Hi, I wrote something about controlling management access to an SRX (or J-series of course) which might be useful to other members of this forum:
Introduction.
A lot of engineers who switch from ScreenOS to JUNOS miss the manager-ip functionality found in ScreenOS. This technote shows how to get similar functionality on an SRX or J-series.
Solution.
The solution described here is covered in many documents, but I tried to write a short summary. Search for "protecting the Routing Engine" when you want background information.
The SRX does not have manager-ip built in. Because the SRX is based on the packet-based JUNOS code, something can be built to achieve the same functionality. The core of this is stateless firewall filters. These filters can be applied to interfaces, but instead of applying one to every interface, it is applied between the PFE (Packet Forwarding Engine) and the RE (Routing Engine). Think of that as the point where traffic enters the SRX itself rather than being forwarded through it. The way to do this is to apply a filter to the loopback interface, because the loopback interface is used when sending traffic from the PFE to the RE.
On packet-based JUNOS you have to write rather complex filters, but on the SRX most of the work is already done by the zone or interface host-inbound-traffic settings.
The add-on described here is filtering on source prefixes.
The first step in the config is to create a list of networks (or hosts) that are allowed to manage the device. For this you can use a prefix-list:
policy-options {
    prefix-list manager-ip {
        10.0.0.0/8;
        192.168.4.254/32;
    }
}
This list is referenced in the actual filter, so this is the place where you change your manager-ip's!
The next step is to write a filter. One tricky thing here is that you have to include all your management services in the first term! (Don't forget NSM when you use it.)
firewall {
    filter manager-ip {
        term block_non_manager {
            from {
                source-address {
                    0.0.0.0/0;
                }
                source-prefix-list {
                    manager-ip except;
                }
                protocol tcp;
                destination-port [ ssh https telnet http ];
            }
            then {
                discard;
            }
        }
        term accept_everything_else {
            then accept;
        }
    }
}
As you can see, management traffic (TCP to any port listed under destination-port) is discarded, except when it comes from an address listed in the prefix-list "manager-ip". Everything else falls through to the second term and is accepted.
Finally, we have to apply this filter to the loopback interface:
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input manager-ip;
                }
            }
        }
    }
}
And don't forget to use commit confirmed when trying this on a remote system...
For those of you who want to paste the configuration into the CLI in set format (you should read up on load terminal, but this may be easier):
set policy-options prefix-list manager-ip 192.168.4.254/32
set policy-options prefix-list manager-ip 10.0.0.0/8
set firewall filter manager-ip term block_non_manager from source-address 0.0.0.0/0
set firewall filter manager-ip term block_non_manager from source-prefix-list manager-ip except
set firewall filter manager-ip term block_non_manager from protocol tcp
set firewall filter manager-ip term block_non_manager from destination-port ssh
set firewall filter manager-ip term block_non_manager from destination-port https
set firewall filter manager-ip term block_non_manager from destination-port telnet
set firewall filter manager-ip term block_non_manager from destination-port http
set firewall filter manager-ip term block_non_manager then discard
set firewall filter manager-ip term accept_everything_else then accept
set interfaces lo0 unit 0 family inet filter input manager-ip
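As an added example (not part of the original post), here is the same configuration with a count and log action on the discard term, so that you can verify from the CLI that the filter really matches what you expect before and after commit confirmed. The counter name non-manager-discards is my own choice; the prefix-list, filter and lo0 binding are exactly the ones from the post.

```junos
/* Added example: the configuration from this post, with a counter and
   log action on the discard term so blocked attempts can be verified */
policy-options {
    prefix-list manager-ip {
        10.0.0.0/8;
        192.168.4.254/32;
    }
}
firewall {
    filter manager-ip {
        term block_non_manager {
            from {
                source-address {
                    0.0.0.0/0;
                }
                /* "except" inverts the list: the term matches every
                   source that is NOT in manager-ip */
                source-prefix-list {
                    manager-ip except;
                }
                /* only TCP to these ports is matched; anything else
                   falls through to accept_everything_else */
                protocol tcp;
                destination-port [ ssh https telnet http ];
            }
            then {
                /* counter name is my own choice, not from the post */
                count non-manager-discards;
                /* keep the last discarded packets in the PFE log buffer */
                log;
                discard;
            }
        }
        term accept_everything_else {
            then accept;
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input manager-ip;
                }
            }
        }
    }
}
```

After the commit, `show firewall filter manager-ip` shows the packet and byte counts for non-manager-discards, and `show firewall log` lists the most recently logged packets with their source address and destination port. A management attempt from an address outside the prefix-list should increment the counter and appear in the log, while one from 10.0.0.0/8 or 192.168.4.254 should not. Keep in mind that the term only matches `protocol tcp` and the four listed ports: any other management service (for example NETCONF on its own port, or UDP-based SNMP) is not covered by this filter and remains restricted only by your host-inbound-traffic settings, which is exactly why all management services have to be added to the first term.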