Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  MX 204 Management ACL

    Posted 03-24-2022 09:38
    Good Morning,

    I am having an issue with my management ACL on an MX204. This is the same configuration I used on the 104s that I currently have. This is still allowing SSH connections from any IP. I also would like to limit this down to just the management interface.

    set policy-options prefix-list MGMT_Net x.x.x.0/24
    set policy-options prefix-list MGMT_Net x.x.x.0/24
    set policy-options policy-statement export-routes term export-statics from protocol static
    set policy-options policy-statement export-routes term export-statics then accept
    set policy-options policy-statement export-routes term export-direct then accept
    set firewall family inet filter MGMT term T1 from source-address 0.0.0.0/0
    set firewall family inet filter MGMT term T1 from source-prefix-list MGMT_Net except
    set firewall family inet filter MGMT term T1 from destination-port ssh
    set firewall family inet filter MGMT term T1 from destination-port https
    set firewall family inet filter MGMT term T1 from destination-port telnet
    set firewall family inet filter MGMT term T1 from destination-port http
    set firewall family inet filter MGMT term T1 from destination-port ntp
    set firewall family inet filter MGMT term T1 then discard
    set firewall family inet filter MGMT term accept_everything_else then accept


    Any help is appreciated.

    Thanks,

    Matt


  • 2.  RE: MX 204 Management ACL

    Posted 03-25-2022 09:32
    Do you have the FWF applied to the lo0.0 interface as an input?


  • 3.  RE: MX 204 Management ACL

    Posted 03-28-2022 09:45
    Yes. I have this.

    set interfaces lo0 unit 0 family inet filter input MGMT_Net

    Thanks,

    Matt


  • 4.  RE: MX 204 Management ACL

    Posted 08-04-2023 08:16

    Good Morning,

    I wanted to revisit this discussion to see if anyone else had any ideas on this. This is still being detected as OpenSSH by external vulnerability scans.

    Thanks,

    Matt




  • 5.  RE: MX 204 Management ACL

    Posted 08-05-2023 12:09

    Maybe you could try this (basically, replacing the mix of matching source-address and source-prefix-list with only prefix-list):

    set policy-options prefix-list all_v4 0.0.0.0/0
    delete firewall family inet filter MGMT term T1 from source-address 0.0.0.0/0
    set firewall family inet filter MGMT term T1 from source-prefix-list all_v4


    ------------------------------
    Olivier Benghozi
    ------------------------------
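
Added example, not code from any post in this thread: a small Python linter for Junos `set`-style configuration that checks the points the thread turns on. Note the name mismatch visible above: the first post defines `firewall family inet filter MGMT`, while the third post applies `filter input MGMT_Net` (the prefix-list name) to lo0.0. The checker flags an applied filter that is not defined anywhere, a referenced prefix-list that is not defined, a term that mixes `source-address` with `source-prefix-list` (the mix the last reply suggests replacing with prefix-lists only), and a port match with no `protocol tcp|udp`. Both embedded configurations are constructed: ORIGINAL reproduces the poster's filter and apply line with 192.0.2.0/24 standing in for the anonymised x.x.x.0/24, and CORRECTED is one assumed way to express the same intent (the term names allow-mgmt, block-mgmt, block-ntp and accept-rest are my own, not from the thread).

```python
"""Lint Junos set-style config for a loopback (lo0) management filter.

Added example for the thread above; not Juniper code and not the poster's.
The configs are constructed: ORIGINAL mirrors the posted filter plus the
posted apply line, CORRECTED is one assumed rewrite of the same intent.
"""

ORIGINAL = """
set policy-options prefix-list MGMT_Net 192.0.2.0/24
set firewall family inet filter MGMT term T1 from source-address 0.0.0.0/0
set firewall family inet filter MGMT term T1 from source-prefix-list MGMT_Net except
set firewall family inet filter MGMT term T1 from destination-port ssh
set firewall family inet filter MGMT term T1 from destination-port https
set firewall family inet filter MGMT term T1 from destination-port telnet
set firewall family inet filter MGMT term T1 from destination-port http
set firewall family inet filter MGMT term T1 from destination-port ntp
set firewall family inet filter MGMT term T1 then discard
set firewall family inet filter MGMT term accept_everything_else then accept
set interfaces lo0 unit 0 family inet filter input MGMT_Net
"""

# Assumed rewrite: exempt the management prefix first, then silently discard
# the management services from everyone else, then let the rest through.
CORRECTED = """
set policy-options prefix-list MGMT_Net 192.0.2.0/24
set firewall family inet filter MGMT term allow-mgmt from source-prefix-list MGMT_Net
set firewall family inet filter MGMT term allow-mgmt then accept
set firewall family inet filter MGMT term block-mgmt from protocol tcp
set firewall family inet filter MGMT term block-mgmt from destination-port ssh
set firewall family inet filter MGMT term block-mgmt from destination-port https
set firewall family inet filter MGMT term block-mgmt from destination-port telnet
set firewall family inet filter MGMT term block-mgmt from destination-port http
set firewall family inet filter MGMT term block-mgmt then syslog
set firewall family inet filter MGMT term block-mgmt then discard
set firewall family inet filter MGMT term block-ntp from protocol udp
set firewall family inet filter MGMT term block-ntp from destination-port ntp
set firewall family inet filter MGMT term block-ntp then discard
set firewall family inet filter MGMT term accept-rest then accept
set interfaces lo0 unit 0 family inet filter input MGMT
"""


def parse_set_config(text):
    """Return each 'set ...' statement as a token list with the leading 'set' dropped."""
    stmts = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("set "):
            stmts.append(line.split()[1:])
    return stmts


def lint(text):
    """Return a list of (severity, message) findings; severity is 'error' or 'warning'."""
    prefix_lists = set()
    filters = {}   # filter name -> term name -> {"from": [...], "then": [...]} (in config order)
    applied = []   # (interface.unit, filter name) for every 'family inet filter input'
    for t in parse_set_config(text):
        if t[:2] == ["policy-options", "prefix-list"] and len(t) > 2:
            prefix_lists.add(t[2])
        elif t[:4] == ["firewall", "family", "inet", "filter"] and len(t) > 6 and t[5] == "term":
            term = filters.setdefault(t[4], {}).setdefault(t[6], {"from": [], "then": []})
            if len(t) > 8 and t[7] in ("from", "then"):
                term[t[7]].append(t[8:])
        elif t[:1] == ["interfaces"] and "filter" in t and "input" in t:
            applied.append((f"{t[1]}.{t[3]}", t[t.index("input") + 1]))

    findings = []
    # A filter applied to an interface must exist under 'firewall family inet filter'.
    for intf, name in applied:
        if name not in filters:
            findings.append(("error", f"{intf}: input filter '{name}' is not defined "
                                      f"(defined: {sorted(filters) or 'none'})"))
    for fname, terms in filters.items():
        for tname, term in terms.items():
            where = f"filter {fname} term {tname}"
            keys = [m[0] for m in term["from"]]
            for m in term["from"]:
                if m[0] in ("source-prefix-list", "destination-prefix-list", "prefix-list") \
                        and len(m) > 1 and m[1] not in prefix_lists:
                    findings.append(("error", f"{where}: prefix-list '{m[1]}' is not defined"))
            if "source-address" in keys and "source-prefix-list" in keys:
                findings.append(("warning", f"{where}: mixes source-address and source-prefix-list; "
                                            "use prefix-lists only (e.g. an all_v4 0.0.0.0/0 list)"))
            if ("destination-port" in keys or "source-port" in keys) and "protocol" not in keys:
                findings.append(("warning", f"{where}: port match without 'from protocol tcp|udp'"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("ORIGINAL", ORIGINAL), ("CORRECTED", CORRECTED)):
        print(f"== {label}")
        for severity, msg in lint(cfg) or [("ok", "no findings")]:
            print(f"  {severity}: {msg}")
```

Run with `python3`; ORIGINAL reports the undefined `MGMT_Net` filter on lo0.0 plus the two warnings on term T1, CORRECTED reports nothing. Two points for the corrected form: `discard` drops silently (the port shows as filtered to a scanner) whereas `reject` answers with a TCP reset or ICMP error (the port shows as closed), and an lo0.0 input filter governs traffic destined to the Routing Engine whichever interface it arrived on, so it restricts who may reach SSH but does not by itself bind SSH to the management port only.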