06-25-2008 06:08 AM
06-25-2008 06:49 AM - edited 06-25-2008 06:49 AM
can you tell us what model of router it is please, as this technique will vary between platforms
is it a j/m/t series??
ERX?
Netscreen?
????
06-25-2008 08:10 AM
06-25-2008 02:18 PM
First, posting a config snippet does not hurt, so please help us with helping you :-)
Second, to make the answer short, please look at the JUNOS Secure Template and compare it with your config:
1) input filter assigned to the loopback interface?
2) analyze the firewall filter (router-protect/router-protect-hardcore) definition
In the case of SNMP it's possible to restrict community access to specified prefixes only, but it's just for SNMP and does not protect the RE from unwanted traffic. Firewall filters are to be used anyway.
06-26-2008 03:08 PM
It is pretty simple and straightforward. I have configured a test lab router and it is restricting access to these services the way I want.
Restricting access to SNMP:
jahil@r1# show
community hi {
    authorization read-only;
    clients {
        /* allowed-ip or ips, you can also put a configured prefix-list */
        2.2.2.0/24;
    }
}
Restricting access to TELNET:
filter RESTRICT-TELNET {
    term allowed-host {
        from {
            address {
                /* allowed-ip or ips */
                2.2.2.2/32;
            }
            protocol tcp;
            destination-port 23;
        }
        then accept;
    }
    term DROP-TELNET {
        from {
            destination-address {
                /* Juniper router ip, you can also specify all the interfaces or their IPs */
                1.1.1.1/32;
            }
            protocol tcp;
            destination-port 23;
        }
        then {
            reject;
        }
    }
    term DEFAULT {
        then accept;
    }
}
[edit firewall]
It would be nice if the Juniper guys could allow us to configure an access list on the telnet service instead of on interfaces, like Cisco's "line vty" access-class.
HTH
06-27-2008 03:03 AM
Masood,
where are you applying the RESTRICT-TELNET filter? It's enough to apply it to the loopback to filter packets sent to the RE (control/mgmt plane):
lo0 {
    unit 0 {
        family inet {
            filter {
                input router-access;
            }
            address 127.0.0.1/32;
        }
    }
}
There is no need to specify the router's IPs (as in your term DROP-TELNET); matching the destination telnet port (tcp 23) is enough. The filter assigned on lo0 input affects traffic to the RE only, not the router's transit traffic.
Configuring a firewall filter on lo0 is similar to Cisco 'line vty' ACLs (just 1/2 terms for the SSH/Telnet services), but it covers more than just simple device VTY access control.
Applying filters to (non-lo0) interfaces is not a good way to protect the router's RE.
Again, reading the JUNOS Secure Template is a good start.
06-30-2008 01:48 AM
07-06-2008 01:01 AM
Hi,
Just be sure to put the last term as accept so as to allow routing and signaling protocols to function, as this may filter routing protocol packets from reaching the RE.
Osama
08-14-2009 07:59 AM
Hi,
Can someone help me?
I want to restrict access to all interfaces; do I have to bind the filter to all of them?
When you say to bind it to lo0, do you mean lo0 unit 0?
I have a lot of LRs and routing instances (RIs); will applying the filter to lo0 unit 0 restrict access to the interfaces of all LRs and RIs?
According to you, the following script would work, however...
I already have other lo0 interfaces configured, and I can only have one per LR/RI, so I can't use lo0 unit 0. What should I do?
Thanks in advance!
###Allow access from O&M Network
set firewall filter RESTRICT_SSH_TELNET term ALLOW_SSH_TELNET from source-address X.X.X.X/24
set firewall filter RESTRICT_SSH_TELNET term ALLOW_SSH_TELNET then accept
###Deny telnet and SSH from all other networks
set firewall filter RESTRICT_SSH_TELNET term DENY_SSH_TELNET from protocol tcp
set firewall filter RESTRICT_SSH_TELNET term DENY_SSH_TELNET from port [ ssh telnet ]
set firewall filter RESTRICT_SSH_TELNET term DENY_SSH_TELNET then count reject-counter
set firewall filter RESTRICT_SSH_TELNET term DENY_SSH_TELNET then log
set firewall filter RESTRICT_SSH_TELNET term DENY_SSH_TELNET then syslog
set firewall filter RESTRICT_SSH_TELNET term DENY_SSH_TELNET then reject
###Allow all other data
set firewall filter RESTRICT_SSH_TELNET term DEFAULT then accept
###Bind filter to lo0.0 interface
set interfaces lo0 unit 0 family inet filter input RESTRICT_SSH_TELNET
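The thread makes three points about an RE-protection filter: it belongs on lo0 input, its last term must be an unconditional accept so routing and signaling protocols still reach the RE, and some term must reject SSH/telnet from non-allowed sources. The following Python linter, added here as an editor's example (not code from any poster or from Juniper), checks set-style configuration for exactly those three points; the sample configuration and its 192.0.2.0/24 address are constructed for the example.

```python
import re
from collections import OrderedDict

# Constructed sample in the set-command style used in the thread above
# (hypothetical management prefix); the binding uses `set interfaces`.
SAMPLE_CONFIG = """
set firewall filter RESTRICT_SSH_TELNET term ALLOW_SSH_TELNET from source-address 192.0.2.0/24
set firewall filter RESTRICT_SSH_TELNET term ALLOW_SSH_TELNET then accept
set firewall filter RESTRICT_SSH_TELNET term DENY_SSH_TELNET from protocol tcp
set firewall filter RESTRICT_SSH_TELNET term DENY_SSH_TELNET from port [ ssh telnet ]
set firewall filter RESTRICT_SSH_TELNET term DENY_SSH_TELNET then log
set firewall filter RESTRICT_SSH_TELNET term DENY_SSH_TELNET then reject
set firewall filter RESTRICT_SSH_TELNET term DEFAULT then accept
set interfaces lo0 unit 0 family inet filter input RESTRICT_SSH_TELNET
"""

TERM_RE = re.compile(r"^set firewall filter (\S+) term (\S+) (from|then) (.+)$")
BIND_RE = re.compile(r"^set interfaces (\S+) unit \d+ family inet filter input (\S+)$")
MGMT_RE = re.compile(r"\b(ssh|telnet|22|23)\b")  # SSH/telnet by name or port number

def parse_set_config(text):
    """Return (filters, bindings): filters[name] is an ordered {term: {'from': [...],
    'then': [...]}} (term order matters), bindings is a list of (interface, filter)."""
    filters, bindings = {}, []
    for line in text.strip().splitlines():
        if m := TERM_RE.match(line.strip()):
            fname, term, section, clause = m.groups()
            terms = filters.setdefault(fname, OrderedDict())
            terms.setdefault(term, {"from": [], "then": []})[section].append(clause)
        elif m := BIND_RE.match(line.strip()):
            bindings.append((m.group(1), m.group(2)))
    return filters, bindings

def audit_re_filters(text):
    """Apply the thread's three checks to every filter; return a list of findings."""
    filters, bindings = parse_set_config(text)
    findings = []
    for fname, terms in filters.items():
        if ("lo0", fname) not in bindings:
            findings.append(f"{fname}: not applied as input filter on lo0")
        last = list(terms.values())[-1]
        if last["from"] or "accept" not in last["then"]:
            findings.append(f"{fname}: last term is not an unconditional accept")
        denies = [t for t, c in terms.items()
                  if any(MGMT_RE.search(f) for f in c["from"])
                  and any(a in ("reject", "discard") for a in c["then"])]
        if not denies:
            findings.append(f"{fname}: no term rejects ssh/telnet from other sources")
    return findings

if __name__ == "__main__":
    for finding in audit_re_filters(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```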