[GTER] Firewall Juniper/Junos
Rafael Shimokawa
rafa_tbod at hotmail.com
Wed Apr 29 14:44:20 -03 2015
Juliano,
You need to create a prefix list with the addresses that are allowed access:

set policy-options prefix-list permitted-ips x.x.x.x/x

Then you need to create the filter:

set firewall filter permitted-ips-filter term xxx from source-address 0.0.0.0/0
set firewall filter permitted-ips-filter term xxx from destination-address x.x.x.x/32
set firewall filter permitted-ips-filter term xxx from source-prefix-list permitted-ips except
set firewall filter permitted-ips-filter term xxx from destination-port x
set firewall filter permitted-ips-filter term xxx from destination-port http
set firewall filter permitted-ips-filter term xxx then count deny_count
set firewall filter permitted-ips-filter term xxx then discard
set firewall filter permitted-ips-filter term permit-all then accept

Apply it on the interface:

set interfaces ge-0/0/0 unit 0 family inet filter input permitted-ips-filter

Don't forget to allow the required protocols and services on the interface's zone.

Regards,
Rafael Shimokawa
MSN: rafa_tbod at hotmail.com
Skype: rafa_tbod
> Date: Wed, 29 Apr 2015 12:03:48 -0300
> From: juliano at cdznet.com.br
> To: gter at eng.registro.br
> Subject: [GTER] Firewall Juniper/Junos
>
> Hello,
>
> I am trying to enable a firewall on a customer's unit. Here is the unit
> with the filter enabled as filter input:
>
> show interfaces ge-1/0/8 unit 443
>
> description "####Testes-Firewall-Junos####";
> vlan-id 443;
> family inet {
>     filter {
>         input Testes-Firewall-Junos;
>     }
>     address 191.243.140.145/29;
> }
>
> Here is the firewall filter Testes-Firewall-Junos:
>
> term 1 {
>     from {
>         protocol tcp;
>         port ssh;
>     }
>     then accept;
> }
> term 2 {
>     from {
>         protocol icmp;
>     }
>     then accept;
> }
> term 5 {
>     then {
>         syslog;
>         reject;
>     }
> }
>
>
> However, when I commit, the filter blocks packets originated from the
> server that is in the 191.243.140.145/29 block. The idea is to block
> only inbound traffic, coming from outside (the Internet) toward the
> 191.243.140.145/29 block.
>
> Can someone who works with Juniper shed some light on this?
>
>
>
> --
> gter list https://eng.registro.br/mailman/listinfo/gter
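Added worked example (not configuration from either post): the same three terms from the quoted filter, placed in the direction Juliano describes. On Junos a `family inet filter input` on an interface matches packets arriving on that interface, so on the customer-facing unit it sees customer-to-Internet packets; packets going from the Internet toward the /29 leave that unit, and are matched by a `filter output` there. The interface, VLAN and prefix are taken from the thread; the filter name, term names and counter name are assumptions. The example goes one step beyond the thread by adding a `tcp-established` term so TCP sessions the server opens outbound still get their replies, and it uses `destination-port` instead of `port` so the SSH term only matches SSH on the server side.

```junos
/* Added example, not from either post. Interface and prefix are from the
   thread; filter, term and counter names are assumed. */
interfaces {
    ge-1/0/8 {
        unit 443 {
            description "####Testes-Firewall-Junos####";
            vlan-id 443;
            family inet {
                filter {
                    /* output: packets leaving this unit toward the /29,
                       i.e. Internet -> customer. An input filter here
                       would match customer -> Internet packets instead. */
                    output Internet-to-Customer;
                }
                address 191.243.140.145/29;
            }
        }
    }
}
firewall {
    family inet {
        filter Internet-to-Customer {
            /* SSH to the servers in the /29 */
            term allow-ssh {
                from {
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term allow-icmp {
                from {
                    protocol icmp;
                }
                then accept;
            }
            /* Replies to TCP sessions the servers opened outbound:
               tcp-established matches segments with ACK or RST set.
               The filter is stateless, so UDP replies (e.g. DNS answers
               to a resolver query) would need their own term. */
            term allow-tcp-return {
                from {
                    protocol tcp;
                    tcp-established;
                }
                then accept;
            }
            /* Everything else from the Internet: count, log, reject */
            term deny-rest {
                then {
                    count Internet-to-Customer-denied;
                    syslog;
                    reject;
                }
            }
        }
    }
}
```

After commit, `show firewall filter Internet-to-Customer` shows the `Internet-to-Customer-denied` counter climbing only for traffic coming from outside; the servers' own outbound packets never pass this filter because they exit on the upstream interface, not on unit 443. The zone step in Rafael's reply applies to SRX security policies; on a router that only runs stateless filters, the filter above is the whole access control for that unit.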