SRX Services Gateway

Filter only incoming ssh

06-29-2020 04:14 AM

Good day,


We use an SSH filter for incoming connections to remotely administer firewalls.

This means we have a list of IP addresses (permited_ssh_hosts) that may connect to the external SSH port.

The firewall rule:

firewall {
    family inet {
        filter protect_ssh_engine {
            term permit_ssh_from_permited_hosts {
                from {
                    source-prefix-list {
                        permited_ssh_hosts;
                    }
                    protocol tcp;
                    port ssh;
                }
                then accept;
            }
            term discard_ssh_from_all_other_hosts {
                from {
                    protocol tcp;
                    port ssh;
                }
                then {
                    discard;
                }
            }
            term permit_all_other_traffice {
                then accept;
            }
        }
    }
}

However, this also limits the external SSH connections (from trust to untrust).

I see some solutions where we need to add the external IP address to the filter rules.

However, a large portion of the firewalls do not have a static IP; they use a dynamically provided IP.

Is there a solution to allow all outgoing traffic and still use an IP filter on incoming SSH?

Solution (accepted by topic author Koos147, 06-29-2020 07:10 AM)

Re: Filter only incoming ssh

06-29-2020 05:00 AM

Apply the filter to your loopback interface lo0. Even if there is no address and/or the address is not the management IP, it will still filter traffic destined for the RE.

https://www.juniper.net/documentation/en_US/junos/topics/example/firewall-filter-stateless-example-t...  
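An added example, not from the reply or from Juniper's documentation, showing the question's filter applied as an input filter on lo0 so that only packets addressed to the Routing Engine are evaluated and transit SSH from trust to untrust is untouched. It also narrows the match from `port ssh` to `destination-port ssh`, because `port` matches either source or destination port and would otherwise discard the return packets (source port 22) of SSH sessions the firewall itself opens. The prefix-list addresses are constructed placeholders and the `ssh_discards` counter is an assumption added for verification with `show firewall filter protect_ssh_engine`.

```junos
policy-options {
    /* Constructed example addresses; replace with the real management hosts */
    prefix-list permited_ssh_hosts {
        192.0.2.10/32;
        198.51.100.0/24;
    }
}
firewall {
    family inet {
        filter protect_ssh_engine {
            term permit_ssh_from_permited_hosts {
                from {
                    source-prefix-list {
                        permited_ssh_hosts;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term discard_ssh_from_all_other_hosts {
                from {
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    count ssh_discards;
                    discard;
                }
            }
            term permit_all_other_traffic {
                then accept;
            }
        }
    }
}
interfaces {
    /* An input filter on lo0 only sees packets destined for the Routing Engine,
       so transit sessions such as outbound SSH from the trust zone never match */
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect_ssh_engine;
                }
            }
        }
    }
}
```

On an SRX the zone's host-inbound-traffic system-services must still permit ssh; the lo0 filter is evaluated in addition to that check, not instead of it.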

Re: Filter only incoming ssh

06-29-2020 07:12 AM

Wow, that was easy.

We always applied the filter to the untrust interfaces.

Thanks for making our life a little bit easier today.
