Junos
Contributor
Arzo
Posts: 172
Registered: 11-12-2007

SNMP & Telnet Access

I want to configure my router to accept SNMP and Telnet from specific addresses only. I tried a firewall filter as in the Juniper documents, but it didn't work out; can anyone help please?
Tariq Morad
Contributor
jrrennie
Posts: 18
Registered: 05-18-2008

Re: SNMP & Telnet Access

Can you tell us what model of router it is please, as this technique will vary between platforms.

Is it a J/M/T series??

ERX?

Netscreen?

????


Message Edited by jrrennie on 06-25-2008 06:49 AM
Contributor
Arzo
Posts: 172
Registered: 11-12-2007

Re: SNMP & Telnet Access

M7i, Junos is 8.4, thank you.
Tariq Morad
Contributor
xls
Posts: 10
Registered: 02-01-2008

Re: SNMP & Telnet Access

First, posting a config snippet does not hurt, so please help us with helping you :-)

Second, to make the answer short, please look at the JUNOS Secure Template and compare it with your config:

1) input filter assigned to the loopback interface?

2) analyze the firewall filter (router-protect/router-protect-hardcore) definition

In the case of SNMP it's possible to restrict community access to specified prefixes only, but it's just for SNMP and does not protect the RE from unwanted traffic. Firewall filters are to be used anyway.


Super Contributor
masoodnt10
Posts: 80
Registered: 06-20-2008

Re: SNMP & Telnet Access

It is pretty simple and straightforward. I have configured a test lab router and it is restricting access to these services the way I want :smileyhappy:

Restricting access to SNMP:


jahil@r1# show
community hi {
    authorization read-only;
    clients {
        /* allowed-ip or ips, you can also put a configured prefix-list */
        2.2.2.0/24;
    }
}

Restricting access to TELNET:


filter RESTRICT-TELNET {
    term allowed-host {
        from {
            address {
                /* allowed-ip or ips */
                2.2.2.2/32;
            }
            protocol tcp;
            destination-port 23;
        }
        then accept;
    }
    term DROP-TELNET {
        from {
            destination-address {
                /* Juniper router ip, you can also specify all the interfaces or their IPs */
                1.1.1.1/32;
            }
            protocol tcp;
            destination-port 23;
        }
        then {
            reject;
        }
    }
    term DEFAULT {
        then accept;
    }
}

[edit firewall]

 

 

It would be nice if the Juniper guys could allow us to configure an access list for the telnet service instead of interfaces, like Cisco's "line vty ... access-class".

HTH

Regards,
Masood
BLOG: http://weblogs.com.pk/jahil/
Contributor
xls
Posts: 10
Registered: 02-01-2008

Re: SNMP & Telnet Access

Masood,

where are you applying the RESTRICT-TELNET filter? It's enough to apply it to the loopback to filter packets sent to the RE (control/mgmt plane):

lo0 {
    unit 0 {
        family inet {
            filter {
                input router-access;
            }
            address 127.0.0.1/32;
        }
    }
}


There is no need to specify the router's IPs (as in your term DROP-TELNET); matching the destination telnet port (tcp 23) is enough. The filter assigned on lo0 input affects traffic to the RE only, not router transit traffic.

Configuring a firewall filter on lo0 is similar to Cisco 'line vty' ACLs (just 1/2 terms for SSH/Telnet services), but it covers more than just simple device VTY access control.

Applying filters to interfaces (non lo0) is not a good way to protect the router's RE.

Again, reading the JUNOS Secure Template is a good start.


Contributor
Arzo
Posts: 172
Registered: 11-12-2007

Re: SNMP & Telnet Access

Thank you all for your great answers. I will test it soon and let you know my feedback; thanks again.
Tariq Morad
Regular Visitor
Osama
Posts: 7
Registered: 05-25-2008

Re: SNMP & Telnet Access

Hi,

Just be sure to put the last term as accept so as to allow routing and signaling protocols to function, as this filter may otherwise stop routing protocol packets from reaching the RE.

Osama

New User
tma
Posts: 1
Registered: 08-14-2009

Re: SNMP & Telnet Access

Hi,

 

Can someone help me?

I want to restrict access on all interfaces; do I have to bind the filter to all of them?
When you say to bind it to lo0, did you mean lo0 unit 0?
I have a lot of LRs and routing instances (RIs); will applying the filter to lo0 unit 0 restrict access on all the LRs' and RIs' interfaces?

According to you, the following script would work, however...
I already have other lo0 interfaces configured, and I can only have one per LR/RI, so I can't use lo0 unit 0. What should I do?

Thanks in advance!


###Allow access from O&M Network
set firewall filter RESTRICT_SSH_TELNET term ALLOW_SSH_TELNET from source-address X.X.X.X/24
set firewall filter RESTRICT_SSH_TELNET term ALLOW_SSH_TELNET then accept

###Deny telnet and SSH from all other networks
set firewall filter RESTRICT_SSH_TELNET term DENY_SSH_TELNET from protocol tcp
set firewall filter RESTRICT_SSH_TELNET term DENY_SSH_TELNET from port [ ssh telnet ]
set firewall filter RESTRICT_SSH_TELNET term DENY_SSH_TELNET then count reject-counter
set firewall filter RESTRICT_SSH_TELNET term DENY_SSH_TELNET then log
set firewall filter RESTRICT_SSH_TELNET term DENY_SSH_TELNET then syslog
set firewall filter RESTRICT_SSH_TELNET term DENY_SSH_TELNET then reject

###Allow all other data
set firewall filter RESTRICT_SSH_TELNET term DEFAULT then accept

###Bind filter to lo0.0 interface (the hierarchy is "interfaces", not "interface")
set interfaces lo0 unit 0 family inet filter input RESTRICT_SSH_TELNET

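To make the first-match semantics behind the advice in this thread concrete (why Osama's final accept term matters, why xls needs no destination-address match on an lo0 input filter, and what `port` matches compared with `destination-port`), here is an added Python model of a Junos stateless filter evaluated against constructed packets; it is not Junos code and not from any post above. The addresses 198.51.100.0/24 and 203.0.113.5 are placeholders standing in for tma's X.X.X.X/24 O&M prefix and an outside host.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str
    protocol: str   # "tcp" or "udp"
    sport: int
    dport: int

@dataclass
class Term:
    """One 'term' of a Junos stateless filter (added model, not Junos code)."""
    name: str
    action: str                                   # accept | reject | discard
    source: list = field(default_factory=list)    # from source-address
    protocol: list = field(default_factory=list)  # from protocol
    dport: list = field(default_factory=list)     # from destination-port
    port: list = field(default_factory=list)      # from port (src OR dst port)

    def matches(self, p: Packet) -> bool:
        # Every configured 'from' condition must hold; a term with no
        # conditions (tma's DEFAULT) matches every packet.
        addr = ipaddress.ip_address(p.src)
        if self.source and not any(addr in ipaddress.ip_network(n) for n in self.source):
            return False
        if self.protocol and p.protocol not in self.protocol:
            return False
        if self.dport and p.dport not in self.dport:
            return False
        if self.port and p.sport not in self.port and p.dport not in self.port:
            return False
        return True

def evaluate(terms, p: Packet):
    """Junos semantics: the first matching term decides; if no term matches,
    the packet is discarded (the implicit discard Osama's final accept avoids)."""
    for t in terms:
        if t.matches(p):
            return t.name, t.action
    return "implicit", "discard"

# Constructed copy of tma's RESTRICT_SSH_TELNET; 198.51.100.0/24 (documentation
# space) stands in for the O&M prefix written as X.X.X.X/24 in the post.
RESTRICT_SSH_TELNET = [
    Term("ALLOW_SSH_TELNET", "accept", source=["198.51.100.0/24"]),
    Term("DENY_SSH_TELNET", "reject", protocol=["tcp"], port=[22, 23]),
    Term("DEFAULT", "accept"),
]
NO_DEFAULT = RESTRICT_SSH_TELNET[:2]  # same filter without the final accept
```

Evaluating a BGP packet (tcp/179) against NO_DEFAULT returns the implicit discard, which is exactly the routing-protocol breakage Osama warns about; note also that `port` matches a packet whose source port happens to be 22 or 23, which `destination-port` would not.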