SRX

 View Only
last person joined: 14 hours ago 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Filter only incomming ssh

    Posted 06-29-2020 04:15

    Good day,

     

    we use an SSH filter for incomming connection to remotly administrator firewalls.

    this means we have an list of ip adresses (permited_ssh_hosts) that may connect to the external SSH port.

    the firewall rule:

    firewall {
        family inet {
            filter protect_ssh_engine {
                term permit_ssh_from_permited_hosts {
                    from {
                        source-prefix-list {
                            permited_ssh_hosts;
                        }
                        protocol tcp;
                        port ssh;
                    }
                    then accept;
                }
                term discard_ssh_from_all_other_hosts {
                    from {
                        protocol tcp;
                        port ssh;
                    }
                    then {
                        discard;
                    }
                }
                term permit_all_other_traffice {
                    then accept;
                }
            }
        }
    }

    However this also limits the external SSH connections (from trust to untrust)

    i see some solutions where we need to add the external ip adres to the filter rules.

    However a large portion of the firewalls do no have a static ip. they use a dynamic provided ip.

     

    is there a solution to allow all outgoing traffic and still use an ip filter in incomming ssh?



  • 2.  RE: Filter only incomming ssh
    Best Answer

     
    Posted 06-29-2020 05:00

    Apply the filter to your loopback interface lo0. Even if there is no address and/or the address is not the management IP it will still filter traffic destined for the RE.

     

    https://www.juniper.net/documentation/en_US/junos/topics/example/firewall-filter-stateless-example-trusted-source-block-telnet-and-ssh-access.html  



  • 3.  RE: Filter only incomming ssh

    Posted 06-29-2020 07:12

    Wouw that was easy. 

    we always applied the filter to the untrust interfaces.

    thanks for making our life a litle bit easier today.