Hello,
I have a prefix list and a firewall filter applied to the lo0.0 interface in the input direction. If I try to SSH to the loopback IP address from a PC with a random IP address, I cannot see the login prompt in the terminal window, which is expected. But when I try to SSH to the IP addresses assigned to the fxp0 interface, the router asks me to enter a password, which is not expected, as the source address is not in the allowed list. I should not be able to see the login prompt when connecting to the fxp0 interface on the MX router from a PC whose IP address is not in my allowed prefix list. So how can I apply my filter to the fxp0 interface?
set interfaces lo0 unit 0 family inet address 10.10.1.1/32
set interfaces lo0 unit 0 family inet filter input MGMT-FILTER
set firewall filter MGMT-FILTER term SSH from prefix-list SSH
set firewall filter MGMT-FILTER term SSH from protocol tcp
set firewall filter MGMT-FILTER term SSH from destination-port ssh
set firewall filter MGMT-FILTER term SSH then accept
set firewall filter MGMT-FILTER term SSH-DENY from protocol tcp
set firewall filter MGMT-FILTER term SSH-DENY from destination-port ssh
set firewall filter MGMT-FILTER term SSH-DENY then discard
set firewall filter MGMT-FILTER term DEFAULT then accept
Prefix list:
set policy-options prefix-list SSH 10.0.0.0/8
set policy-options prefix-list SSH 192.168.1.0/24
My MX router has two Routing Engines in HA mode, and its configuration is like this:
groups {
    re0 {
        system {
            host-name mx-re0;
            backup-router 172.16.10.1 destination 0.0.0.0/0;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 172.16.10.100/24 {
                            master-only;
                        }
                        address 172.16.10.101/24;
                    }
                }
            }
        }
    }
    re1 {
        system {
            host-name mx-re1;
            backup-router 172.16.10.1 destination 0.0.0.0/0;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 172.16.10.100/24 {
                            master-only;
                        }
                        address 172.16.10.102/24;
                    }
                }
            }
        }
    }
}
As seen above, the fxp0 interface IP addresses are 172.16.10.101 and 172.16.10.102, and their shared IP address is 172.16.10.100. These IP addresses are reachable from my PC.
To test the filter, I have a device that I'm going to use, and its IP address is 10.20.20.1.
Test from PC (10.20.20.1):
pc1> ssh root@172.16.10.100
ECDSA key fingerprint is SHA256:TQonFpuShz67EkwdcE1g.
Are you sure you want to continue connecting (yes/no)? yes
Password:
Password:
.
.
.
pc1> ssh root@10.10.1.1
^C
As can be seen, SSH to the loopback IP address was blocked and the password prompt was not shown to me, but I got the password prompt while SSH'ing to the IP address of the fxp0 interface. Any idea?
Regards,
------------------------------
TAYMAZ MOHSENZADEH
------------------------------
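One way to close the gap described above, added here as an example and not taken from the thread: a filter on lo0 covers host-bound traffic that reaches the Routing Engine through the forwarding plane, while fxp0 is the Routing Engine's out-of-band management port, so the same filter has to be applied on fxp0 itself, inside each RE group (consistent with the behaviour observed in the post). It reuses MGMT-FILTER and the SSH prefix list from the post; the apply-groups line, the counter name and the placeholder subnet are assumptions.

```junos
# Added example, not from the original post: apply the existing filter on
# the management port in both RE groups, so the prefix-list check also
# covers 172.16.10.100, .101 and .102.
set groups re0 interfaces fxp0 unit 0 family inet filter input MGMT-FILTER
set groups re1 interfaces fxp0 unit 0 family inet filter input MGMT-FILTER
# Assumption: this is how the RE groups are activated (not shown in the post).
set apply-groups re0 re1

# Count and syslog the SSH attempts that SSH-DENY discards, so a hit from an
# unlisted source is visible in "show firewall filter MGMT-FILTER" and syslog.
set firewall filter MGMT-FILTER term SSH-DENY then count ssh-denied
set firewall filter MGMT-FILTER term SSH-DENY then syslog

# Caveat: the test source 10.20.20.1 lies inside 10.0.0.0/8, which is an entry
# in prefix-list SSH, so term SSH accepts it as written. If 10.20.20.1 is meant
# to be refused, narrow the list to the real management subnets, e.g.:
#   delete policy-options prefix-list SSH 10.0.0.0/8
#   set policy-options prefix-list SSH 10.10.0.0/16   (placeholder subnet)

# Commit with a rollback timer: a wrong fxp0 filter can cut off the very
# session doing the commit. MGMT-FILTER's DEFAULT accept term keeps the rest
# of the management traffic (backup-router, NTP, SNMP, ...) flowing.
commit confirmed 5
```

After the confirmed commit, repeat the two SSH tests from 10.20.20.1 and check that the ssh-denied counter in `show firewall filter MGMT-FILTER` increments only for the connection that should be refused.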