I would actually work with something similar to what is shown below. If you use a default deny-all, it will block any return traffic sourced from the SRX itself, because this is a stateless filter: Websense, DNS, NTP, etc. will all be blocked by that type of filter. My filter below permits only the sources you want to reach the services running on the unit, blocks those same services from anywhere else, and permits everything else. Make sure to update the permit/deny list with any extra services you need on the router/switch/firewall. This filter should be suitable for almost any Junos device out there.
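firewall {
    /*
     * Management-plane filters for the device's own services (the apply
     * statement on the loopback/management interface is not shown here).
     * The filter is stateless, so the design is "restrict the listed
     * services, permit everything else" rather than default-deny: a
     * default-deny term would also drop return traffic for sessions the
     * device itself originates (DNS, NTP, etc.).
     */
    family inet {
        filter Management_ipv4 {
            /* Management services, only from the trusted prefix list; logged. */
            term 1 {
                from {
                    prefix-list {
                        Management_ipv4;
                    }
                    /*
                     * Match the protocol together with the port. Without a
                     * protocol match the port comparison is applied at the
                     * same header offset for any IP protocol, so non-TCP/UDP
                     * packets can match (or, in term 3, be discarded) by
                     * accident. snmp is UDP, the remaining services are TCP.
                     */
                    protocol [ tcp udp ];
                    destination-port [ http https telnet snmp ftp ssh ];
                }
                then {
                    log;
                    accept;
                }
            }
            /* BGP sessions only from configured neighbors (prefix-list BGP-Neighbors). */
            term 2 {
                from {
                    prefix-list {
                        BGP-Neighbors;
                    }
                    protocol tcp;
                    destination-port bgp;
                }
                then accept;
            }
            /*
             * The same services from any other source are dropped. Logging
             * the discards gives visibility into scanning and brute-force
             * attempts against the management plane (show firewall log).
             */
            term 3 {
                from {
                    protocol [ tcp udp ];
                    destination-port [ http https telnet snmp bgp ftp ssh ];
                }
                then {
                    log;
                    discard;
                }
            }
            /* Everything else (transit, return traffic, ICMP, other routing protocols) is permitted. */
            term default-permit {
                then accept;
            }
        }
    }
    family inet6 {
        filter Management_ipv6 {
            /* Management services, only from the trusted IPv6 prefix list; logged. */
            term 1 {
                from {
                    prefix-list {
                        Management_ipv6;
                    }
                    /*
                     * next-header is the IPv6 counterpart of the inet
                     * "protocol" match. It inspects the first next-header
                     * value; if extension headers are in use, check the
                     * platform documentation for payload-protocol matching.
                     */
                    next-header [ tcp udp ];
                    destination-port [ ssh http https telnet snmp ftp ];
                }
                then {
                    log;
                    accept;
                }
            }
            /* BGP sessions only from configured neighbors (prefix-list BGP-Neighbors). */
            term 2 {
                from {
                    prefix-list {
                        BGP-Neighbors;
                    }
                    next-header tcp;
                    destination-port bgp;
                }
                then accept;
            }
            /* The same services from any other source are dropped and logged. */
            term 3 {
                from {
                    next-header [ tcp udp ];
                    destination-port [ ssh http https telnet snmp bgp ftp ];
                }
                then {
                    log;
                    discard;
                }
            }
            /*
             * Everything else is permitted; this also keeps ICMPv6 neighbor
             * discovery and device-originated return traffic working.
             */
            term default-permit {
                then accept;
            }
        }
    }
}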
policy-options {
    /*
     * Trusted management sources. 192.168.0.0/24 is only the author's
     * example; replace it with the actual management/jump-host ranges and
     * keep it as narrow as possible, since term 1 of filter Management_ipv4
     * grants these sources access to telnet, ftp and snmp as well as ssh
     * and https.
     */
    prefix-list Management_ipv4 {
        192.168.0.0/24;
    }
    /* IPv6 equivalent of Management_ipv4; same guidance applies. */
    prefix-list Management_ipv6 {
        2001:470::/64;
    }
    /*
     * Built automatically from every neighbor configured under
     * "protocols bgp", so the BGP accept term tracks neighbor changes
     * without editing the filter. Neighbors configured inside
     * routing-instances are not covered by this path and would need
     * their own apply-path entry.
     */
    prefix-list BGP-Neighbors {
        apply-path "protocols bgp group <*> neighbor <*>";
    }
}