Good day,
We use an SSH filter for incoming connections to remotely administer firewalls.
This means we have a list of IP addresses (permited_ssh_hosts) that may connect to the external SSH port.
The firewall rule:
firewall {
    family inet {
        filter protect_ssh_engine {
            term permit_ssh_from_permited_hosts {
                from {
                    source-prefix-list {
                        permited_ssh_hosts;
                    }
                    protocol tcp;
                    port ssh;
                }
                then accept;
            }
            term discard_ssh_from_all_other_hosts {
                from {
                    protocol tcp;
                    port ssh;
                }
                then {
                    discard;
                }
            }
            term permit_all_other_traffice {
                then accept;
            }
        }
    }
}
However, this also limits the external SSH connections (from trust to untrust).
I see some solutions where we need to add the external IP address to the filter rules.
However, a large portion of the firewalls do not have a static IP; they use a dynamically provided IP.
Is there a solution to allow all outgoing traffic and still use an IP filter on incoming SSH?
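As an added example that is not part of the original question: in Junos the `port` match condition matches either the source or the destination port, so replies to SSH sessions the firewall itself opened (source port 22, ephemeral destination port) fall into the discard term. Matching on `destination-port` instead keeps inbound SSH restricted to the prefix list while leaving outbound sessions untouched; this assumes the filter is applied in the input direction on the external interface or lo0, and the `count` action and its name are additions made here to make discards visible.

```junos
firewall {
    family inet {
        filter protect_ssh_engine {
            /* Inbound SSH is accepted only from the management prefix list. */
            term permit_ssh_from_permited_hosts {
                from {
                    source-prefix-list {
                        permited_ssh_hosts;
                    }
                    protocol tcp;
                    /* was "port ssh", which also matched source port 22 */
                    destination-port ssh;
                }
                then accept;
            }
            /* Anything else aimed at the SSH service is dropped. Return
               packets of outbound SSH sessions carry source port 22 and an
               ephemeral destination port, so they no longer match here. */
            term discard_ssh_from_all_other_hosts {
                from {
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    /* assumption: counter added for this example */
                    count discarded_ssh;
                    discard;
                }
            }
            term permit_all_other_traffice {
                then accept;
            }
        }
    }
}
```

After committing, `show firewall filter protect_ssh_engine` shows the counter, so an unexpected rise in discarded_ssh while outbound SSH still works confirms only unsolicited inbound attempts are being dropped.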