Junos

Firewall filter based on ingress interface

‎10-30-2018 08:44 AM

Hi.

I have been trying to secure the management of our EX switches. The setup is that in general we have an inband VLAN that we use for management access. This management VLAN/subnet is protected by our firewall, where we control access to it.

On edge switches this is in general not a problem since they only have one IP-enabled interface, but on some switches that also act as routers, we have more interfaces with IP addresses. So, I want to lock down so that only traffic from the management network can have SSH access to the switches.

The examples I have seen with firewall filters are always based on knowing the source address of the computer trying to connect. But I want to make this a bit more flexible and say that only SSH connections coming in from this interface are allowed. Is this possible?

Best regards,
Johan Christensson


Re: Firewall filter based on ingress interface

‎10-30-2018 12:49 PM

It doesn't support "Interface Filter Match Conditions".

Match conditions are below for EX Series.

Match conditions—Specify the values or fields that the packet must contain. You can define various match conditions, including the IP source address field, IP destination address field, Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source port field, IP protocol field, Internet Control Message Protocol (ICMP) packet type, TCP flags, and interfaces.


https://www.juniper.net/documentation/en_US/junos/topics/reference/general/firewall-filter-ex-series...
https://www.juniper.net/documentation/en_US/junos/topics/concept/firewall-filter-ex-series-overview....



If this worked for you please flag my post as an "Accepted Solution" so others can benefit.

Re: Firewall filter based on ingress interface

‎12-31-2019 03:30 PM
We can use a filter on the loopback interface with port ssh as the only match condition:
set firewall family inet filter local_acl term terminal_access_denied from port ssh
set firewall family inet filter local_acl term terminal_access_denied then log
set firewall family inet filter local_acl term terminal_access_denied then reject
set firewall family inet filter local_acl term default-term then accept
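A fuller version of the loopback-filter approach, added here as an example and not taken from the thread: it uses the source-address pattern the original poster mentioned, accepts SSH only from the management subnet (10.0.0.0/24 is a placeholder), logs and drops every other SSH attempt, and applies the filter to lo0, which the snippet above leaves out.

```junos
# Constructed example: replace 10.0.0.0/24 with the real management prefix
set policy-options prefix-list mgmt-net 10.0.0.0/24

# Term 1: SSH from the management subnet is accepted
set firewall family inet filter protect-re term ssh-from-mgmt from source-prefix-list mgmt-net
set firewall family inet filter protect-re term ssh-from-mgmt from protocol tcp
set firewall family inet filter protect-re term ssh-from-mgmt from destination-port ssh
set firewall family inet filter protect-re term ssh-from-mgmt then accept

# Term 2: any other SSH attempt is counted, logged and silently dropped
set firewall family inet filter protect-re term ssh-deny from protocol tcp
set firewall family inet filter protect-re term ssh-deny from destination-port ssh
set firewall family inet filter protect-re term ssh-deny then count ssh-denied
set firewall family inet filter protect-re term ssh-deny then syslog
set firewall family inet filter protect-re term ssh-deny then discard

# Term 3: everything else (routing protocols, SNMP, NTP, ...) is left untouched
set firewall family inet filter protect-re term default-allow then accept

# The filter only protects the routing engine once it is applied to lo0 as an input filter
set interfaces lo0 unit 0 family inet filter input protect-re
```

Commit it with `commit confirmed` so a mistake that locks you out is rolled back automatically, and check `show firewall filter protect-re` afterwards to see the ssh-denied counter climb for blocked attempts.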

Re: Firewall filter based on ingress interface

‎12-31-2019 03:31 PM