Example: Configuring a Filter to Block Telnet and SSH Access

• Requirements on page 120

• Overview on page 120

• Configuration on page 120

• Verification on page 122

Requirements

You must have access to a remote host that has network connectivity with this router or switch.

Overview

In this example, you create an IPv4 stateless firewall filter that logs and rejects Telnet or SSH access packets unless the packet is destined for or originates from the 192.168.1.0/24 subnet.

• To match packets destined for or originating from the address 192.168.1.0/24 subnet, you use the address 192.168.1.0/24 IPv4 match condition.

• To match packets destined for or originating from a TCP port, Telnet port, or SSH port, you use the protocol tcp, port telnet, and telnet ssh IPv4 match conditions.

Configuration

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see“Using the CLI Editor in Configuration Mode” on page 5.

To configure this example, perform the following tasks:

• Configure the Stateless Firewall Filter on page 121

• Apply the Firewall Filter to the Loopback Interface on page 121

• Confirm and Commit Your Candidate Configuration on page 121 CLI Quick

Configuration

To quickly configure this example, copy the following configuration commands into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit]

hierarchy level.

set firewall family inet filter local_acl term terminal_access from address 192.168.1.0/24 set firewall family inet filter local_acl term terminal_access from protocol tcp

set firewall family inet filter local_acl term terminal_access from port ssh set firewall family inet filter local_acl term terminal_access from port telnet set firewall family inet filter local_acl term terminal_access then accept

set firewall family inet filter local_acl term terminal_access_denied from protocol tcp set firewall family inet filter local_acl term terminal_access_denied from port ssh set firewall family inet filter local_acl term terminal_access_denied from port telnet set firewall family inet filter local_acl term terminal_access_denied then log set firewall family inet filter local_acl term terminal_access_denied then reject set firewall family inet filter local_acl term default-term then accept

set interfaces lo0 unit 0 family inet filter input local_acl

set interfaces lo0 unit 0 family inet address 127.0.0.1/32

Configure the Stateless Firewall Filter Step-by-Step

Procedure

To configure the stateless firewall filter that selectively blocks Telnet and SSH access:

Create the stateless firewall filter local_acl.

[edit]

user@myhost# edit firewall family inet filter local_acl 2. Define the filter term terminal_access.

[edit firewall family inet filter local_acl]

user@myhost# set term terminal_access from address 192.168.1.0/24 user@myhost# set term terminal_access from protocol tcp

user@myhost# set term terminal_access from port ssh user@myhost# set term terminal_access from port telnet user@myhost# set term terminal_access then accept 3. Define the filter term terminal_access_denied.

[edit firewall family inet filter local_acl]

user@myhost# set term terminal_access_denied from protocol tcp user@myhost# set term terminal_access_denied from port ssh user@myhost# set term terminal_access_denied from port telnet user@myhost# set term terminal_access_denied then log user@myhost# set term terminal_access_denied then reject user@myhost# set term default-term then accept

Apply the Firewall Filter to the Loopback Interface Step-by-Step

Procedure

To apply the firewall filter to the loopback interface:

[edit]

•

user@myhost# set interfaces lo0 unit 0 family inet filter input local_acl user@myhost# set interfaces lo0 unit 0 family inet address 127.0.0.1/32

Confirm and Commit Your Candidate Configuration Step-by-Step

Procedure

To confirm and then commit your candidate configuration:

Confirm the configuration of the stateless firewall filter by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

[edit]

Chapter 3: Applying Firewall Filters to Routing Engine Traffic

port [ssh telnet];

}

then accept;

}

term terminal_access_denied { from {

protocol tcp;

port [ssh telnet];

} then {

log;

reject;

} }

term default-term { then accept;

} } }

2. Confirm the configuration of the interface by entering the show interfaces

configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

[edit]

user@myhost# show interfaces lo0 {

unit 0 { family inet {

filter {

input local_acl;

}

address 127.0.0.1/32;

} } }

3. If you are done configuring the device, commit your candidate configuration.

[edit]

user@myhost# commit

Verification

Confirm that the configuration is working properly.

• Verifying Accepted Packets on page 122

• Verifying Logged and Rejected Packets on page 123 Verifying Accepted Packets

Purpose Verify that the actions of the firewall filter terms are taken.

Action 1. Clear the firewall log on your router or switch.

user@myhost> clear firewall log

2. From a host at an IP address within the 192.168.1.0/24 subnet, use the ssh hostname command to verify that you can log in to the device using only SSH. This packet should be accepted, and the packet header information for this packet should not be logged in the firewall filter log buffer in the Packet Forwarding Engine.

user@host-A> ssh myhost user@myhosts’s password:

--- JUNOS 11.1-20101102.0 built 2010-11-02 04:48:46 UTC

% cli

user@myhost>

3. From a host at an IP address within the 192.168.1.0/24 subnet, use the telnet hostname command to verify that you can log in to your router or switch using only Telnet. This packet should be accepted, and the packet header information for this packet should not be logged in the firewall filter log buffer in the Packet Forwarding Engine.

user@host-A> telnet myhost Trying 192.168.249.71...

Connected to myhost-fxp0.acme.net.

Escape character is '^]'.

host (ttyp0) login: user Password:

--- JUNOS 11.1-20101102.0 built 2010-11-02 04:48:46 UTC

% cli

user@myhost>

4. Use the show firewall log command to verify that the routing table on the device does not contain any entries with a source address in the 192.168.1.0/24 subnet.

user@myhost> show firewall log

Verifying Logged and Rejected Packets

Purpose Verify that the actions of the firewall filter terms are taken.

Chapter 3: Applying Firewall Filters to Routing Engine Traffic

Action 1. Clear the firewall log on your router or switch.

user@myhost> clear firewall log

2. From a host at an IP address outside of the 192.168.1.0/24 subnet, use the ssh hostname command to verify that you cannot log in to the device using only SSH. This packet should be rejected, and the packet header information for this packet should be logged in the firewall filter log buffer in the Packet Forwarding Engine.

user@host-B ssh myhost

ssh: connect to host sugar port 22: Connection refused --- JUNOS 11.1-20101102.0 built 2010-11-02 04:48:46 UTC

3. From a host at an IP address outside of the 192.168.1.0/24 subnet, use the telnet hostnamecommand to verify that you can log in to the device using only Telnet. This packet should be rejected, and the packet header information for this packet should be logged in the firewall filter log buffer in the PFE.

user@host-B> telnet myhost Trying 192.168.249.71...

telnet: connect to address 192.168.187.3: Connection refused telnet: Unable to connect to remote host

4. Use the show firewall log command to verify that the routing table on the device does not contain any entries with a source address in the 192.168.1.0/24 subnet.

user@myhost> show firewall log

Time Filter Action Interface Protocol Src Addr Dest Addr 18:41:25 local_acl R fxp0.0 TCP 192.168.187.5 192.168.187.1 18:41:25 local_acl R fxp0.0 TCP 192.168.187.5 192.168.187.1 18:41:25 local_acl R fxp0.0 TCP 192.168.187.5 192.168.187.1 ...

18:43:06 local_acl R fxp0.0 TCP 192.168.187.5 192.168.187.1 18:43:06 local_acl R fxp0.0 TCP 192.168.187.5 192.168.187.1 18:43:06 local_acl R fxp0.0 TCP 192.168.187.5 192.168.187.1 ...