ftp—FTP traffic

• http—J-Web or clear-text Web authentication traffic

• https—J-Web or Web authentication traffic over Secure Sockets Layer (SSL)

• ident-reset—Access that has been blocked by an unacknowledged identification request

• ike—Internet Key Exchange (IKE) traffic

• lsping—Label-switched path (LSP) ping service

• netconf—NETCONF service

• ntp—Network Time Protocol (NTP) traffic

• ping—ICMP echo request responses

• r2cp—Radio-to-Router Control Protocol traffic

• reverse-ssh—Reverse SSH traffic

• reverse-telnet—Reverse Telnet traffic

• rlogin—Incoming rlogin (remote login) traffic

• rpm—Real-time performance monitoring (RPM) traffic

• rsh—Remote shell (rsh) traffic

• snmp—SNMP traffic (UDP port 161)

• snmp-trap—SNMP traps (UDP port 162)

• ssh—SSH traffic

• telnet—Telnet traffic

• tftp—TFTP services

• traceroute—Traceroute traffic (UDP port 33434)

• xnm-clear-text—Junos XML protocol traffic for all specified interfaces

• xnm-ssl— Junos XML protocol-over-SSL traffic for all specified interfaces

(Optional) Allow all inbound service traffic, except the specified service traffic types, to reach the device. In the following example, the configuration allows all system service traffic, with the exception of FTP and HTTP, to reach the device: