[GTER] Firewall Juniper/Junos

Rafael Shimokawa rafa_tbod at hotmail.com
Wed Apr 29 14:44:20 -03 2015


Juliano,

You need to create a prefix list with the addresses that are allowed access:
 set policy-options prefix-list permitted-ips x.x.x.x/x
Then create the filter:

set firewall filter permitted-ips-filter term xxx from source-address 0.0.0.0/0
set firewall filter permitted-ips-filter term xxx from destination-address x.x.x.x/32
set firewall filter permitted-ips-filter term xxx from source-prefix-list permitted-ips except
set firewall filter permitted-ips-filter term xxx from destination-port x
set firewall filter permitted-ips-filter term xxx from destination-port http
set firewall filter permitted-ips-filter term xxx then count deny_count
set firewall filter permitted-ips-filter term xxx then discard
set firewall filter permitted-ips-filter term permit-all then accept

Apply it on the interface:
set interfaces ge-0/0/0 unit 0 family inet filter input permitted-ips-filter

Don't forget to allow the required protocols and services in the interface's zone.

Regards,
Rafael Shimokawa
MSN: rafa_tbod at hotmail.com
Skype: rafa_tbod
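An added illustration, not configuration from either message: assuming unit 443 faces the customer server (its address is the gateway of the /29), an input filter on that unit evaluates the server's own outgoing packets, so the Internet-to-customer direction is the unit's output, and replies to connections the server opens still have to be matched explicitly because the filter is stateless. The prefix-list names and the management prefix are assumptions.

```junos
## Added example (not from the original posts). Interface/unit, filter name and
## customer block follow the original question; everything else is assumed.
set policy-options prefix-list customer-block 191.243.140.145/29
set policy-options prefix-list mgmt-sources 203.0.113.0/24    ## constructed example

## Replies to connections the server itself opened (SYN-ACK, ACK, RST) carry
## the ACK or RST flag; tcp-established matches those, since there is no session table.
set firewall filter Testes-Firewall-Junos term return-traffic from protocol tcp
set firewall filter Testes-Firewall-Junos term return-traffic from destination-prefix-list customer-block
set firewall filter Testes-Firewall-Junos term return-traffic from tcp-established
set firewall filter Testes-Firewall-Junos term return-traffic then accept

## Inbound SSH only from the management prefix, not from the whole Internet.
set firewall filter Testes-Firewall-Junos term ssh-mgmt from source-prefix-list mgmt-sources
set firewall filter Testes-Firewall-Junos term ssh-mgmt from destination-prefix-list customer-block
set firewall filter Testes-Firewall-Junos term ssh-mgmt from protocol tcp
set firewall filter Testes-Firewall-Junos term ssh-mgmt from destination-port ssh
set firewall filter Testes-Firewall-Junos term ssh-mgmt then accept

set firewall filter Testes-Firewall-Junos term icmp from protocol icmp
set firewall filter Testes-Firewall-Junos term icmp then accept

## Everything else towards the block is counted and logged, then silently dropped.
set firewall filter Testes-Firewall-Junos term deny-rest then count deny_count
set firewall filter Testes-Firewall-Junos term deny-rest then syslog
set firewall filter Testes-Firewall-Junos term deny-rest then discard

## Output direction: packets leaving the router towards the customer server.
set interfaces ge-1/0/8 unit 443 family inet filter output Testes-Firewall-Junos
```

UDP replies (for example DNS answers to the server's own queries) carry no flags to match, so they need their own explicit terms or a stateful approach such as an SRX security policy.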


> Date: Wed, 29 Apr 2015 12:03:48 -0300
> From: juliano at cdznet.com.br
> To: gter at eng.registro.br
> Subject: [GTER] Firewall Juniper/Junos
> 
> Hello,
> 
> I'm trying to enable a firewall on a customer's unit. Here is the unit with 
> the filter enabled as filter input:
> 
> show interfaces ge-1/0/8 unit 443
> 
> description "####Testes-Firewall-Junos####";
> vlan-id 443;
> family inet {
>      filter {
>          input Testes-Firewall-Junos;
>      }
>      address 191.243.140.145/29;
> }
> 
> Here is the firewall filter Testes-Firewall-Junos:
> 
> term 1 {
>      from {
>          protocol tcp;
>          port ssh;
>      }
>      then accept;
> }
> term 2 {
>      from {
>          protocol icmp;
>      }
>      then accept;
> }
> term 5 {
>      then {
>          syslog;
>          reject;
>      }
> }
> 
> 
> But when I commit, the filter blocks the packets originated by the 
> server in the 191.243.140.145/29 block. The idea is to block only 
> inbound traffic, coming from outside (the Internet) towards the 
> 191.243.140.145/29 block.
> 
> Could someone who works with Juniper shed some light on this?
> 
> 
> 