Junos OS


Firewall policy to block SSH

  • 1.  Firewall policy to block SSH

    Posted 11-01-2018 03:20

    Quick question.


    I have an interface that will be split into many logical units for VLANs to Ethernet customers. I want to ensure these customers cannot SSH to any internal device but can SSH through the network. I have completed this with no problem, so that is not the question. This is though.... If I want to block said SSH access to the internal devices, do I have to place the firewall policy on EVERY logical interface connected, or can I place it on the main physical interface and it then extends to cover the logical?


    Hope that makes sense.....


    I can, of course, test this theory, but thought I would ask.....

  • 2.  RE: Firewall policy to block SSH

    Posted 11-01-2018 04:22


    You have to apply the firewall filter on all logical interfaces. The firewall filter will not extend to the logical interfaces if you apply it only to the physical interface.

    You may apply the filter to the loopback interface of the internal devices to control device SSH access. In the filter, allow the internal networks you want to allow access. This is the recommended method; there is no need to apply the filter to every interface, and it is future proof.


    You can also use a group config to apply the filter to all existing logical interfaces. This method is also future proof.


    set groups block-ssh interfaces <ge-*> unit <*> family inet filter input <filter name>

    set apply-groups block-ssh

  • 3.  RE: Firewall policy to block SSH

    Posted 11-01-2018 04:53

    Hi, you can configure this via apply-groups and a wildcard.





    host@test# show groups
    test {
        interfaces {
            ge-0/0/0 {
                unit <*> {
                    family inet {
                        filter {
                            input test-filter;
                        }
                    }
                }
            }
        }
    }
    host@test# show apply-groups
    apply-groups test;



  • 4.  RE: Firewall policy to block SSH

    Posted 11-01-2018 09:03

    Thanks guys. Works perfectly.


    One more question though please.....


    I had CoS applied too on the Logical Interfaces with an end term of "accept".... this caused the SSH to still work, so for now I have removed the CoS.

    To apply more than one policy to all the logical interfaces, do I just apply the CoS policy to the "group"?


    If so, does the order within the group matter?



  • 5.  RE: Firewall policy to block SSH
    Best Answer

    Posted 11-01-2018 09:13

    You may use "filter input-list" in the group to apply multiple firewall filters. Only one filter can be applied using the "filter input" command.

    Please refer to the link below for details:



  • 6.  RE: Firewall policy to block SSH

    Posted 11-01-2018 09:21

    Thank you Nellikka.... So, you have both helped me.... I guess I have to flip a coin to see who gets the "accepted Solution"  🙂


    You both get "kudos"  🙂
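
The group-plus-input-list approach from posts 2 and 5, written out as an added example that is not from any poster in this thread. The filter names, the prefix-list name and the 192.0.2.0/24 range are constructed placeholders. It also shows why order in the list matters: filters in an input-list are evaluated in sequence, and a terminating action such as accept ends evaluation.

```junos
# Constructed placeholder: the internal device addresses customers must not reach over SSH.
set policy-options prefix-list internal-devices 192.0.2.0/24

# Filter 1 (hypothetical name): discard SSH aimed at internal devices.
# There is deliberately no final "accept" term: in an input-list, a packet that
# matches no term here falls through to the next filter in the list.
set firewall family inet filter block-ssh-internal term deny-ssh from destination-prefix-list internal-devices
set firewall family inet filter block-ssh-internal term deny-ssh from protocol tcp
set firewall family inet filter block-ssh-internal term deny-ssh from destination-port ssh
set firewall family inet filter block-ssh-internal term deny-ssh then discard

# Filter 2 (hypothetical name): a CoS filter whose last term ends in "accept".
# If this filter were evaluated first, its accept would stop evaluation and the
# SSH discard above would never be reached.
set firewall family inet filter cos-classify term all then forwarding-class best-effort
set firewall family inet filter cos-classify term all then accept

# Apply both filters, in this order, to every unit of every ge- interface.
set groups block-ssh interfaces <ge-*> unit <*> family inet filter input-list [ block-ssh-internal cos-classify ]
set apply-groups block-ssh
```

In configuration mode, `show interfaces | display inheritance` shows which units actually inherited the filter list from the group before you commit.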